The User Credentials – Are they transmitted through plain text or in encrypted form?
From the user's browser to the server, the password is submitted as a plain-text form field in a POST request, but the connection itself is encrypted with HTTPS, which is standard practice. From the server to the database, the password is neither transmitted nor stored in plain text.
We strongly recommend integrating the EPC Application with the client's own User and Access Management. Once this is done, there is no need to create users in the EPC Application.
Category: Security / Sécurité
Will a System Administrator be able to override any DENY permissions set for them on the EPC Application?
Yes. A System Administrator overrides all permissions, including any DENY permissions set for that account.
Can an adversary fingerprint the web server from the HTTP responses?
The HTTP response does not contain the version details of the server, and the X-Powered-By header is removed. We have made further changes in this regard since v12.1. The EPC Application is now more secure than ever in this respect.
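The headers this answer refers to can be verified from a captured response. The Python below is an added example, not part of the EPC Application: it parses a raw HTTP response and flags a Server header that carries a version number or any X-Powered-By style header; both sample responses are constructed for illustration.

```python
import re
from http.client import parse_headers
from io import BytesIO

# Headers whose mere presence discloses the server-side technology stack.
DISCLOSING_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
# Matches a version token such as "2.4.57" or "8.1" inside a header value.
VERSION_RE = re.compile(r"\b\d+(\.\d+)+\b")

def parse_raw_response(raw: bytes):
    """Split a raw HTTP response into its status line and a header mapping."""
    status, _, rest = raw.partition(b"\r\n")
    headers = parse_headers(BytesIO(rest))  # reads up to the blank line
    return status.decode("ascii"), headers

def fingerprint_findings(headers) -> list:
    """Return one finding per header that reveals server identity or version."""
    findings = []
    for name, value in headers.items():
        lname = name.lower()
        if lname in DISCLOSING_HEADERS:
            findings.append(f"{name} present: {value}")
        elif lname == "server" and VERSION_RE.search(value):
            findings.append(f"{name} discloses a version: {value}")
    return findings

def audit(raw: bytes) -> list:
    """Convenience wrapper: parse a raw response and return its findings."""
    _, headers = parse_raw_response(raw)
    return fingerprint_findings(headers)

# Constructed sample: a response that leaks both product version and stack.
LEAKY = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Unix)\r\n"
         b"X-Powered-By: PHP/8.1.2\r\nContent-Type: text/html\r\n\r\n<html></html>")
# Constructed sample: the same response with the disclosures removed.
HARDENED = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
            b"Content-Type: text/html\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, audit(raw) or ["no fingerprinting headers found"])
```

Running it against a live response captured with a browser's developer tools (copy the raw headers) gives the same check the answer above describes.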