IMPORTANT SECURITY NOTES FOR PRODUCTION DEPLOYMENTS
===================================================

When deploying a Lightstreamer Server instance in a production environment, go through the following checklist to make sure that private information about the Server's operation is not accessible to unauthorized people.

1) Completely remove the "Demo" folder inside the "adapters" folder.
   The pre-installed DEMO Adapter Set enables subscriptions to the internal Monitor Data Adapter, and you do not want unauthorized clients to be able to read the Monitor Data Adapter.

2) Completely remove the "demos" folder inside the "pages" folder.
   You do not want to expose any demo pages in production. Furthermore, since it is recommended to host your pages on an external Web server, you can disable the Lightstreamer internal Web server entirely by setting the relevant element in "lightstreamer_conf.xml" to N.

3) Restrict access to the Monitor Console.
   The embedded Monitor Console is a handy tool for watching the status of Lightstreamer Server in real time. To prevent unauthorized people from accessing it, edit the relevant element in "lightstreamer_conf.xml" as follows:
   - disable unrestricted access by setting the corresponding flag to N;
   - define at least one user id and password;
   - for further restrictions, you may want to:
     . isolate the Monitor Console on a different socket from the one used for external operations. In this case, set the corresponding flag to N and define the server that should serve the Monitor requests;
     . change the default Monitor URI.

4) Restrict access to JMX.
   The Java Management Extensions (JMX) interfaces provide a standard means to monitor and administer Lightstreamer Server. You may want to restrict access to the JMX TCP ports (configured in "lightstreamer_conf.xml") through your firewall. Four port elements are involved, each inside its own connector block: one defaults to 8888, one is unused by default and two are unset by default, so out of the box only the port that defaults to 8888 is reachable. Allow these ports only from your administration hosts; an exposed JMX connector lets anyone who reaches it administer the Server.

5) Configure cross-origin policies.
   By default the Server allows access from any page, even on foreign hosts: one element is set to N and another contains an "allow all" rule. Restrict access by reconfiguring those elements. Note anyway that these rules only apply to browser-based JavaScript client connections and do not in any way prevent access from other kinds of clients.

6) If you use HTTPS:
   a) Install the 256-bit cipher suites in the Java Virtual Machine. In most countries such cipher suites need to be downloaded separately from the Oracle/SUN site (search for "JCE Unlimited Strength Jurisdiction Policy Files"). Recent JDK releases ship with the unlimited policy enabled by default; Cipher.getMaxAllowedKeyLength("AES") returning Integer.MAX_VALUE confirms it.
   b) Disable support for low-encryption ciphers (usually those with a key length smaller than 128 bits). Key length is not the only criterion: RC4 suites have 128-bit keys but are broken, NULL suites provide no encryption at all, and anonymous (anon) suites provide no server authentication, so disable those too.
      - Set the "LightstreamerLogger.connections.ssl" logger in "lightstreamer_log_conf.xml" to DEBUG and look in the log file for all the enabled cipher suites. Decide which ones should be disabled, based on your own security policy.
      - Use the dedicated elements in "lightstreamer_conf.xml" to configure the cipher suites to disable. Multiple such lines are allowed; keeping the preconfigured line is also advisable.
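The review described in step 6b (read the enabled suites out of the DEBUG log, decide which to disable) is tedious to do by eye. The script below is an added example by the editor, not code shipped with Lightstreamer: it pulls JSSE cipher-suite names out of log text and flags the ones a typical policy would disable. The log lines in SAMPLE_LOG are constructed, and their layout is an assumption (the extractor only relies on the suite names, not on the surrounding format). The weakness criteria go beyond the "smaller than 128 bits" rule in the text and also catch RC4, NULL, export-grade, anonymous and Triple DES suites.

```python
import re
from typing import Dict, List, Optional, Tuple

# JSSE suite names look like TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 or
# SSL_RSA_WITH_DES_CBC_SHA; "anon" is lowercase in TLS_DH_anon_* names.
CIPHER_RE = re.compile(r"\b(?:TLS|SSL)_[A-Za-z0-9_]+")

# Constructed sample of what the "LightstreamerLogger.connections.ssl" logger
# might print at DEBUG level. The line layout is an assumption; only the
# suite names matter to the parser. The last line is a deliberate duplicate.
SAMPLE_LOG = """\
01-Jan-24 10:00:00,000|DEBUG|LightstreamerLogger.connections.ssl |Enabled cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
01-Jan-24 10:00:00,001|DEBUG|LightstreamerLogger.connections.ssl |Enabled cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
01-Jan-24 10:00:00,002|DEBUG|LightstreamerLogger.connections.ssl |Enabled cipher suite: TLS_RSA_WITH_RC4_128_MD5
01-Jan-24 10:00:00,003|DEBUG|LightstreamerLogger.connections.ssl |Enabled cipher suite: SSL_RSA_WITH_DES_CBC_SHA
01-Jan-24 10:00:00,004|DEBUG|LightstreamerLogger.connections.ssl |Enabled cipher suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
01-Jan-24 10:00:00,005|DEBUG|LightstreamerLogger.connections.ssl |Enabled cipher suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
01-Jan-24 10:00:00,006|DEBUG|LightstreamerLogger.connections.ssl |Enabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
01-Jan-24 10:00:00,007|DEBUG|LightstreamerLogger.connections.ssl |Enabled cipher suite: SSL_RSA_WITH_NULL_SHA
01-Jan-24 10:00:00,008|DEBUG|LightstreamerLogger.connections.ssl |Enabled cipher suite: TLS_RSA_WITH_RC4_128_MD5
"""


def weak_reason(suite: str) -> Optional[str]:
    """Return why a cipher suite should be disabled, or None if it passes.

    Order matters: an export suite is rejected as export-grade even though it
    also names RC4, and the DES check must not match 3DES_EDE.
    """
    s = suite.upper()
    if "_NULL_" in s:
        return "NULL cipher: no encryption at all"
    if "_ANON_" in s:
        return "anonymous key exchange: no server authentication"
    if "EXPORT" in s:
        return "export-grade suite: 40/56-bit keys"
    if "_RC4_" in s:
        return "RC4 is broken regardless of its 128-bit key"
    if "_RC2_" in s:
        return "RC2: 40-bit key"
    if "_DES_" in s:
        return "single DES: 56-bit key"
    if "3DES_EDE" in s:
        return "Triple DES: 112-bit effective strength, 64-bit block (Sweet32)"
    return None


def audit(log_text: str) -> Tuple[List[str], Dict[str, str]]:
    """Split the suites found in log_text into (kept, to_disable).

    Duplicates are collapsed; order of first appearance is preserved.
    """
    kept: List[str] = []
    to_disable: Dict[str, str] = {}
    for match in CIPHER_RE.finditer(log_text):
        name = match.group(0)
        if name in kept or name in to_disable:
            continue
        reason = weak_reason(name)
        if reason is None:
            kept.append(name)
        else:
            to_disable[name] = reason
    return kept, to_disable


if __name__ == "__main__":
    kept_suites, weak_suites = audit(SAMPLE_LOG)
    print("keep:")
    for name in kept_suites:
        print("  " + name)
    print("disable (copy each name into the disable-suites elements of lightstreamer_conf.xml):")
    for name, why in weak_suites.items():
        print(f"  {name}: {why}")
```

Run it against a real log with `audit(open("LS.log").read())`; every name in the returned dictionary is a candidate for the disable-suites elements in "lightstreamer_conf.xml". The criteria are a starting point: tighten `weak_reason` (for example to reject all CBC or SHA-1 suites) to match your own policy, and re-check the DEBUG log after restarting the Server to confirm the suites are actually gone.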