Versions Compared

Old Version 2

changes.mady.by.user Aadrian Zarin

Saved on

compared with

New Version Current

changes.mady.by.user Hugo

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

When building applications using Joget, it's essential to design with security at the forefront. Ensuring that your app is secure from unauthorized access and potential attacks is vital to protect sensitive data and maintain system integrity. This article outlines best practices to secure your Joget app, focusing on securing the front end (user interface), form data, and server-side security.

1. Prevent Unauthorized Access to Protected Menus (Front-End Security)

Use UI Builder Permissions

One of the most common security issues is unauthorized access to menus. To prevent unauthorized users from accessing protected or important menus, you must properly configure the permissions in the UI Builder

  • Limit Menu Access: You can configure permissions for individual UI  menus and/or a set of menus under a UI Category in the UI Builder. Set up permissions so that only authorized users can view or access specific UI menus or UI categories.

References:

Limit Access to Sensitive Forms Using Permissions

Forms are often critical components of your Joget app. It is important to ensure that unauthorized users cannot manipulate form data or access restricted forms. This can be done by securing the form permissions in the Form Builder.

  • Restrict CRUD Operations: Ensure that users have the correct permissions to perform CRUD (Create, Read, Update, Delete) operations on forms. Using Joget’s built-in permission system, restrict which users can edit or view specific forms.
  • Protect Form URLs: Users should not be able to manipulate the URLs to access or alter data on forms. For example, URLs such as crudMenu?id=changedValue should be secured to prevent unauthorized access by manipulating the id parameter. This can be achieved by configuring the permissions at the Form Builder to ensure that only authorized users can access or alter said forms.

References:-

Examples:-

  • Limiting the access to a form record to the original creator of a form record based on the column "createdBy"
    • In the form used to access existing form record (e.g. Form mapped by CRUD > Edit), edit the form.
    • In the form builder, navigate to Settings > Permission > BeanShell. Place the following code.
      Code Block
      languagejava
      titleBeanShell Permisson
      linenumberstrue
      return "#form.TABLE_NAME.createdBy#".equals("#currentUser.username#");

2. Prevent Manipulation from End-User Browser (Front-End Security)

Prevent SQL Injection

SQL injection is one of the most common and dangerous attacks in web applications. It occurs when an attacker manipulates an application’s SQL queries, often through input fields, to access or modify the database.

  • Use Prepared Statements: To prevent SQL injection, use prepared statements. A prepared statement is a prepared statement is a precompiled SQL Query that can help prevent SQL injection attacks by ensuring that user input is treated as data, not executable code

  • Use the SQL escape parameter in Hash Variables: If the query is a hash variable, use the ?sql escape parameter, which ensures the query is handled safely, and the data is processed properly by the server.

    • For example, in List Builder > Data Store > Database SQL Query

      Code Block
      languagesql
      titleSQL
      linenumberstrue
      SELECT * FROM dir_user WHERE username = '#requestParam.user?sql#'


3. Securing Form Data at the Database Level (Server-Side Security)

Encrypt Sensitive Data at the Database Level

At the server level, ensure that sensitive data is encrypted before being stored in the database.

  • Turn on Data Encryption: To secure sensitive information such as passwords, credit card numbers, and other personal data, enable encryption at the database or storage level. This ensures that even if the database is compromised, the data remains unreadable without the proper decryption key.

References:

4. Additional Security Measures

Use HTTPS for Data in Transit

In addition to encrypting data at rest, you should also ensure that data is encrypted while in transit. 

...

Configure your app and server to use HTTPS, ensuring that data transmitted between the client’s browser and your server is encrypted and secure.

...

References:

...

Regularly Update and Patch Your Joget Installation

Keeping your Joget platform up to date is critical for maintaining a secure environment. Joget regularly releases updates to address security vulnerabilities and provide performance improvements. Ensure that you stay up to date with the latest releases and security patches.

References:

Backup Your Data Regularly

Regular data backups are essential for disaster recovery. In the event of a security breach, having a recent backup ensures that you can restore your app’s data to a secure state.

References:

Monitor Logs and Audit Trails

Implement logging and monitoring mechanisms to track access to sensitive areas of your app. Audit trails allow you to track changes made to forms, workflowsprocesses, and user data, helping to detect any unusual or unauthorized activity.

...

Conclusion

Designing and building a secure app using the Joget involves understanding and addressing security concerns both at the front end and at the back end. By implementing proper permissions for UI elements, protecting forms, preventing SQL injection, and securing data with encryption, you can safeguard your app and its data. Regular updates and proactive monitoring will help keep your app secure against evolving threats, ensuring a robust, safe, and trustworthy experience for all users.