Security of web apps

  1. 8 weeks ago

    Markus W

    Mar 28 Pre-Release Testers, Xojo Pro #JeSuisHuman Germany, Heidelb...

    I haven’t used Xojo web yet, and besides creating a few static web pages I am a complete beginner.

    I am contemplating creating a web app that will be used to access data in a database both locally and via the Internet, and I do wonder about security.

    What should one be aware of, and how do you keep your (users') data safe?

    Btw the data in question will be self-hosted (think research groups at University) so Xojo cloud is out.

    Any advice is much appreciated.

    Markus

  2. Barney

    Mar 28 New Zealand

    Hi Markus,

    I've had a web App with a database attached to it running for several years now and have had no problems. There are several things you can do for security purposes and I'm sure there are many more I don't know about.

    access data in a database both locally and via the Internet

    How do you envisage this happening? Could you explain further.

    how do you keep your (users) data safe

    Again, what do you mean here, safe from what?

    Barney

  3. Markus W

    Mar 28 Pre-Release Testers, Xojo Pro #JeSuisHuman Germany, Heidelb...
    Edited 8 weeks ago

    @BarneyHyde How do you envisage this happening? Could you explain further.

    I envision a web app as the public interface to a server app that accesses the database (while on the internal network one can access the server app directly).

    Again, what do you mean here, safe from what?

    Everything.

    I am aware of SQL injection and malicious users (eg just been fired and wants to delete everything).

    I know the database needs to be encrypted, and I’ll use a salt for saving user data.

    Passwords are not saved, just a hash of the access password (how incompetent of Facebook, I have trouble believing that they would simply save their users passwords, especially as similar hacks have happened for many years, for example the Dropbox hack in 2012).

    It’s research, so for one thing industrial espionage is a concern.

    And then I just learned about CSRF - so don’t assume I know anything.

    So my question is: what else does one need to consider?
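An added example, not code from this thread or from Xojo, showing two of the points raised in the post above in Python: a string-built query beside a parameterised one (the same bound-parameter approach is what prepared statements give you in any database API), and a login check that stores only a per-user salted PBKDF2-HMAC-SHA256 hash and compares it in constant time. The table layout, the two sample users, the payload and the iteration count are all assumptions made for the example.

```python
# Added example (not from the thread): injectable vs parameterised lookup, plus
# salted PBKDF2 password storage and a constant-time login check.
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Assumption: iteration count chosen to make brute force expensive; tune for your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users with
    the same password get different hashes and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    # compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(digest, expected)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample database; the plaintext passwords never hit the table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for name, pw in (("alice", "correct horse"), ("bob", "hunter2")):
        salt, digest = hash_password(pw)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))
    conn.commit()
    return conn


def user_exists_vulnerable(conn: sqlite3.Connection, username: str) -> bool:
    """User input is spliced into the SQL text, so quotes in it change the query."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone() is not None


def user_exists_safe(conn: sqlite3.Connection, username: str) -> bool:
    """Bound parameter: the driver sends the value separately, never as SQL."""
    row = conn.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        # Spend the same time as a real check so a timing difference
        # does not reveal which usernames exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    return verify_password(password, row[0], row[1])


if __name__ == "__main__":
    db = make_db()
    payload = "nobody' OR '1'='1"      # constructed injection payload
    print("vulnerable:", user_exists_vulnerable(db, payload))   # True: the OR clause matched
    print("safe:      ", user_exists_safe(db, payload))         # False: looked up literally
    print("login:     ", login(db, "alice", "correct horse"))   # True
```

The injected string makes the string-built query match every row, while the parameterised version looks for a user literally named `nobody' OR '1'='1` and finds nothing. Note that the hash and salt are not an encryption of the password; nothing in the table lets you get the password back, which is exactly the point.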

  4. Barney

    Mar 28 New Zealand

    Hi Markus,

    I'm confident you'll find a way to address the security things you've mentioned above once you get into the project. I'm not sure what else you'll need to consider, sorry.

    I envision a web app as the public interface to a server app that accesses the database.

    Where is the database going to be located?

  5. Wayne G

    Mar 28 Pre-Release Testers, Xojo Pro New Zealand axisdirect.nz

    I wouldn't make the site available to the Internet, but require that all access is via a VPN. The IT dept at the organization will undoubtedly deactivate any dismissed/terminated access thus automatically removing access. The VPN will also be encrypted, but you should also ensure only https access is available.

    A side effect of this is that you are offloading the security to the IT department :)

    If you will be providing an API then you should look to using OAuth to secure the request with a key, signature, nonce & timestamp.
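An added example, not code from this thread or from Xojo, of the request-signing scheme the post above describes: the client sends its key, a timestamp, a random nonce and an HMAC-SHA256 signature over the method, path and parameters; the server rejects unknown keys, stale timestamps, bad signatures and any nonce it has already accepted, so a captured request cannot be replayed. It uses the same four fields as OAuth 1.0a but is a simplified scheme, not an OAuth implementation: the canonical string, the shared secret, the client name and the 300-second clock window are all assumptions made for the example.

```python
# Added example (not from the thread): HMAC-signed API request with key,
# nonce and timestamp, and a server-side verifier with replay protection.
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode

# Constructed per-client secrets; a real deployment issues and rotates these.
API_KEYS: Dict[str, bytes] = {"research-group-7": b"constructed-secret-do-not-reuse"}
MAX_SKEW_SECONDS = 300  # assumption: how far apart client and server clocks may be


def canonical_string(method: str, path: str, params: Dict[str, str]) -> str:
    """Deterministic text both sides sign: method, path, sorted URL-encoded params."""
    return "\n".join([method.upper(), path, urlencode(sorted(params.items()))])


def sign_request(api_key: str, secret: bytes, method: str, path: str,
                 params: Dict[str, str], now: Optional[float] = None,
                 nonce: Optional[str] = None) -> Dict[str, str]:
    """Client side: add key, timestamp and nonce, then sign everything."""
    signed = dict(params)
    signed["api_key"] = api_key
    signed["timestamp"] = str(int(now if now is not None else time.time()))
    signed["nonce"] = nonce or secrets.token_hex(16)
    mac = hmac.new(secret, canonical_string(method, path, signed).encode("utf-8"), hashlib.sha256)
    signed["signature"] = mac.hexdigest()
    return signed


class Verifier:
    """Server side. Keeps the nonces seen inside the clock window."""

    def __init__(self, keys: Dict[str, bytes], clock: Callable[[], float] = time.time):
        self.keys = keys
        self.clock = clock
        self.seen: Dict[str, int] = {}  # nonce -> timestamp it was accepted with

    def verify(self, method: str, path: str, params: Dict[str, str]) -> Tuple[bool, str]:
        params = dict(params)
        sig = params.pop("signature", None)
        key, ts, nonce = params.get("api_key"), params.get("timestamp"), params.get("nonce")
        if sig is None or ts is None or nonce is None or key not in self.keys:
            return False, "missing field or unknown key"
        try:
            ts_int = int(ts)
        except ValueError:
            return False, "bad timestamp"
        now = self.clock()
        if abs(now - ts_int) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        # Nonces older than the window can never validate again, so drop them
        # to keep the cache bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW_SECONDS}
        expected = hmac.new(self.keys[key], canonical_string(method, path, params).encode("utf-8"),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        if nonce in self.seen:
            return False, "replayed nonce"
        self.seen[nonce] = ts_int
        return True, "ok"


if __name__ == "__main__":
    secret = API_KEYS["research-group-7"]
    server = Verifier(API_KEYS)
    req = sign_request("research-group-7", secret, "GET", "/samples", {"project": "p1"})
    print(server.verify("GET", "/samples", req))   # (True, 'ok')
    print(server.verify("GET", "/samples", req))   # (False, 'replayed nonce')
```

The signature is checked before the nonce is recorded, so an attacker cannot fill the nonce cache with unsigned junk; the timestamp window bounds how long nonces must be remembered. Send all of this over HTTPS anyway: signing proves who sent the request and that it was not altered, but it does not hide the parameters.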
