Security best practices
When self-hosted SeekTable is used only for a company's internal purposes (and access is controlled with a VPN),
the default app configuration is fine in most cases.
However, if on-premise SeekTable is accessible from the internet and/or is used to access reports that contain sensitive data, follow these best practices to avoid many security vulnerabilities:
- allow only HTTPS connections. For this purpose you need a reverse proxy server that handles incoming HTTPS traffic: this doc page explains how to set up NGINX as a reverse proxy (IIS can be used for the same purpose).
- set a unique value for the SeekTable_ST:PivotDataService:Jwt:IssuerSigningKeyString setting (the same value should be for
- disable the public sign-up form (this is possible only if your installation has an active "System/users admin" subscription).
- enable storing SHA256 hashes of user accounts' 'access key' values with
The login form can be disabled entirely when Active Directory SSO is configured.
If your security requirements are strict, it is also possible to:
- enable JWT encryption for tokens generated by the SeekTable app (
If reports are embedded with a JWT, the auth token is generated on your side and you can encrypt it too.
- force strong JWT signing/encryption (use SHA512/AES256 instead of SHA256/AES128,
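The following C# snippet is an added example, not SeekTable's own code and not its embed-token format: it shows how the System.IdentityModel.Tokens.Jwt library the app relies on can issue and validate a token that is signed with HMAC-SHA512 and wrapped in AES-256 encryption, i.e. the stronger options above. The issuer/audience strings and the "user_name" claim are assumptions for the demo, and the signing key stands in for the shared IssuerSigningKeyString value.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;

// Added example; needs the System.IdentityModel.Tokens.Jwt NuGet package.
public static class StrongJwtDemo
{
    const string Issuer = "embedding-app";   // assumed value
    const string Audience = "report-viewer"; // assumed value

    public static string Issue(byte[] signingKey, byte[] wrapKey, string userName)
    {
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = Audience,
            Subject = new ClaimsIdentity(new[] { new Claim("user_name", userName) }), // assumed claim
            Expires = DateTime.UtcNow.AddMinutes(15), // short lifetime limits replay of a leaked token
            // HMAC-SHA512 signature (the SHA512 option) ...
            SigningCredentials = new SigningCredentials(
                new SymmetricSecurityKey(signingKey), SecurityAlgorithms.HmacSha512),
            // ... wrapped in a JWE: AES-256 key wrap plus A256CBC-HS512 content encryption
            EncryptingCredentials = new EncryptingCredentials(new SymmetricSecurityKey(wrapKey),
                SecurityAlgorithms.Aes256KW, SecurityAlgorithms.Aes256CbcHmacSha512)
        };
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    public static ClaimsPrincipal Validate(string jwe, byte[] signingKey, byte[] wrapKey)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = new SymmetricSecurityKey(signingKey),
            TokenDecryptionKey = new SymmetricSecurityKey(wrapKey),
            ClockSkew = TimeSpan.FromMinutes(1)
        };
        // Throws SecurityTokenException when decryption, signature, issuer, audience or expiry fails.
        var principal = new JwtSecurityTokenHandler().ValidateToken(jwe, parameters, out var validated);
        // Also refuse tokens signed with a weaker algorithm than this deployment requires.
        if (((JwtSecurityToken)validated).InnerToken?.SignatureAlgorithm != SecurityAlgorithms.HmacSha512)
            throw new SecurityTokenInvalidSignatureException("expected an HS512 signature");
        return principal;
    }
}
```

For a self-contained run, generate `signingKey` with `RandomNumberGenerator.GetBytes(64)` (at least the HMAC output size) and `wrapKey` with `RandomNumberGenerator.GetBytes(32)` (a 256-bit key, as A256KW requires), then round-trip a token through `Issue` and `Validate`; in a real deployment the signing key is the secret shared by the issuing and validating sides.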
Some technical details that may be important if you need to pass a security audit:
- A SeekTable installation uses its own SQLite DB file (stored on the Docker volume). It is fully separated and isolated from cloud SeekTable.
- To make a full backup it is enough to copy the Docker volumes (DB + uploaded CSV files).
- SeekTable uses a standard Microsoft library to generate (sign, encrypt) and validate JWT tokens (System.IdentityModel.Tokens.Jwt).
- SeekTable's built-in sign-on (login box) uses the standard MVC Core cookie-based authentication provider.
- When a report is shared (via "Team Sharing", published to the web, or embedded with an iframe), viewers cannot access the cube's configuration details (such as the connection string or SQL query template) in any way.
- A DB query can be affected only through explicitly placed report parameter placeholders. SQL injection is not possible: parameter values are passed as ADO.NET command parameters (the exception is use of the Sql.Raw function in a parameter's "Expression", which should be used carefully).
- Self-hosted SeekTable doesn't collect any telemetry, and it doesn't require an internet connection to work.
Online activation of paid subscriptions requires an internet connection only at application start; offline activation (via email) is possible to avoid any external requests.