
Security Checklist

There are a number of precautions that should be taken before running Exago in a production environment.

This article mentions several Admin Console settings. There are matching configuration file nodes and API properties that can be used for modifying these settings as well. For more information, review the Config File XML Reference and Config File and API Setting Reference articles.


This article references <WebApp>/, <WebSvc>/ and <Sched>/ as placeholders for the Web Application, Web Service API and Scheduler Service’s install locations respectively. The default install location is C:\Program Files\Exago\ExagoWeb (/opt/Exago/ on Linux), C:\Program Files\Exago\ExagoWebApi (/opt/Exago/WebServiceApi/ on Linux) or C:\Program Files\Exago\ExagoScheduler (/opt/Exago/Scheduler/ on Linux); however, these directories can be changed during installation.

Set an External Temp Path

The Temp directory contains working data that may contain sensitive information. If the Temp Path configuration setting is left blank, Exago will default to a Temp folder at the root of the installation directory. This is not recommended because it could expose temporary data to web access.

The Temp Path should be set to a location outside of the Exago installation (and behind the server’s firewall). Set the Temp Path in Admin Console > General > Main Settings > Temp Path.

Disable Direct Access

Access to Exago should be curated through the API so that user permissions can be set via Roles or the Storage Management identity system. Users should not be able to access the home page directly, which would bypass role restrictions. To disable direct access to Exago, set the Admin Console > General > Main Settings > Allow direct access to Exago (bypassing API) to False.

Set Configuration and API Credentials

A User ID, Password, and REST Key should be set in the configuration. This safeguards access to the Admin Console and REST API. See REST API for information on accessing a password-protected web service. To do so, set values for the following settings:

Remove the XML Configuration File

The Admin Console generates two copies of the base configuration: a plain-text XML file, typically WebReports.xml, and an encrypted version, WebReports.xml.enc. Plain-text config files may contain sensitive information, such as database connection strings, schemas, usernames, and passwords.

When your config settings have been finalized, the plain-text config file should be removed from the Config folder and saved in a secure location.

Remove the Admin Console

The Admin Console should not be accessible in a production environment. To permanently remove the Admin Console, in each installation:

  1. Delete <WebApp>\Bin\admin.aspx.cdcab7d2.compiled


Admin.aspx can be deleted as well, or edited to show a static error message.

Encrypt Scheduler Service Working Data


This section applies only in environments where at least one Scheduler Service is in use.

Each Scheduler Service stores working data in a local temporary folder. For security, this data should be encrypted. In each Scheduler Service’s configuration file:

  1. Set the <encrypt_schedule_files> setting to True. For example:
  2. Restart the Scheduler Service

Disable SOAP Web Service API


This section applies only in environments where the REST Web Service API is in use. If the .NET API is being used instead, the REST Web Service may not be installed. It may be uninstalled if it will not be used.

If you are using the REST Web Service API, disable the SOAP API to prevent any unauthorized requests. To do so, in each instance of the Web Service API:

  1. Delete <WebSvc>\Bin\api.asmx.cdcab7d2.compiled


Api.aspx can be deleted as well, or edited to show a static error message.
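
The file-level items above (plain-text config removal, Admin Console removal, Scheduler encryption, SOAP removal) can be verified after each deployment. The script below is an added example, not Exago's own tooling. It assumes the Config folder is <WebApp>/Config and that the Scheduler configuration is an XML file containing an encrypt_schedule_files element; the function name `audit` and its parameters are hypothetical.

```python
"""Added example: audit an Exago install against the file-level checklist items."""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# File names taken from this checklist.
ADMIN_COMPILED = "admin.aspx.cdcab7d2.compiled"
SOAP_COMPILED = "api.asmx.cdcab7d2.compiled"


def audit(webapp, websvc=None, sched_config=None):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    webapp = Path(webapp)

    # Plain-text config left beside its encrypted twin (X.xml next to X.xml.enc).
    # Assumption: the Config folder is <WebApp>/Config.
    for enc in sorted((webapp / "Config").glob("*.xml.enc")):
        plain = enc.with_suffix("")  # strips only the trailing ".enc"
        if plain.is_file():
            findings.append(f"plain-text config present: {plain}")

    if (webapp / "Bin" / ADMIN_COMPILED).is_file():
        findings.append("Admin Console still installed in Web Application")

    if websvc and (Path(websvc) / "Bin" / SOAP_COMPILED).is_file():
        findings.append("SOAP API still installed in Web Service API")

    # Assumption: the caller supplies the path of the Scheduler config file.
    if sched_config:
        try:
            node = ET.parse(sched_config).getroot().find(".//encrypt_schedule_files")
            value = (node.text or "").strip().lower() if node is not None else ""
        except (OSError, ET.ParseError) as exc:
            findings.append(f"cannot read Scheduler config: {exc}")
        else:
            if value != "true":
                findings.append("encrypt_schedule_files is not True")
    return findings


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: audit.py <WebApp> [<WebSvc>] [<scheduler config file>]")
    results = audit(*sys.argv[1:4])
    print("\n".join(results) or "all checks passed")
    sys.exit(1 if results else 0)
```

A non-zero exit status makes the script usable as a deployment gate; run it once per installation when several Web Application or Web Service API instances exist.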

Set Additional Response Header Flags When Using Content Security Policy

When using Content Security Policy (CSP) rules with the web server, set these additional HTTP Response Headers to ensure compatibility with Exago BI:

default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';

Instructions to configure the web server with these headers can be found at the links below:
