Database Front | Security Scan

Security Scan

You can find the results of the security scan in the last tab of the System Monitor. The specific items in the security scan will link back to the specific topics below, where you can find more details, including a fix if required.

Each item includes a Common Vulnerability Scoring System (CVSS) score noted as Risk.

Severity Rating Scale (First.org)

No Threat	Low	Medium	High	Critical
0.0	0.1 - 3.9	4.0 - 6.9	7.0 - 8.9	9.0 - 10.0

NOTE: Many of the issues are Low Risk by themselves, but hackers will often combine low-risk attack vectors to either distract or advance their attacks.

Prevent site takeover with a CAA DNS Record

Check the DNS entries for the application domain and verify that a CAA record is present. This check does not validate the CAA record itself.

A CAA record decreases the risk that another Certificate Authority will issue an alternate SSL certificate, which could be used to perform an MTM attack or create a phishing site.

To fix this issue, you should update the DNS at your specific registrar.

Version	Vector	Risk
3.1	AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N	3.9

Server Binding Check

Check if the site accepts invalid Host headers by submitting a request with an invalid but legal domain name. If the server rejects the request with a status code between 400 and 499, then it is considered successful, and the server is secure.

To secure your server, you need to set up explicit named binding in IIS for each website listed in your sites. It is possible to set up multiple bindings for the same IP and Port.

You likely need to include a binding for your primary domain (e.g. demo.dbFront.com), and for "localhost" to enable testing and configuration from the local server.

Version	Vector	Risk
3.0	AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N	5.4

Force SSL for Cookies

Depending on the Cookie contents, an insecure Cookie can represent a serious risk. dbFront will automatically force the use of Secure cookies on SSL connections, but this can be forced by specifying the following web.config setting.

Version	Vector	Risk
3.0	AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N	3.1

Prevent Header Injection Attacks (Default: True)

Block Header Injection Attacks by encoding any newline characters in response headers.

Version	Vector	Risk
3.1	AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N	5.3

Prevent Clickjacking Attacks by Restricting Page Embedding

Blocks the ability to host your web application in an iframe in order to ensure that a malicious host/user can't trick users into clicking on specific buttons without being aware.

Version	Vector	Risk
3.1	AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N	4.4

Prevent MIME-sniffing attacks

Although dbFront makes a concerted effort to ensure that users can't upload / download invalid content where the MimeType does not match with internal file information (file signature / magic number), it is always possible that preexisting content or polyglot files can allow a dangerous file to be stored. Browsers can scan attachments and come to their own conclusion about how to display or execute a file that could result in attacks. By preventing MIME sniffing, this attack vector is closed.

Version	Vector	Risk
3.1	AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N	3.1

Disallow cross-domain policy files

Block the use of possibly overly permissive policy files, which could be used to gain unexpected access to local resources.

Version	Vector	Risk
3.1	AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N	3.7

Limit the Referrer information included with redirect requests

Ensure that the browser won't send sensitive information to third-party sites via the referrer header.

Version	Vector	Risk
3.0	AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N	3.1

Force HTTPS usage

Force your website to always communicate via SSL or TLS to ensure that no sensitive information is leaked.

Version	Vector	Risk
3.0	AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N	6.5

Require a Content-Security-Policy to Limit the Attack Surface

dbFront will simply require the presence of a Content-Security-Policy. Content security policies can be quite complex and depend heavily on your website's dependencies. The example below is from our Demo site, which uses some Google fonts and allows for the option of using a CDN for the jQuery UI themes.

The Content-Security-Policy also includes "frame-src https://dbFront.com" to allow access to the embedded help.

If you review the Response Headers for dbFront 1.4.2++, you will also notice that dbFront dynamically specifies a Content-Security-Policy fragment that requires that all script tags have a NONCE. This is inserted to block any attempts to insert malicious code.

