17 Security Best Practices

When using the Oracle Visual Builder Add-in for Excel, follow these security-related best practices and recommendations.

Security Guidelines

Follow these best practices:
  • Update the add-in to the latest version available.
  • Restrict access to Excel documents containing sensitive data.
  • Consider adding passwords to workbooks to further reduce exposure.
  • Always use HTTPS endpoints instead of HTTP.
  • Do not use basic authentication.
  • Ensure that the latest Windows updates and security patches have been applied to the computers where you install the add-in.
  • Turn off older obsolete security protocols such as SSL.
  • Also, consider using Excel's Inspect Workbook feature, available from Excel's File menu, to review and remove your personal information from a workbook before you distribute it. Do this for unpublished workbooks. In the Document Inspector, where you choose the content to inspect and potentially remove, clear the check box next to the Hidden Worksheets entry: the add-in uses hidden worksheets to integrate the Excel workbook with the REST service, so you must not remove hidden worksheets from the workbook that you distribute.

Basic Authentication

The add-in supports basic authentication. When using REST service endpoints protected by basic authentication, the user is prompted for credentials when the add-in connects to the endpoint. When used with HTTP, basic authentication is not secure. Basic authentication should only be used with HTTPS, and preferably only in non-production environments.
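The following is an added example, not code from the add-in or from Oracle, that turns the guidelines above (HTTPS only, no basic authentication, basic authentication at most over HTTPS outside production) into a check over a constructed list of endpoint settings, and shows why basic authentication over HTTP is not secure: the Authorization header is only base64-encoded, so anyone on the path can read the credentials. The endpoint URLs and the "env" field are assumptions made for the example.

```python
"""Added example (not Oracle's code): audit REST endpoint settings against the
security guidelines in this chapter, and decode a Basic Authorization header."""
import base64
from urllib.parse import urlparse

# Constructed sample: endpoint settings as a user might have configured them.
# Hostnames and paths are placeholders, not real Fusion endpoints.
SAMPLE_ENDPOINTS = [
    {"url": "https://fusion.example.com/svc/", "auth": "jwt", "env": "production"},
    {"url": "http://fusion.example.com/svc/", "auth": "basic", "env": "test"},
    {"url": "https://fusion.example.com/svc/", "auth": "basic", "env": "production"},
]


def check_endpoint(endpoint):
    """Return the list of guideline violations for one endpoint setting."""
    findings = []
    url = urlparse(endpoint["url"])
    auth = endpoint.get("auth", "")
    env = endpoint.get("env", "non-production")  # assumed field
    if url.scheme != "https":
        findings.append("endpoint is not HTTPS")
    if auth == "basic":
        if url.scheme != "https":
            findings.append("basic auth over HTTP sends credentials in the clear")
        if env == "production":
            findings.append("basic auth in production; prefer JWT relay or another token scheme")
    return findings


def audit(endpoints):
    """Map each endpoint URL to its findings (an empty list means compliant)."""
    return {e["url"] + "#" + e["auth"]: check_endpoint(e) for e in endpoints}


def decode_basic_header(header_value):
    """Recover (user, password) from a Basic Authorization header value.
    There is no secret involved: base64 is an encoding, not encryption,
    which is why basic auth over plain HTTP exposes the password."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    for key, findings in audit(SAMPLE_ENDPOINTS).items():
        print(key, findings or "ok")
    # Constructed header for user "alice" with password "s3cret".
    print(decode_basic_header("Basic YWxpY2U6czNjcmV0"))
```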

JSON Web Token

In addition to basic authentication, the add-in also supports authentication for REST services exposed by Fusion applications that use the JSON Web Token (JWT) relay servlet. No configuration is required by you. The add-in automatically detects whether the Fusion application's service has the /anticsrf and /tokenrelay endpoints configured. The add-in then displays a pop-up browser window and navigates to the hosting web application's login page. When the user provides valid credentials, the pop-up automatically closes and access to the service can proceed using the token obtained during the login sequence.

Use of the JSON Web Token (JWT) relay servlet is only available for Fusion applications, as the path to the token relay service that the add-in uses is specific to Fusion applications.

Note:

In this release of the add-in, using self-signed certificates with the JWT relay servlet will not work. A valid certificate issued from a well-known root certificate authority should work fine with the JWT relay servlet.