Tightening Security in Safeguard Send for Office 365

As Safeguard Send for Office 365 matures, it’s important to tighten up security as more and more customers begin using it.  As a result, we will be implementing security features in the add-in, and if you use this add-in, some changes will impact you in the next 30 days.  We have implemented the following:

1) We turned off debugging by default.  You can always turn it back on, but previously it was the default to have it on during the early stages of development.  As the add-in gets more use, we no longer need all that information and are defaulting to not having debugging enabled for all users.

2) Although using “https” is the default for the add-in, it was possible to be able to also use the non-secure version if needed (that is, by using just “http”).  Going forward, we now force the use of “https”.

3) In combination with #2, we also force TLS 1.2 (we previously allowed TLS 1.0 and 1.1).

4) Previously, the add-in fetches your rules by calling out to our server and it uses your email address in the URL to get your rules.  We now embed any email address into the body of the fetch instead of being in the URL.  This required a change to both the client side and the server side of the add-in.  Note that because we use https and not plain old http, that the email address was never in danger of being exposed – but some web analyzers can capture the complete URL you are navigating to and as we grow we want to avoid prying eyes wherever possible.

5) We now enforce the use of API-Keys.  This is a “secret handshake” between your browser and our server (this is different than just https encryption).

6) We now perform request validation checks to prevent script attacks.

7) We implemented a new installation URL (https://addins.sperrysoftware365.com) for both better security and greatly improved performance (through the use of a cache known as a CDN).

These last two changes are big because they will be a breaking change – that is, once implemented it will prevent your current version from working unless you upgrade.

The first part of this upgrade took place over the last 30 days.

The next part is up to you, because you have until Wednesday, July 6th to remove and re-add the add-in.  We will of course send out reminders until that time to make sure that no one gets locked out when we finalize the changes on Wednesday, July 6th.

We expect this inconvenience to be a one time event.

To help you, we have refreshed our guide to removing and re-adding the add-in.  You can begin by following our guides to removing the add-in, then adding it back in.