As you design your content security policy, you can use the following tool to evaluate your work. CSP Evaluator

Version	Vector	Risk
3.0	AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N	3.7

Manage access to browser features to enhance security and privacy

The HTTP Permissions-Policy response header allows websites to deny the use of browser features in a document or within any  elements in the document.</p> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><tt><configuration><br />    <system.webServer><br />       <httpProtocol><br />         <customHeaders><br />           <add name="Permissions-Policy" value="camera=(), microphone=(), geolocation=(), fullscreen=()" /><br />         </customHeaders><br />       </httpProtocol><br />    </system.webServer><br /> </configuration></tt></div> <h4>Further Reading:</h4> <ul> <li><a href="https://github.com/w3c/webappsec-permissions-policy/blob/main/permissions-policy-explainer.md" target="_blank">W3C - Permissions Policy Explained</a></li> <li><a href="https://www.tenable.com/plugins/was/98526" target="_blank">Tenable - Missing Permissions Policy</a></li> </ul> <table class="cvssDetails"> <thead> <tr> <th>Version</th> <th>Vector</th> <th>Risk</th> </tr> </thead> <tbody> <tr> <td>n/a</td> <td>Informational</td> <td class="riskLow">Not Zero</td> </tr> </tbody> </table> </div> <div class="linktarget" id="hidedotnet"> <h3>Limit exposure by removing ASP.NET version details</h3> <p>Prevent your server from being too free with its version information.</p> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><tt><configuration><br />    <system.webServer><br />       <httpProtocol><br />         <customHeaders><br />           <remove name="X-AspNet-Version" /><br />         </customHeaders><br />       </httpProtocol><br />    </system.webServer><br /> </configuration></tt></div> <h4>Further Reading:</h4> <ul> <li><a href="https://www.troyhunt.com/shhh-dont-let-your-response-headers/" target="_blank">TroyHunt - Limit Response Headers</a></li> </ul> <table class="cvssDetails"> <thead> <tr> <th>Version</th> <th>Vector</th> <th>Risk</th> </tr> </thead> <tbody> <tr> <td>3.0</td> <td>Informational</td> <td class="riskLow">Not Zero</td> </tr> </tbody> </table> </div> <div class="linktarget" id="hidepoweredby"> <h3>Limit exposure by removing Powered-By header</h3> <p>Prevent your server from being too free with its version information.</p> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><tt><configuration><br />    <system.webServer><br />       <httpProtocol><br />         <customHeaders><br />           <remove name="X-Powered-By" /><br />         </customHeaders><br />       </httpProtocol><br />    </system.webServer><br /> </configuration></tt></div> <h4>Further Reading:</h4> <ul> <li><a href="https://www.troyhunt.com/shhh-dont-let-your-response-headers/" target="_blank">TroyHunt - Limit Response Headers</a></li> </ul> <table class="cvssDetails"> <thead> <tr> <th>Version</th> <th>Vector</th> <th>Risk</th> </tr> </thead> <tbody> <tr> <td>3.0</td> <td>Informational</td> <td class="riskLow">Not Zero</td> </tr> </tbody> </table> </div> <div class="linktarget" id="hideserver"> <h3>Limit exposure by removing Server Header</h3> <p>Prevent your server from being too free with its version information.