Ricoh Aficio SP C820DNT1 Design Guide - Page 69
Print Controller Design Guide for Information Security

2-6 Web Applications

2-6-1 Web Server Framework

The MFP/LP Web Server was developed exclusively by Ricoh Co., Ltd.

Encrypted Communication Support

The Web server installed on the MFP/LP supports SSL communication. Since the MFP/LP is accessed via an HTTPS connection, all input/output data is encrypted (including authentication ID, password, and cookie). This allows for safe and secure communication between WebImageMonitor and the MFP/LP. The MFP/LP can be set to reject HTTP-based communication, which does not encrypt the data mentioned above, so that it accepts only HTTPS-based communication.

User Authentication Support

WebImageMonitor supports the access control functions described above in "Authentication/Access Control". These functions provide greater security by prohibiting unauthenticated users from changing any settings as well as limiting the number of items that can be viewed.

Protection Against Cross-site Scripting (XSS)

"Cross-site scripting" (XSS) is a security threat that refers to the intentional introduction of malicious script into data stored on a Web server, with the intent to cause damage or loss as a result of a valid user accessing the Web content associated with that server. Potential damage from XSS includes such common security threats as:

- User information is accessed, such as data stored in cookies
- Files stored on the PC are accessed or destroyed
- URL redirection to malicious Web sites

As mentioned above, authentication is required before any changes to the MFP/LP settings can be made from WebImageMonitor. This ensures that users without valid accounts are not able to introduce script containing malicious data. The MFP/LP sanitizes all HTML data that is sent from an MFP/LP Web application to WebImageMonitor. One of the strongest known countermeasures against cross-site scripting, data sanitizing deletes or neutralizes selected character strings designed to function as HTML tags or script.

Page 69 of 86
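The "deletes or neutralizes" step described above can be sketched as follows. This is an added example, not Ricoh's implementation or code from the guide; the function names, the job-record fields and the sample values are assumptions constructed for illustration.

```javascript
// Added example: sanitizing device-reported strings before they are
// placed into a management page. All names and data are constructed.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Neutralize: turn every markup-significant character into an inert
// entity. A single pass with a callback avoids double-encoding "&".
function neutralize(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Delete: drop complete tags, then neutralize what is left, so an
// unterminated "<" or a stray quote cannot survive the deletion pass.
// Note that deletion also discards legitimate text that looks like a tag.
function stripThenNeutralize(value) {
  return neutralize(String(value).replace(/<[^>]*>/g, ""));
}

// Tagged template: the literal parts are trusted page markup, and every
// interpolated value is neutralized, so a template cannot skip the step.
function html(strings, ...values) {
  return strings.reduce(
    (out, part, i) => out + part + (i < values.length ? neutralize(values[i]) : ""),
    ""
  );
}

// Constructed job-log record as a device application might report it.
const sampleJob = {
  user: 'guest"><b>x</b>',
  document: "Q3 <draft> & notes.pdf",
  pages: 12,
};

// Renders one table row; the same value is safe in both the attribute
// and the element body because quotes are encoded as well as brackets.
function renderJobRow(job) {
  return html`<tr><td title="${job.user}">${job.user}</td><td>${job.document}</td><td>${job.pages}</td></tr>`;
}
```

Neutralizing keeps the original text visible to the administrator, while deleting changes it, which matters when the field is also used for auditing.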