I have noticed some WCEM shops live on the internet with security problems and with settings that have a negative impact on the performance of these shops. Missing SEO settings for title and meta description are also often seen. Most of these problems can be avoided and/or changed easily. The following basic checks should be done before going live:
1. Check: Can the Web Channel Builder (WCB) be reached from the internet?
This should not be the case. Even though WCB requires a logon, it is not a good idea to expose it to the world and give hackers the chance for brute-force attacks.
Solution: Adjust the reverse proxy/network settings so that WCB cannot be reached from outside. The same should be the case for the Java AS itself.
2. Check: Are stack traces exposed in the browser window?
Exposing stack traces in the browser window is a good feature for developers during development. In a productive system they can give hackers hints on how to attack the site. Stack traces can contain program names, paths on the server, and internal server names. WCEM offers the ProjectStage setting to switch between the Development and Production stages. When this is set to Production, no stack traces are displayed.
Solution: Switch the ProjectStage to Production. See below for details on how to switch it.
3. Check: Is ProjectStage set to Production?
If not, the shop does not run in a performance-optimized manner. There are additional logs, files are not cached and are read again and again from the disk, additional checks are performed at runtime…
You can check the current setting by adding the URL parameter “&wec-debug=true” to a WCEM URL in the shop. If this has no effect, ProjectStage is set to Production and all is OK. If all views are framed with red dotted borders and view names are displayed there, the setting is wrong and should be changed.
Solution: Switch the ProjectStage to Production. Chapter 5.3.2 in the generic part of the development and extension guide describes the ways to change it (context parameter in the web descriptor or JNDI setting over telnet).
4. Check: Title and meta description
For search engines, it is important that pages have a meaningful title and meta description. The default texts that WCEM delivers have to be changed; otherwise, for example, the Google search result shows all pages as “SAP Web Channel Experience Management” instead of a shop-specific text.
- Check in NetWeaver Administrator that the trace level is set to “warning” or “error”, not to “debug” (Performance).
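The stack-trace and title/meta-description checks can be run automatically over saved response bodies of your own shop. The following is an added example, not part of the original post or of WCEM: `check_page`, the finding names and the sample HTML are constructed for illustration, and the stack-frame pattern assumes the usual Java `at package.Class.method(File.java:line)` form.

```python
import re
from html.parser import HTMLParser

DEFAULT_TITLE = "SAP Web Channel Experience Management"  # default text quoted in the post
# Assumed generic Java stack frame, e.g. "at com.example.Foo.bar(Foo.java:42)"
STACK_FRAME = re.compile(r"\bat\s+[\w$.]+\((?:\w+\.java:\d+|Native Method|Unknown Source)\)")

class _HeadParser(HTMLParser):
    """Collects the <title> text and the meta description of one page."""
    def __init__(self):
        super().__init__()
        self.title, self.description, self._in_title = "", None, False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (a.get("name") or "").lower() == "description":
            self.description = (a.get("content") or "").strip()
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def check_page(html):
    """Return the list of go-live findings for one response body."""
    p = _HeadParser()
    p.feed(html)
    findings = []
    if STACK_FRAME.search(html):           # check 2: stack trace in the page
        findings.append("stack-trace")
    title = p.title.strip()
    if not title or title == DEFAULT_TITLE:  # check 4: default or empty title
        findings.append("default-title")
    if not p.description:                  # check 4: missing/empty description
        findings.append("missing-meta-description")
    return findings

# Constructed sample responses (not captured from a real shop)
BAD = """<html><head><title>SAP Web Channel Experience Management</title></head>
<body><pre>java.lang.NullPointerException
    at com.example.shop.CartBean.load(CartBean.java:87)</pre></body></html>"""
GOOD = """<html><head><title>Example Bikes - Mountain Bikes</title>
<meta name="description" content="Mountain bikes and accessories."></head><body>ok</body></html>"""

if __name__ == "__main__":
    for name, body in (("bad", BAD), ("good", GOOD)):
        print(name, check_page(body))
```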
Please let me know if there are further important checks. I will incorporate them into this post.