Security instructions
This page provides an overview of how to secure a Camunda Optimize installation. For Camunda's security policy, a list of security notices, and a guide on how to report vulnerabilities, visit the general security documentation.
This guide also identifies areas where we consider security issues to be relevant for the Camunda Optimize product and list those in the subsequent sections. Compliance for those areas is ensured based on common industry best practices and influenced by security requirements of standards like OWASP Top 10 and others.
- Camunda 7
- Optimize
- Database
Optimize does not operate on its own, but needs the Camunda 7 engine to import the data from and Elasticsearch to store the data. A detailed description of the setup can be found in the architecture overview guide.
The BPMN with its process engine is a full standalone application which has a dedicated security guide. The sections that are of major importance for the communication with Optimize are: enabling authentication for the REST API and enabling SSL/HTTPS.
Optimize already comes with a myriad of settings and security mechanism by default. In the following you will find the parts that still need manual adjustments.
Disable HTTP
For security reasons, we recommend using Optimize over HTTPS and disabling HTTP. You can disable HTTP by setting the HTTP property in the container settings to an empty/null value. Consult the respective section in the configuration guide for the more details.
Fine tune Optimize security headers
Over time, various client-side security mechanisms have been developed to protect web applications from various attacks. Some of these security mechanisms are only activated if the web application sends the corresponding HTTP headers in its server responses.
Optimize adds several of these headers which can be fine-tuned in the configuration to ensure appropriate security.
Authentication
Camunda 7 onlyAuthentication controls who can access Optimize. Read all about how to restrict the application access in the user access management guide.
Authorization
Camunda 7 onlyAuthorization controls what data a user can access and change in Optimize once authenticated. Authentication is a prerequisite to authorization. Read all about how to restrict the data access in the authorization management guide.
Optimize stores its data in Elasticsearch or OpenSearch, which are search engines that act as a document-based datastore. To protect access to this data, the database should be configured carefully as well. Refer to the official security guidelines for ElasticSearch or OpenSearch.
Within the Optimize configuration, you can then enable SSL and/or the credentials to be used when Camunda Optimize connects to the database. See Elasticsearch Security or OpenSearch Security for details.