Security Protocol / Encryption for Content Delivery API

Firstly I should say thanks for having a separate forum for Content Delivery API.

We are using Content Delivery API and our client security team asked us about the security protocol being used in the API (what kind of encryption does Episerver use, is it TLS 1.0 / TLS 1.2, etc.).

#224743
Jun 24, 2020 23:07
Hi,

Unless I've misunderstood what you're after, that sounds more like an infrastructure question than an Episerver one, as the HTTPS protocol version is negotiated between the browser and the server, not the application. If Episerver handles your infrastructure via DXP, SSL is handled through Cloudflare, who are pretty on-the-ball when it comes to the latest updates in security, though what's supported will depend on configuration. In some configurations you can disable older SSL/TLS protocols which have known security issues, leaving just TLS 1.2 and 1.3 (as required for certain levels of PCI compliance), but it's something you'd probably need to check with Episerver support. If you're hosting it yourself, it will entirely depend on how the servers/CDN have been configured.

#224746
Jun 25, 2020 8:13
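
The reply above says the protocol version is negotiated between client and server and depends on how the edge is configured. As an added example (not part of the original thread), this Python script offers one TLS version at a time to an endpoint you operate and records which handshakes complete; the function names and result labels are assumptions made for the example.

```python
import socket
import ssl
import sys
import warnings

# Protocol versions to probe, oldest first.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}

def _context(version):
    """Client context that offers exactly one protocol version."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # TLS 1.0/1.1 are deprecated
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False       # only the protocol version is under test,
        ctx.verify_mode = ssl.CERT_NONE  # so certificate validation is skipped
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let the local OpenSSL offer old versions
        ctx.minimum_version = version
        ctx.maximum_version = version
    return ctx

def probe(host, port=443, timeout=5.0):
    """Return {version: 'accepted' | 'rejected' | 'unreachable' | 'client-unsupported'}."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            raw = socket.create_connection((host, port), timeout=timeout)
        except OSError:
            results[name] = "unreachable"
            continue
        with raw:
            try:
                with _context(version).wrap_socket(raw, server_hostname=host):
                    results[name] = "accepted"   # handshake completed at this version
            except OSError:                      # TLS alert, reset or timeout
                results[name] = "rejected"
            except ValueError:                   # local OpenSSL built without this version
                results[name] = "client-unsupported"
    return results

def weak_versions(results):
    """Accepted versions older than TLS 1.2, the ones the reply says can be disabled."""
    return [n for n in ("TLS 1.0", "TLS 1.1") if results.get(n) == "accepted"]

if __name__ == "__main__" and len(sys.argv) > 1:
    found = probe(sys.argv[1])
    print(found, "weak:", weak_versions(found))
```

A "rejected" result only means no handshake completed at that version from this client, so confirm any surprising result from a second vantage point before reporting it.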
Thanks for the explanation, Paul. We are using DXP hosting. My thought was the same, that it would probably be Cloudflare where encryption is handled. I thought, however, it would be better to see if anyone had further information on it.

#224770
Jun 25, 2020 14:27