Joget DX 8 Stable Released
The stable release for Joget DX 8 is now available, with a focus on UX and Governance.
Steps |
---|
|
What is SSL?
SSL ( Secure Sockets Layer ) is the standard security technology for establishing an encrypted link between a web server and a browser.
Without SSL
Without the use of SSL between the end client and the server, any data sent between these 2 parties will be susceptible to data sniffing by hackers as the data packets travel from end to end.
Domain Whitelist for API Calls
Advantage
By enabling this option, only servers white listed are able to communicate with the server.
Enabling Multi-Factor Authentication using TOTP is also an added strength to it.
Advantage
By enabling this option, this will increase security of the user's login information.
Without SSL
Without the use of SSL between the end client and the server, login information will be sent in non-encrypted, clear text to the end server.
UI
UI Category
Form
Form Section
Showing the App in App Center only after user is logged on
The most common practice is to list down apps in the App Center only if the user is logged in. To do so, head to the UI Settings of your app, and locate Permission Type and set it to Logged In User.
As a best practice, the UI should be secure by default. You can set the UI permission as a whole to "Logged In User" before further hardening at each and every UI category, including the hidden ones. An unprotected UI allows anonymous users and even robots (i.e googlebots to cache the page) access the UI when the app is set to published.
"Hide From Menu" under UI Category does not mean it is not accessible. It is simply not visible to users.
Read more at Permission Control.
Making changes to the key and salt will render all passwords unusable in an existing server therefore it is only recommended to do during initial server installation.
Import/Export App
In an exported app, any password saved in the application design will be encrypted as well. Hence, when the app is imported into another server, be sure to reconfigure all saved password as servers with different key and salt would render the passwords unusable.
Locate the file customApplicationContext.xml in \apache-tomcat-8.5.14\webapps\jw\WEB-INF\classes and add in line 6-9 as shown below.
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd"> <bean id="dataEncryption" class="org.joget.apps.workflow.security.SecureDataEncryptionImpl"> <property name="salt" value="NEW-VALUE-GOES-HERE"/> <property name="key" value="NEW-VALUE-GOES-HERE"/> </bean> </beans>
Replace line 7 and 8 salt and key value to your own one.