</p> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><tt><configuration><br />    <system.webServer><br />       <security><br />         <requestFiltering removeServerHeader="true"><br />       </security><br />    </system.webServer><br /> </configuration></tt></div> <h4>Further Reading:</h4> <ul> <li><a href="https://www.troyhunt.com/shhh-dont-let-your-response-headers/" target="_blank">TroyHunt - Limit Response Headers</a></li> </ul> <table class="cvssDetails"> <thead> <tr> <th>Version</th> <th>Vector</th> <th>Risk</th> </tr> </thead> <tbody> <tr> <td>3.0</td> <td>Informational</td> <td class="riskLow">Not Zero</td> </tr> </tbody> </table> </div> <div class="linktarget" id="trial"> <h2>Additional Reading</h2> <ul> <li><a href="/penetrationtesting#webconfig">Example Secure Root Web.config</a></li> <li><a href="https://securityheaders.com" target="_blank">Test your Security Headers</a></li> <li><a href="https://medium.com/@dev.mjdhanesh/boosting-security-with-asp-net-core-http-headers-3b26a8d3fdfd" target="_blank">Medium - Boosting Security with ASP.NET Core HTTP Headers</a></li> <li><a href="https://scotthelme.co.uk/hardening-your-http-response-headers" target="_blank">ScotHelme - Hardening your HTTP response headers</a></li> <li><a href="https://arminreiter.com/2020/10/website-hardening-with-http-security-headers/" target="_blank">ArminReiter - Website Hardening with HTTP Security Headers</a></li> <li><a href="https://wiki.mozilla.org/Security/Guidelines/Web_Security" target="_blank">Mozilla - Web Security/Guidelines/Web Security</a></li> </ul> </div> <div class="linktarget" id="trial"> <h2>Free Trial</h2> <p>dbFront offers a 30-day free trial so that you can download, install, and test it out in your environment.  Please review the <a href="/video-tutorials">video tutorials</a> and plan to start a <a href="/download">free trial</a> today.  We believe you will be impressed.</p> </div>  <div class="footer clearfix"> <p class='left'>Published on <time datetime="2025-12-05" itemprop="published">December 5th, 2025</time></p> <p class='right'><a href="https://dbfront.com/" >dbFront</a> © 2014-2025 / <a href='privacypolicy'>Privacy Policy</a> / <span class='sdg' title='Soli Deo Gloria'>SDG</span></p> </div> </section> </article>  <aside id="sidebar">   <div class="section features"> <h2>dbFront Features</h2> <ul> <li><a href="/supported-dbs">Oracle, MS Sql Server and MySql</a></li> <li><a href="/security">Layered Security</a></li> <li><a href="/themes">Easy to theme</a></li> <li><a href="/quickreports">Quick Reports</a></li> <li><a href="/features">... more features ...</a></li> </ul> <a class="button orange" href="/demo2" style="font-size:14px;text-shadow:none;">Live Demo</a> <a class="button blue" href="/download" style="font-size:14px;text-shadow:none;">Download Now</a><div>Subscribe if you want to receive security & release updates for dbFront.</div> <a class="button orange" href="/subscribe" style="font-size:14px;text-shadow:none;">Subscribe</a> </div>  <div class="section"><div class="prevnext"><a href='/systemmonitor' title='Previous'><div class='prev'> </div></a> <a href='/user-list-truncated' title='Next'><div class='next'> </div></a></div><h2>Related Items</h2><ul><li>Security Scan</li></ul></div> <div class="section reviews"> <h2>Reviews</h2> <p id="randomReview"> </p> <script> var reviewsjson = [ { id: 'aa20171213', author: 'Alex Abbott', short: 'A very quick and efficient means to put a front end on a database', date: 'Dec 13, 2017' }, { id: 'jh20170524', author: 'Joe Hutchings', short: 'Where has this been all my life?!', date: 'May 24, 2017' }, { id: 'jm20161229', author: 'Jennifer Marcum', short: 'We Finally Found the Best Fit!', date: 'Dec 29, 2016' }, { id: 'cg20161121', author: 'Colin Graham', short: 'Excellent - It\'s what the database community has been looking for for years!', date: 'Nov 21, 2016' }, { id: 'ab20160629', author: 'Al Belmondo', short: 'Great product.. Needed assistance connecting to my domain and azure and support was awesome. Software is an excellent solution for a quick way to have a front end to your DB.', date: 'Jun 29, 2016' }, { id: 'ks201802', author: 'Kevin Smith', short: 'Only just started using this but it\'s very easy to use and if there are any issues the