Views:

Applies to Product - Power Pages


What’s happening?
Customers are experiencing issues related to security best practices for Microsoft Power Pages, including concerns about outdated libraries, display of software version information, and cacheable HTTPS responses. Additionally, customers are inquiring about the ability to download complete Power Page code for synchronization testing in Visual Studio Code.


Reason:
This raised are related to security vulnerabilities identified during penetration testing conducted by external security firms. These vulnerabilities include low-risk issues that require guidance on how to address them effectively.


Resolution:
Security Best Practices:

  1. Yes, there is a Microsoft blog available for security best practices of Microsoft Power Pages. Customers can find more information on Power Pages security at the following links:
Downloading Power Page Code:
  1. It is possible to download the complete Power Page code and open it in Visual Studio Code for synchronization testing. Here are the general steps:
    1. Install Visual Studio Code: Ensure you have Visual Studio Code installed on your machine.
    2. Install Power Platform Tools: Go to the Extensions tab in Visual Studio Code, search for "Power Platform Tools," and install the extension.
    3. Authenticate Your Environment: Use the Power Platform CLI to authenticate against your Microsoft Dataverse environment.
    4. Download Website Content: Use the CLI command to download the website content to your local machine.
  2. For more details, refer to the documentation Use the Visual Studio Code extension | Microsoft Learn
Addressing Security Issues:
  1. Customers should be aware that penetration tests can have legal repercussions from Microsoft. It is recommended to contact the Microsoft Security Response Center (MSRC) team for any security vulnerability reports.
  2. If customers can provide step-by-step replication steps for any identified vulnerabilities, they should create a security case with the specialized team for further evaluation.