Security

This chapter describes how to run an Axon Ivy Engine in a safe way. This is important whether you provide an Ivy engine in a secure intranet environment or you make your engine accessible via the internet. Some parts need to be implemented by your IT Operations provider:

1. Run the Axon Ivy Engine behind a fully patched reverse proxy server (like NGINX, Apache HTTP Server or IIS).

2. Disable direct access to the Axon Ivy Engine.

3. Only allow access to the URLs of your application and block all other access.

4. Run the Axon Ivy Engine with a dedicated system user and database users with limited access rights.

5. Run the latest Axon Ivy Engine major version with all updates marked as security relevant.

6. Only serve users via HTTPS (configured on the reverse proxy).

7. Document and automate the server setup.

8. Ensure that the provider performs daily backups (database, relevant engine folders) which can also be restored…

Read more about other security tweaks which you can apply to your Axon Ivy Engine:

• Disable Features
• Permissions
• Security issues
• HTTP Headers
• CSRF Attack Prevention