Contact Support


Security Hardening for Netsparker Enterprise On-Premises

You can follow this security hardening guide to improve the security of your On-Premises installation.

Updating to the current version

It is strongly recommended that you always run the latest version of Netsparker Enterprise On-Premises.

Invicti Enterprise is available as an On-Demand and On-Premises solution. Netsparker Enterprise On-Premises solution runs on your servers and network, so it is strongly recommended you update the On-Premises manually whenever there is an update.

  • Updating it lets you scan your web application with new security checks and improvements against the latest threats to security. The new version also includes fixes and improvements for the On-Premises solution.
  • When Invicti releases a new version of the On-Premises solution, it pushes this version to all users. It shows you information, saying that, "A new version of Netsparker Enterprise is available. Download the latest version." This information box also includes the release notes.

For further information, see Updating Netsparker Enterprise On-Premises.

Configuring the SSL/TLS Certificate for Netsparker Enterprise Application Server

Unless your Netsparker Enterprise Application Server is configured to use HTTPS, the traffic between the Netsparker Enterprise Agents and Netsparker Enterprise Application Server will be in the cleartext.

  • Netsparker Enterprise requires Transport Layer Security (TLS) for the communication between the Application Server and the Agent(s).
  • The application server in Netsparker Enterprise provides the web interface that enables the efficient administration and automation of scans. This is the application that you see and use via the Netsparker Enterprise UI.
  • The agent is a service application that executes scans and informs the application server of the results.

The following diagram shows the architecture of Netsparker Enterprise.

If you fail to configure HTTPS for the application server, its communication with the agent will be in cleartext. To prevent this scenario for your security, you need to install your website certificate in Microsoft IIS. For further information about installing SSL certificates, see Step-by-Step instructions on Installing SSL Certificate on Microsoft IIS 8, 8.5 and 10.

How to configure the SSL/TLS Certificate for Netsparker Enterprise Application Server
  1. Log in to the Netsparker Enterprise Application Server with an admin account.
  2. From the main menu, select Settings > General.
  3. In the Server Root URL field,replace the protocol with ‘https’.
  4. If you have completed the SSL/TLS configuration before installing any of the Netsparker Enterprise Agents, then complete the following steps because your configuration should already be correct.

If you need to go back and update your Agents, however, do the following:

  • Open Netsparker Enterprise Agent’s config file (default location is C:\Program Files (x86)\Netsparker Enterprise Agent\appsettings.json) and change the apiRootUrl to the new HTTPS link:
  "AgentInfo": {
    "AgentName": "Agent-1",
    "AgentType": "Standard",
    "ApiRootUrl": "http://localhost:80",
    "ApiToken": ""
  • Restart the server on which the agent is installed. In order to accomplish a successful connection between the Agent and the Netsparker Enterprise Application Server, the HTTPS connection should contain no SSL/TLS errors. If you see any certificate errors, as illustrated below, the agent will not be able to connect to the application server due to this SSL/TLS validation error:

You can install an internal trusted certificate on the Netsparker Enterprise Application Server and Netsparker Enterprise Agents. When both servers and visitors have this certificate, everything will work as expected. Please refer to your operating system manuals for more information about how to add a CA certificate as a trusted root authority.

Encrypting connections to the SQL Server

Enabling SSL/TLS encryption increases the security of data transmitted between the SQL Server and Netsparker Enterprise Application Server. This is only necessary if the SQL Server is installed on a different server in a different network.

How to encrypt connections to SQL Server
  1. First, configure an SSL/TLS certificate for your SQL Server instance (see How to enable SSL encryption for an instance of SQL Server by using Microsoft Management Console).
  2. Next, from the main menu, select Settings > Database.
  3. On the Database Settings page, enable the Encrypt Connection checkbox.

Enabling two-factor authentication / Universal 2nd factor authentication (U2F)

You can also enable two-factor authentication. Two-factor Authentication setup doesn’t require an online connection or transmit any kind of data to outside networks.

For further information, see Enabling Two-Factor Authentication.

Setting firewall

Netsparker Enterprise was designed to operate inside a trusted, firewalled internal network. Netsparker Enterprise must be protected by an external firewall. The Windows firewall should be sufficient to protect Netsparker Enterprise.

  • Netsparker automatically encrypts communication between nodes using TLS; however, it is recommended that firewalls are enabled on machines that host Netsparker Enterprise.
  • Please note that by default, the Netsparker Enterprise On-Premises installation process does not configure ports in the Windows firewall; you should do this manually if external access is required.

Restricting access to the server

Netsparker Enterprise's configuration files and log files may contain sensitive information. Therefore, it is highly recommended to restrict physical access to the machine that is running Netsparker Enterprise.

Also, ensure that only authorized and trusted users have access to the Netsparker files in the C:\Program Files (x86)\Netsparker Enterprise Web Application\App_Data.


Highly accurate, fast & easy-to-use Web Application Security Scanner

Get a demo