Skip to main content
Ex Libris Knowledge Center

Aleph and PDS security best practices

  • Product: Aleph
  • Product Version: 22, 23, 24
  • Relevant for Installation Type: Multi-Tenant Direct, Dedicated-Direct, Local, TotalCare


We care about your security and would like to share some best practices to keep your sensitive data secure.


Install Aleph Service Pack and Third Party Tools

We highly recommend to always apply the latest Aleph Service Pack and Third Party Tools as well as the Operating System and Oracle Patches to close potential security gaps,.

See the latest Release Notes for Aleph Service Packs here

Release Notes - Ex Libris Knowledge Center (


Are you using the Aleph Web OPAC?
Introduce XSS-Validation

/exlibris/aleph/u23_1/alephe/tab/tab100 set XSS-VALIDATION to 'Y': 


See article

Security scans on Aleph 23 server complain about XSS Validation - Ex Libris Knowledge Center (

Avoid uncertified relocate

With the default Apache configuration it is possible to relocate to a different page using option /goto. 
How to avoid this situation see instructions in article  Web OPAC /goto uncertified relocate - Ex Libris Knowledge Center (

Are you Using the Patron Directory Service (PDS) in Aleph?

Check parameter PDS-AWARE in $alephe_tab/tab100


See also article

PDS: Page is vulnerable to OS command injection attacks - Ex Libris Knowledge Center (


Secure PDS

Follow the instructions of sections


  • X-Server Security Patch
  • Securing the PDS_HANDLE Cookie

documented in the Patron Directory Services Guide (


No longer using Aleph Web OPAC / PDS for Aleph
Deactivate PDS on Aleph server

set the relevant line in $alephe_tab/tab100 to PDS-AWARE=N

Turn off the Web OPAC

a. Block the Web OPAC (through firewall) or add a line to the file $alephe_tab/server_ip_allowed

W D *.*.*.*

Explanation from table header

! COL   1.   1; ALPHA{W,P,N}, UPPER; ;
!               Server type;
!               Server type:
!               W = WWW web server
!               X = X-Server (part of WWW web server services)
!               P = PC server
!               N = NCIP server;
! COL   2.   1; ALPHA{A,D}, UPPER; ;
!               Access permission;
!               Access permission:
!               A - Allowed
!               D - Denied;


Note: if you are using a discovery system, add the IP address to file $alephe_tab/server_ip_allowed as follows. In this case please ignore the next sections (b+c).

W A 123.123.456.456 


b. Stop the WWW Server

In case you are using the X-Server for communication with your discovery system (e.g. Primo) the WWW server should not be stopped.

  • Connect to your Aleph server (using ssh)

  • dlib xxx01
  • Util W / 2. Stop Servers / 2.  WWW Server to stop the WWW Server


c. Deactivate the automatic startup of the WWW Server

Remove the following section from $alephe_root/aleph_startup configuration


       if  (! $?WWW_START_HOST) then
            echo "starting www_server...."
            csh -f $aleph_proc/www_server $l_www_server_port $l_httpd_port $l_n_of_servers >& /dev/null &
            echo " "
            foreach thishost ($WWW_START_HOST)
                if  ($thishost == $THIS_HOST) then
                    echo "starting www_server...."
                    csh -f $aleph_proc/www_server $l_www_server_port $l_httpd_port $l_n_of_servers >& /dev/null &
                    echo " "


If you are using Primo and the Aleph Web OPAC

consider turning off the Aleph Web OPAC and PDS as above

If SSO for Aleph and Primo is required: introduce the above measures listed under Secure PDS


If you are using Primo with PDS 

Consider turning off PDS and moving to Primo User Authentication (Aleph 22 and up)


Primo User Authentication - Ex Libris Knowledge Center (

Primo Authentication Manager – With this method, Primo interacts directly with the institution’s authentication server and supports authentication using SAML, CAS, LDAP, Aleph, Alma, and social login via Alma. Customers who want to switch from PDS to this method should contact to Ex Libris Support. For more information, see The Primo Authentication Manager.


  • Article last edited: 07-March-2024
  • Was this article helpful?