support is fantastic. Looking forward to getting more in depth with the programme.', date: 'Feb 2018' }, { id: 'kw201709', author: 'Kevin Wendlandt', short: 'The application is easy to install, fits within out supported platforms, easy to configure, and the support is awesome. This has been the app we\'ve been looking for and needed for many years!', date: 'Sept 2017' }, { id: 'kw201802', author: 'Kevin Woodbrey', short: 'The most outstanding aspect of dbFront is their customer service and response time to problems and new features. They have shown that it is possible to provide an excellent product and great customer service at an affordable price point.', date: 'Feb 2018' }, { id: 'jh201805', author: 'Jamie H.', short: 'Great product for a low price vs the competition.', date: 'May 2018' }, { id: 'ut201806', author: 'Ulf T', short: 'Great webfront to our databases! Been looking for something like this for a long time when I found Dbfront. It does everything I need and a lot more!', date: 'May 2018' }, { id: 'xa201811', author: 'Xander77', short: 'We tried to create our own solution and dbFront offers more features, has a friendlier interface and is generally a huge improvement over what we\'d managed to make.', date: 'Nov 2018' }, { id: 'ac201903', author: 'Ashic', short: 'The support is excellent, almost like a personal treat..', date: 'Mar 2019' }, { id: 'sa201905', author: 'Shawn Armstrong', short: 'Once I got the db connected, setting the UI up to my requirements was a breeze.', date: 'May 2019' }, { id: 'dl202005', author: 'Dipampatel', short: 'Excellent product! The customer service and help from Anthony is amazing!!', date: 'May 2020' }, { id: 'cr202011', author: 'CDR', short: 'This is a very versatile and easy to use product to give you a well laid out front end to your database. And the support is fantastic!', date: 'Nov 2020' }, { id: 'rg202101', author: 'Rob Greatrex', short: 'dbFront is now a primary tool in our day to day business practice.', date: 'Jan 2021' }, { id: 'af202105', author: 'AF', short: 'dbFront has allowed us to centralize our data and improve many business processes.', date: 'May 2021' }, { id: 'nh202203', author: 'Nadine H.', short: 'I liked the ease of implementation especially for someone who had little background in the development of a web form.', date: 'March 2022' }, { id: 'ks202203', author: 'Karin S.', short: 'It\'s awesome and constantly improving. I would be lost without it!', date: 'March 2022' }, { id: 'ds202209', author: 'David S.', short: 'Once up and running, everything is lightening fast.', date: 'September 2022' }, { id: 'sb202401', author: 'Scott B.', short: 'Ease of use, quick setup, accesses SQL Server Express without issue.', date: 'January 2024' }, { id: 'jr202403', author: 'Johnathan R.', short: 'Tons of features and the team is incredibly supportive...', date: 'March 2024' } ]; var hasLocalStorage = function () { try { x = '__storage_test__'; localStorage.setItem(x, x); localStorage.removeItem(x); return true; } catch(e) { return false; } }(); function showNextReview() { try { var reviewId = (hasLocalStorage) ? localStorage.getItem("ReviewId") : undefined; if (typeof reviewId == "undefined") reviewId = Math.floor(Math.random() * reviewsjson.length); reviewId++; if (reviewId >= reviewsjson.length) reviewId = 0; if (hasLocalStorage) localStorage.setItem("ReviewId", reviewId); var review = reviewsjson[reviewId]; document.getElementById('randomReview').innerHTML = '<a href="/reviews#' + review.id + '" class="reviewLink">' + '<blockquote>' + '<p>' + review.short + '</p>' + '<cite>' + review.author + '   (review ' + (reviewId + 1) + ' of ' + reviewsjson.length + ')</cite>' + '</blockquote></a>'; } catch (e) { // statements to handle any exceptions