Specifications

Print Controller Design Guide for Information Security:
18. Web Applications
Web Server Framework
The MFP/LP Web Server was developed exclusively by Ricoh, Co. Ltd.
Encrypted Communication Support
The Web server installed on the MFP/LP supports SSL communication. Since the MFP/LP is
accessed via an HTTPS connection, all input/output data is encrypted (incl. authentication ID,
password, and cookie). This allows for safe and secure communication between WebImageMonitor
and the MFP/LP. It is possible to set the MFP/LP so that it will reject HTTP-based communication,
which does not encrypt the data mentioned above, such that it will only accept HTTPS-based
communication.
User Authentication Support
WebImageMonitor supports the access control functions described above in “Authentication/Access
Control”. These functions provide greater security by prohibiting unauthenticated users from
changing any settings as well as limiting the number of items that can be viewed.
Protection Against Cross-site Scripting (XSS)
“Cross-site scripting” is a security threat that refers to the introduction of malicious script into the
data stored on a Web server with the purpose of causing the following damage when a valid user
accesses a Web page associated with that server:
- User information is accessed, such as data stored in cookies
- Files stored on the PC are accessed or destroyed
- URL redirection to malicious Web sites
As mentioned above, authentication is required before any changes to the MFP/LP settings can be
made from WebImageMonitor. This ensures that users without valid accounts are not able to
introduce script containing malicious data.
The MFP/LP sanitizes all HTML data that is sent from an MFP/LP Web application to
WebImageMonitor. One of the strongest known countermeasures against cross-site scripting, data
sanitizing deletes or neutralizes selected character strings designed to function as HTML tags or
script.
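
The difference between "deleting" and "neutralizing" in the paragraph above, as an added example (not Ricoh's code and not part of the original guide): the function names, the block-list pattern, the settings-row markup and the sample device names are all assumptions constructed for illustration.

```python
import html
import re

# Hypothetical "delete" filter: strips one block-listed tag name in a single pass.
_SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def sanitize_by_deleting(value: str) -> str:
    """Remove <script> / </script> tags from the value (single pass)."""
    return _SCRIPT_TAG.sub("", value)


def sanitize_by_neutralizing(value: str) -> str:
    """Encode & < > " ' so the browser displays them as text, not markup."""
    return html.escape(value, quote=True)


def render_setting_row(label: str, value: str) -> str:
    """Build one row of a (hypothetical) settings page from stored values."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        sanitize_by_neutralizing(label), sanitize_by_neutralizing(value)
    )


# Constructed sample values for a stored "device name" setting.
SAMPLES = [
    "3F Printer <East & West>",                    # legitimate name with markup characters
    "<script>alert(1)</script>",                   # stored script
    "<scr<script>ipt>alert(1)</scr</script>ipt>",  # fragments around a deleted tag
]


def compare(samples=SAMPLES):
    """Return (raw, deleted, neutralized) for each sample value."""
    return [
        (s, sanitize_by_deleting(s), sanitize_by_neutralizing(s)) for s in samples
    ]


if __name__ == "__main__":
    for raw, deleted, neutralized in compare():
        print("raw        :", raw)
        print("deleted    :", deleted)
        print("neutralized:", neutralized)
        print()
```

Single-pass deletion leaves the third sample as live markup because the surrounding fragments join once the inner tag is removed, while neutralizing leaves no raw `<` in any sample and keeps the legitimate name recoverable.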