Any Last Minute Security Details Before Going LIVE


Sherry Lake

Mar 9, 2016, 9:44:32 AM
to Dataverse Users Community
We are going "semi-live" (low key) on the 15th and want to make sure we have dealt with all security concerns.

The only thing I found is the note about running the post-install-api-block script. Anything else?

Sherry Lake

Philip Durbin

Mar 9, 2016, 10:01:36 AM
The fix for hasn't made it into a release yet (I think it will make it into Dataverse 4.4) so setting the ":AllowSignUp" database setting to "no" or "false" doesn't work. This is warned about at . If you're planning on keeping ":AllowSignUp" as "yes" (the default), then there is no security problem.

In addition to blocking API endpoints (very important!!) also suggests enforcing HTTPS.

In some docs I'm working on at I mention the "BuiltinUsers.KEY" database setting. This string is necessary to create local users via API. You could delete or scramble it so it doesn't have the default value. Ensuring that "builtin-users" is in your list of blocked endpoints is even more secure.

I hope this helps. Let us know when you'd like your installation to be on the map at ! :)
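
The three settings points from the reply above, written as a pre-launch check over a dump of the installation's database settings. This is an added example, not part of the original thread and not Dataverse project code. It assumes the dump is JSON with a `data` map of setting name to value, that the blocked list is the comma-separated `:BlockedApiEndpoints` setting, and that the caller supplies the installer's default key (a placeholder is used here); `audit_settings` and the sample values are hypothetical and constructed.

```python
import json

# Constructed sample dump. The JSON shape and the ":BlockedApiEndpoints"
# setting name are assumptions; the key value is a placeholder, not a real default.
SAMPLE = json.dumps({"status": "OK", "data": {
    ":BlockedApiEndpoints": "admin, test",
    "BuiltinUsers.KEY": "DEFAULT-KEY-PLACEHOLDER",
    ":AllowSignUp": "false",
}})

# Endpoints the thread says should be blocked before going live.
REQUIRED_BLOCKED = {"admin", "builtin-users"}


def audit_settings(settings_json, default_key):
    """Return a list of findings for the settings discussed in the thread."""
    data = json.loads(settings_json).get("data") or {}
    findings = []

    # 1. API endpoint blocking: normalise "admin", " admin ", "/admin/".
    raw = data.get(":BlockedApiEndpoints") or ""
    blocked = {p.strip().strip("/").lower() for p in raw.split(",") if p.strip()}
    for endpoint in sorted(REQUIRED_BLOCKED - blocked):
        findings.append(f"endpoint not blocked: {endpoint}")

    # 2. BuiltinUsers.KEY: a deleted key (absent) or a scrambled one passes.
    if data.get("BuiltinUsers.KEY") == default_key:
        findings.append("BuiltinUsers.KEY still has the default value")

    # 3. :AllowSignUp: per the thread, "no"/"false" is not honoured until the
    #    fix is released, so relying on it gives false assurance.
    signup = str(data.get(":AllowSignUp", "yes")).strip().lower()
    if signup in ("no", "false"):
        findings.append(":AllowSignUp is disabled but may not be enforced yet")

    return findings


if __name__ == "__main__":
    for line in audit_settings(SAMPLE, "DEFAULT-KEY-PLACEHOLDER"):
        print("FINDING:", line)
```

HTTPS enforcement is not visible in the settings dump and has to be checked separately at the web server or proxy in front of the application.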