console.log('ReviewSpinnerError:' + e); } } showNextReview(); if ( window.location.pathname == '/' || window.location.pathname == '/index.php') { setInterval(showNextReview, 5000); } </script> <a class='reviewsLinks' target='_blank' style='display:none;' href="https://www.bbb.org/ca/ab/edmonton/profile/computer-software/dbfront-works-0117-193945/#sealclick"> <div style="width:200px;height: 100px;background: url('https://seal-edmonton.bbb.org/logo/ruhzbul/bbb-193945.png') no-repeat left top;;" ></div> </a> <a class='reviewsLinks' target='_blank' href="https://www.linkedin.com/products/bigideasltd-dbfront/"> <img src='/images/linkedin.jpg' alt="" style='width:160px;border:1px black solid;' onerror="this.style.display='none'"' /> </a> <a class='reviewsLinks' target='_blank' href='https://www.capterra.com/database-management-software/reviews/143165/dbFront/dbFront%20Works?utm_source=vendor&utm_medium=badge&utm_campaign=capterra_reviews_badge'> <img border='0' src='https://assets.capterra.com/badge/3afe69a862cdc0bec0ca5f48564e612c.png?v=2101267&p=143165' alt="" onerror="this.style.display='none'"' /></a> <script> /* Save the Referral Code if given */ function saveReferral() { try { var referralCoupon = (window.location.hash||'').toUpperCase().split('#COUPON:')[1]; if (!referralCoupon || !hasLocalStorage) return; var contentEl = document.getElementById("dialogContent"); contentEl.innerHTML = '<div style="text-align:left">' + '<img src="https://dbfront.com/images/gift.png" style="float:left;width:80px;padding-right: 10px;"></img>'+ '<div style="float:left;width:280px;text-align: left;"><h2>We Saved Your 10% Off Referral Coupon</h2>'+ '<div style="color:#888;">'+ '<p style="padding-top:10px">You can continue to explore dbFront. We will automatically apply your coupon when you register your copy of dbFront.</p>'+ '<p style="padding-top:10px;font-weight:bold">Referral Coupon: ' + referralCoupon + '</p></div></div><div style="clear:both;"/></div>'; localStorage.setItem("referralcoupon", referralCoupon); window.location.hash = ''; dialogOpen(); } catch(ex) { console.err(ex); } }; $(function(){ if (!hasLocalStorage) return; saveReferral(); /* Load the form element if found and empty */ var couponCode = localStorage.getItem("referralcoupon"); if (couponCode) { var $referralCoupon = $('#referralcoupon'); if ($referralCoupon.length && !$referralCoupon.val()) { $referralCoupon.val(localStorage.getItem("referralcoupon")); localStorage.removeItem("referralcoupon"); } } }); </script> </div> <div class="section" id="socialmedia" > <h2>Connect</h2> <div class="icons"> <a href="https://twitter.com/dbFront"><img src="https://dbfront.com/theme/Innovation/assets/images/twitter.png" alt="twitter"/></a><a href="https://www.linkedin.com/company/dbfront"><img src="https://dbfront.com/theme/Innovation/assets/images/linkedin.png" alt="linkedin"/></a> </div> </div> <div class="section blog"> <h2>Blog</h2> <iframe src="/blog.php" frameborder="0" scrolling="no">

Server Outage Notice: dbFront.com will be transfering to a new Server on Friday 25th @ 7pm MST

Security Scan

Security Scan

Prevent site takeover with a CAA DNS Record

Further Reading:

Server Binding Check

Further reading:

Force SSL for Cookies

Further Reading:

Prevent Header Injection Attacks (Default: True)

Further Reading:

Prevent Clickjacking Attacks by Restricting Page Embedding

Further Reading:

Prevent MIME-sniffing attacks

Further Reading:

Disallow cross-domain policy files

Further Reading:

Limit the Referrer information included with redirect requests

Further Reading:

Force HTTPS usage

Further Reading:

Tenable - Missing HTTP Strict Transport Security Policy

Require a Content-Security-Policy to Limit the Attack Surface

Further Reading:

Manage access to browser features to enhance security and privacy