Type: Suggestion
Resolution: Answered
Component/s: Security - Other
Environment: Standard install.
Hello,
First, I apologize if this has been fixed in later versions.
We have recently performed a basic security audit and there are a couple of low-risk points of interest that if fixed, would make your product look better on subsequent audits.
The first is that the login page allows the browser to auto-complete, which means that sensitive information could be stored in the browser. I understand that for some users it may be more of a feature, but in an enterprise environment this is a potential key to intellectual property. If you wish to accommodate your smaller users then perhaps make it an option in the administrative interface to turn on and off. The fix (if not already fixed in newer releases) may be as simple as adding an autocomplete=off in the form tag.
The second issue is that secure pages can be cached by the browser. Again, some customers may want this for some reason, but when intellectual property is at stake it is better to turn this off on the server side. A potential method is to set the HTTP header with:
'Pragma: No-cache' and 'Cache-control: No-cache'.
As a side note there seems to be potential for CSRF, but without definitive results I am not officially reporting them. If it turns out to be exploitable I'll create a new issue.
Thanks,
James
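An added audit check for the two points raised in this issue, not part of the report or of Confluence itself: it flags password fields the browser may remember and responses that carry no cache-prevention headers. The login form, field names and header sets are constructed samples standing in for a fetched page.

```python
from html.parser import HTMLParser


class _FormAuditor(HTMLParser):
    """Password inputs lacking autocomplete="off" on the field or its <form>."""
    def __init__(self):
        super().__init__()
        self._form_autocomplete = None   # value on the currently open <form>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form_autocomplete = a.get("autocomplete", "").lower()
        elif tag == "input" and a.get("type", "").lower() == "password":
            own = a.get("autocomplete", "").lower()
            inherited = own == "" and self._form_autocomplete == "off"
            if own != "off" and not inherited:
                self.findings.append(a.get("name") or "<unnamed>")

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_autocomplete = None


def password_fields_allowing_autocomplete(html):
    """Names of password fields the browser is allowed to store."""
    auditor = _FormAuditor()
    auditor.feed(html)
    return auditor.findings


def cache_directives(headers):
    """Directive names from Cache-Control, e.g. {"no-cache", "max-age"}."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {d.strip().split("=", 1)[0].lower()
            for d in lowered.get("cache-control", "").split(",") if d.strip()}


def page_is_cacheable(headers):
    """True when nothing in the response tells the browser not to cache it."""
    lowered = {k.lower(): v for k, v in headers.items()}
    pragma_off = "no-cache" in lowered.get("pragma", "").lower()
    return not (pragma_off or {"no-cache", "no-store"} & cache_directives(headers))


# Constructed samples: a login form, and headers before and after the fix.
LOGIN_HTML = ('<form method="post" action="/login"><input type="text" name="username">'
              '<input type="password" name="password"></form>')
WEAK_HEADERS = {"Content-Type": "text/html"}
FIXED_HEADERS = {"Content-Type": "text/html", "Pragma": "no-cache",
                 "Cache-Control": "no-cache, no-store, must-revalidate"}
```

Current browsers largely ignore autocomplete=off on password fields, so the header fix is the more durable of the two; of the directives, no-store is the one that actually stops the page being written to the browser cache, no-cache alone only forces revalidation.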
Relates to: CONFSERVER-32330 Autocomplete attribute is not off on password entry field (Closed)