17 Security Best Practices

When using Oracle Visual Builder Add-in for Excel, follow these security-related best practices and recommendations.

Security Guidelines

Follow these best practices:
  • Update the add-in to the latest version available.
  • Restrict access to Excel documents containing sensitive data.
  • Consider adding passwords to workbooks to further reduce exposure.
  • Always use HTTPS endpoints instead of HTTP.
  • Do not use basic authentication.
  • Ensure that the latest Windows updates and security patches have been applied to the computers where you install the add-in.
  • Turn off older, obsolete security protocols such as SSL on the computers where the add-in runs.
  • Consider using Excel's Inspect Workbook feature (available on Excel's File menu) to review and remove personal information from the workbook before you distribute it. When you use the Document Inspector, make sure the Hidden Worksheets check box is not selected. You must not remove hidden worksheets, because the add-in uses hidden worksheets to integrate a workbook with the REST service.

Basic Authentication

The add-in supports basic authentication:
  • When using REST service endpoints protected by basic authentication, the user is prompted for credentials when the add-in connects to the endpoint.
  • When used with HTTP, basic authentication is not secure. Basic authentication should only be used with HTTPS, and preferably only in non-production environments.

JSON Web Token

In addition to basic authentication, the add-in supports authentication for REST services exposed by Fusion applications that use the JSON Web Token (JWT) relay servlet. No configuration on your part is required. The add-in automatically detects whether the Fusion application's service has the /anticsrf and /tokenrelay endpoints configured. The add-in then displays a pop-up browser window and navigates to the hosting web application's login page. When the user provides valid credentials, the pop-up closes automatically and access to the service proceeds using the token obtained during the login sequence.

Use of the JSON Web Token (JWT) relay servlet is only available for Fusion applications, as the path to the token relay service that the add-in uses is specific to Fusion applications.

Note:

In this release of the add-in, self-signed certificates do not work with the JWT relay servlet. A valid certificate issued by a well-known root certificate authority works with the JWT relay servlet.

TLS Security

When the add-in connects to a REST endpoint using HTTPS, it relies on the system default TLS behavior to determine which TLS protocol version is used. Because the add-in runs within the Excel process, it cannot rely entirely on the .NET 4.7 default setting to do this. To ensure that the system default behavior is in effect, the add-in sets the AppContext.DontEnableSystemDefaultTlsVersions property to false for the current app domain.
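The following C# snippet is an added example, not the add-in's own code, of the mechanism this section describes: it sets the .NET Framework AppContext switch `Switch.System.Net.DontEnableSystemDefaultTlsVersions` (the documented switch name behind the property named above) to false so that the operating system, rather than the .NET runtime, decides which TLS versions are offered, and then reports the effective setting so an administrator can verify it. The `TlsDefaults` class and method names are assumptions made for this example.

```csharp
using System;
using System.Net;

// Added example (not part of the add-in): defer TLS version selection to the
// operating system on .NET Framework 4.7+ and report the effective setting.
public static class TlsDefaults
{
    // Documented .NET Framework switch name; the text above refers to it as
    // AppContext.DontEnableSystemDefaultTlsVersions.
    private const string SwitchName =
        "Switch.System.Net.DontEnableSystemDefaultTlsVersions";

    // Must run before the first HTTPS request: ServicePointManager reads the
    // switch once, when the class is first initialized, so setting it later
    // has no effect on the current app domain.
    public static void UseSystemDefaultTls()
    {
        AppContext.SetSwitch(SwitchName, false);
    }

    // Returns a one-line description suitable for a diagnostic log entry.
    public static string Describe()
    {
        bool value;
        string switchState = AppContext.TryGetSwitch(SwitchName, out value)
            ? value.ToString()
            : "not set (runtime default applies)";

        // With the switch false on .NET 4.7+, SecurityProtocol reports
        // SystemDefault: the enabled protocol list comes from Windows (SCHANNEL),
        // so disabling SSL 3.0 or TLS 1.0 at the OS level also applies here.
        return "DontEnableSystemDefaultTlsVersions = " + switchState
             + "; ServicePointManager.SecurityProtocol = "
             + ServicePointManager.SecurityProtocol;
    }

    public static void Main()
    {
        UseSystemDefaultTls();
        Console.WriteLine(Describe());
    }
}
```

The design choice worth noting is what this avoids: hard-coding `ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12` pins the process to one version, so newer protocols enabled in Windows are never used and an obsolete one disabled there cannot be enforced; deferring to the system default keeps the add-in aligned with whatever the administrator has configured in SCHANNEL.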