Security Notes
Password Storage
Content Fusion stores user passwords as salted and stretched hashes rather than in plain text. Salting and stretching make brute-force attacks against the stored hashes more expensive.
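To make "salted and stretched" concrete, here is an added example (not Content Fusion code, and not a description of its internal scheme) that hashes and verifies a password with OpenSSL's sha512crypt ("$6$") format. sha512crypt iterates SHA-512 5000 times by default, so each guess costs an attacker that same stretching work, and the per-user random salt means two users with the same password get different hashes. The function names and the demo passwords are the example's own.

```shell
#!/bin/sh
# Added example, not Content Fusion code: what "salted and stretched" means in
# practice, using OpenSSL's sha512crypt scheme ("$6$"). sha512crypt iterates
# SHA-512 5000 times by default, so every guess an attacker makes costs that
# same stretching work, and the per-user salt means equal passwords do not
# produce equal hashes (so one precomputed table cannot cover all users).

# hash_password PASSWORD [SALT]
# Prints "$6$<salt>$<digest>". Without SALT a fresh 16-character random salt
# is drawn from /dev/urandom; SALT is accepted only so results are repeatable.
hash_password() {
  pw=$1
  salt=${2:-$(head -c 32 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | cut -c1-16)}
  openssl passwd -6 -salt "$salt" "$pw"
}

# verify_password PASSWORD STORED_HASH
# The salt is read back from the stored string (third "$"-separated field),
# the hash is recomputed and compared. Returns 0 on match, 1 otherwise.
verify_password() {
  pw=$1
  stored=$2
  salt=$(printf '%s\n' "$stored" | cut -d'$' -f3)
  computed=$(openssl passwd -6 -salt "$salt" "$pw")
  [ "$computed" = "$stored" ]
}

# Stand-alone demo: run with --demo.
if [ "${1:-}" = "--demo" ]; then
  h=$(hash_password 'correct horse battery staple')
  echo "stored:                  $h"
  echo "same password, new salt: $(hash_password 'correct horse battery staple')"
  verify_password 'correct horse battery staple' "$h" && echo "right password: match"
  verify_password 'Tr0ub4dor&3' "$h" || echo "wrong password: no match"
fi
```

The verify step never stores or compares the plain-text password; it only recomputes the hash with the stored salt, which is why a stored hash is useless to an attacker without the stretching work per guess.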
HTTPS
Traffic to and from Content Fusion is encrypted by default with an automatically generated certificate. Before exposing the service to users, the administrator should upload a valid HTTPS certificate issued for the Content Fusion hostname.
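Before uploading a certificate it is worth checking from the shell that the private key actually belongs to the certificate, that the certificate names the Content Fusion hostname, and that it is not about to expire. The script below is an added example, not part of Content Fusion and not its upload mechanism; the file names cert.pem and key.pem and the hostname cf.example.com are placeholders.

```shell
#!/bin/sh
# Added example, not Content Fusion code: pre-upload checks for the HTTPS
# certificate. Arguments (certificate file, key file, hostname) are assumed
# inputs; nothing here talks to the Content Fusion administration UI.

# cert_key_match CERT KEY : 0 if the public key in CERT equals the public
# half of KEY. A mismatched pair is a common upload mistake and cannot
# serve TLS at all.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# cert_covers_host CERT HOSTNAME : 0 if HOSTNAME is listed in the
# subjectAltName extension, directly or via a wildcard for its parent
# domain. Legacy certificates without a SAN fall back to the subject CN.
cert_covers_host() {
  host=$2
  parent=${host#*.}
  san=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | tr -d ' ' | tr ',' '\n')
  case $san in
    *DNS:*) printf '%s\n' "$san" | grep -qixF -e "DNS:$host" -e "DNS:*.$parent" ;;
    *)      openssl x509 -in "$1" -noout -subject 2>/dev/null | grep -qi "CN *= *$host" ;;
  esac
}

# cert_valid_for_days CERT DAYS : 0 if CERT is still valid DAYS from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# precheck CERT KEY HOSTNAME : runs all checks, prints a report, returns 0
# only when every check passes.
precheck() {
  rc=0
  if cert_key_match "$1" "$2"; then echo "ok:   private key matches certificate"
  else echo "FAIL: private key does not match certificate"; rc=1; fi
  if cert_covers_host "$1" "$3"; then echo "ok:   certificate covers $3"
  else echo "FAIL: certificate does not cover $3"; rc=1; fi
  if cert_valid_for_days "$1" 30; then echo "ok:   valid for at least 30 more days"
  else echo "FAIL: certificate expires within 30 days (or is already expired)"; rc=1; fi
  return $rc
}

# Usage: sh cert_precheck.sh cert.pem key.pem cf.example.com
if [ $# -eq 3 ]; then
  precheck "$1" "$2" "$3"
fi
```

The hostname check deliberately reads the SAN extension first, because browsers ignore the subject CN when a SAN is present; the CN fallback is only for old certificates. The `-ext` option of `openssl x509` needs OpenSSL 1.1.1 or later.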
Incoming Connections
Content Fusion accepts connections on ports 80 and 443 for serving the Content Fusion Web UI and on port 9080 for serving the Administration Web UI. The machine that hosts Content Fusion should allow incoming connections on port 22 for SSH access.
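A quick way to confirm that the host exposes only the ports listed above is to compare its externally reachable TCP listeners against that allow-list. The following script is an added example, not part of Content Fusion; it reads the output of the Linux `ss -ltnH` command (constructed sample lines are used in the test) and ignores loopback-only listeners, since services that only talk locally are not reachable from the network.

```shell
#!/bin/sh
# Added example, not Content Fusion code: audit the host's externally
# reachable listening TCP ports against the set the documentation expects
# (22 SSH, 80/443 Content Fusion Web UI, 9080 Administration Web UI).
# Input is `ss -ltnH` output (Linux) on stdin.

EXPECTED_PORTS="22 80 443 9080"

# listening_ports: prints one port per line for every non-loopback TCP
# listener in the `ss -ltnH` lines read from stdin. Loopback-only listeners
# (127.0.0.1, ::1) are skipped: they are not reachable from the network.
listening_ports() {
  awk '{
    addr = $4                       # e.g. 0.0.0.0:80, [::]:443, 127.0.0.1:5432
    n = split(addr, parts, ":")
    port = parts[n]
    host = substr(addr, 1, length(addr) - length(port) - 1)
    if (host == "127.0.0.1" || host == "[::1]" || host == "::1") next
    print port
  }' | sort -un
}

# unexpected_listeners: prints every listening port that is not in
# EXPECTED_PORTS; returns 1 if there was at least one, 0 otherwise.
unexpected_listeners() {
  found=0
  for p in $(listening_ports); do
    case " $EXPECTED_PORTS " in
      *" $p "*) ;;
      *) echo "$p"; found=1 ;;
    esac
  done
  return $found
}

# Run against the live host with --live (requires iproute2's ss).
if [ "${1:-}" = "--live" ]; then
  if ss -ltnH | unexpected_listeners; then
    echo "no unexpected listeners"
  else
    echo "review the ports listed above: they are reachable but not documented"
  fi
fi
```

Run it periodically or from a configuration check; a new port showing up is the kind of change (a debug interface, a database bound to all addresses) that is easy to miss otherwise.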
Outgoing Connections
Content Fusion opens outgoing connections to the following servers, when they are configured:
- Email server for notifications and password resets (see Content Fusion Enterprise Administration Page - Mail Tab for configuration details).
- LDAP server for LDAP authentication (see Content Fusion Enterprise Administration Page - Authentication Tab for configuration details).
Size Limits
Each task has a configurable size limit (default is 1Gb) and a configurable limit on the number of files it may contain (default is 32767).
Information Exclusivity
Task owners can choose who has access to Content Fusion tasks. They can specify a list of allowed collaborators on a task or allow anyone with access to the link to collaborate.
OAuth2 Authentication
Content Fusion can be configured to let users authenticate with their Google or GitHub accounts. Accounts created through this method have no Content Fusion password; authentication is delegated to the chosen provider, Google or GitHub.
Internal Connections
Content Fusion is composed of multiple internal services that communicate with each other. This communication is authenticated with passwords generated at installation time.
Transport Layer Security
Content Fusion supports TLS v1.2 and TLS v1.3. Support for TLS v1.0 and v1.1 has been removed.
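To confirm this from a client's point of view after deployment, the script below (an added example, not Content Fusion code) asks `openssl s_client` to handshake with each protocol version pinned and checks that 1.0 and 1.1 are refused while 1.2 and 1.3 succeed. The host and port are assumed inputs; the parsing functions are exercised on constructed s_client output.

```shell
#!/bin/sh
# Added example, not Content Fusion code: verify from a client that the
# deployment negotiates TLS 1.2 and 1.3 and refuses TLS 1.0 and 1.1, using
# `openssl s_client`. Host and port are assumed inputs.

# negotiated_version: reads `openssl s_client` output on stdin and prints
# the protocol version that was negotiated ("TLSv1.2", "TLSv1.3", ...) or
# "none". A failed handshake prints the line "New, (NONE), Cipher is (NONE)".
negotiated_version() {
  v=$(sed -n 's/^New, \(TLSv1\.[0-9]\), Cipher is .*/\1/p' | head -n 1)
  if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'none\n'; fi
}

# expected_for FLAG: the policy this page documents, per s_client flag.
expected_for() {
  case $1 in
    -tls1|-tls1_1) echo none ;;
    -tls1_2)       echo TLSv1.2 ;;
    -tls1_3)       echo TLSv1.3 ;;
    *)             echo unknown ;;
  esac
}

# judge FLAG GOT: prints one report line; returns 1 when GOT contradicts
# the expected policy for FLAG.
judge() {
  want=$(expected_for "$1")
  if [ "$2" = "$want" ]; then
    printf '%-8s %-8s ok\n' "$1" "$2"
  else
    printf '%-8s %-8s FAIL (expected %s)\n' "$1" "$2" "$want"
    return 1
  fi
}

# probe HOST PORT FLAG: FLAG is one of -tls1 -tls1_1 -tls1_2 -tls1_3.
# SECLEVEL=0 lets the client offer the old versions, so a refusal is the
# server's decision rather than the client's own policy. If your OpenSSL
# build has TLS 1.0/1.1 compiled out, the probe reports "none" for them
# regardless of the server, so confirm with a second tool in that case.
probe() {
  printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$1" \
      -cipher 'DEFAULT:@SECLEVEL=0' "$3" 2>/dev/null | negotiated_version
}

# check HOST PORT: probes all four versions; returns 1 on any deviation.
check() {
  rc=0
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    judge "$flag" "$(probe "$1" "$2" "$flag")" || rc=1
  done
  return $rc
}

# Usage: sh tls_check.sh --host cf.example.com [443]
if [ "${1:-}" = "--host" ]; then
  check "$2" "${3:-443}"
fi
```

The check is intentionally driven from the same `openssl s_client` text a human would read, so a FAIL line can be reproduced by hand with the flag shown in it.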