Security of web apps

I haven’t used Xojo web yet, and besides creating a few static web pages I am a complete beginner.

I am contemplating creating a web app that will be used to access data in a database both locally and via the Internet , and I do wonder about security.

What should one be aware of, and how do you keep your (users) data safe.

Btw the data in question will be self-hosted (think research groups at University) so Xojo cloud is out.

Any advise is much appreciated.


Hi Markus,

I’ve had a web App with a database attached to it running for several years now and have had no problems. There are several things you can do for security purposes and I’m sure there many more I don’t know about.

How do you envisage this happening ? Could you explain further.

Again, what do you mean here, safe from what ?


I envision a web app as the public interface to a server app that accesses the database (while on the internal network one can access the server app directly).


I am aware of SQL injection and malicious users (eg just been fired and wants to delete everything).

I know the database needs to be encrypted, and I’ll use a salt for saving user data.

Passwords are not saved, just a hash of the access password (how incompetent of Facebook, I have trouble believing that they would simply save their users passwords, especially as similar hacks have happened for many years, for example the Dropbox hack in 2012).

It’s research, so for one thing industrial espionage is a concern.

And then I just learned about CSRF - so don’t assume I know anything.

So my question is; what else does one need to consider?

Hi Markus,

I’m confident you’ll find a way to address the security things you’ve mentioned above once you get into the project, I’m not sure what else you’ll need to consider sorry.

Where is the database going to be located ?

I wouldn’t make the site available to the Internet, but require that all access is via a VPN. The IT dept at the organization will undoubtedly deactivate any dismissed/terminated access thus automatically removing access. The VPN will also be encrypted, but you should also ensure only https access is available.

A side effect of this is that you are offloading the security to the IT department :slight_smile:

If you will be providing an API then you should look to using oAuth to secure the request with a key, signature, nonce & timestamp.