Handling of Confidential Data

Oxygen XML Web Author is a web application that only has an on-premise distribution.

Inbound Network Access

By default, Oxygen XML Web Author accepts connections from web browsers using HTTPS and HTTP. The HTTP support can be disabled once a valid certificate is configured.

Outbound Network Access

Oxygen XML Web Author needs to connect to the following servers:

The license server (for distributions that come with a license server embedded, this connection uses HTTPS by default).
The file server using one of the supported connectors (e.g. Git, WebDAV, Perforce). Depending on the file server and how the connector is configured, this communication is done over HTTPS, HTTP, or using a proprietary protocol (for Perforce).

Also, Oxygen XML Web Author supports being configured with an HTTP(s) proxy server, which helps to better control the traffic it generates.

Data Storage

The files edited in Oxygen XML Web Author are stored in the server memory while the user edits them.

Web Author has a mechanism to store some editing sessions as files on the server disk to reduce memory consumption. The risk of having these files on disk is mitigated by several measures:

These files are stored on the disk only encrypted with a key that is stored in the server memory. When the server is stopped, the key is discarded.
The files are deleted when the HTTP session of the user ends, or when a configurable timeout expires.
The mechanism can be disabled using a configuration option.

Web Author comes with a built-in WebDAV server that is used to store sample files to help users during their evaluation. This server should not be used in production.

The Git connector offers enhanced support for GitHub, GitLab, and BitBucket. For the rest of the Git servers, it offers generic support (this generic implementation creates clones of the Git repositories on the server's disk). You can disable this generic support in the administration page.