Securing Your Joget App - Best Practices for Designing with Security in Mind

When building applications using Joget, it's essential to design with security at the forefront. Ensuring that your app is secure from unauthorized access and potential attacks is vital to protect sensitive data and maintain system integrity. This article outlines best practices to secure your Joget app, focusing on securing the front end (user interface), form data, and server-side security.

1. Prevent Unauthorized Access to Protected Menus (Front-End Security)

Use UI Builder Permissions

One of the most common security issues is unauthorized access to menus. To prevent unauthorized users from accessing protected or important menus, you must properly configure the permissions in the UI Builder

• Limit Menu Access: You can configure permissions for individual UI  menus and/or a set of menus under a UI Category in the UI Builder. Set up permissions so that only authorized users can view or access specific UI menus or UI categories.

References:

• Permission Control

Limit Access to Sensitive Forms Using Permissions

Forms are often critical components of your Joget app. It is important to ensure that unauthorized users cannot manipulate form data or access restricted forms. This can be done by securing the form permissions in the Form Builder.

• Restrict CRUD Operations: Ensure that users have the correct permissions to perform CRUD (Create, Read, Update, Delete) operations on forms. Using Joget’s built-in permission system, restrict which users can edit or view specific forms.
• Protect Form URLs: Users should not be able to manipulate the URLs to access or alter data on forms. For example, URLs such as crudMenu?id=changedValue should be secured to prevent unauthorized access by manipulating the id parameter. This can be achieved by configuring the permissions at the Form Builder to ensure that only authorized users can access or alter said forms.

References:-

• Form Permission Control

Examples:-

• Limiting the access to a form record to the original creator of a form record based on the column "createdBy"
  • In the form used to access existing form record (e.g. Form mapped by CRUD > Edit), edit the form.
  • In the form builder, navigate to Settings > Permission > BeanShell. Place the following code.
    BeanShell Permisson

    return "#form.TABLE_NAME.createdBy#".equals("#currentUser.username#");

2. Prevent Manipulation from End-User Browser (Front-End Security)

Prevent SQL Injection

SQL injection is one of the most common and dangerous attacks in web applications. It occurs when an attacker manipulates an application’s SQL queries, often through input fields, to access or modify the database.

• Use Prepared Statements: To prevent SQL injection, use prepared statements. A prepared statement is a prepared statement is a precompiled SQL Query that can help prevent SQL injection attacks by ensuring that user input is treated as data, not executable code

• Use the SQL escape parameter in Hash Variables: If the query is a hash variable, use the ?sql escape parameter, which ensures the query is handled safely, and the data is processed properly by the server.

  • For example, in List Builder > Data Store > Database SQL Query

    SQL

    SELECT * FROM dir_user WHERE username = '#requestParam.user?sql#'

    
    

3. Securing Form Data at the Database Level (Server-Side Security)

Encrypt Sensitive Data at the Database Level

At the server level, ensure that sensitive data is encrypted before being stored in the database.

• Turn on Data Encryption: To secure sensitive information such as passwords, credit card numbers, and other personal data, enable encryption at the database or storage level. This ensures that even if the database is compromised, the data remains unreadable without the proper decryption key.

References:

• Protect Sensitive Data

4. Additional Security Measures

Use HTTPS for Data in Transit

Configure your app and server to use HTTPS, ensuring that data transmitted between the client’s browser and your server is encrypted and secure.

References:

• Installation Guide

Regularly Update and Patch Your Joget Installation

Keeping your Joget platform up to date is critical for maintaining a secure environment. Joget regularly releases updates to address security vulnerabilities and provide performance improvements. Ensure that you stay up to date with the latest releases and security patches.

References:

• Upgrade Guide For DX 8

Backup Your Data Regularly

Regular data backups are essential for disaster recovery. In the event of a security breach, having a recent backup ensures that you can restore your app’s data to a secure state.

References:

• Backup, Restore and Disaster Recovery

Monitor Logs and Audit Trails

Implement logging and monitoring mechanisms to track access to sensitive areas of your app. Audit trails allow you to track changes made to forms, processes, and user data, helping to detect any unusual or unauthorized activity.

• Form Store Binder Audit Trail Plugin
• Form Data Audit Trail
• Audit Trail

Conclusion

Designing and building a secure app using the Joget involves understanding and addressing security concerns both at the front end and at the back end. By implementing proper permissions for UI elements, protecting forms, preventing SQL injection, and securing data with encryption, you can safeguard your app and its data. Regular updates and proactive monitoring will help keep your app secure against evolving threats, ensuring a robust, safe, and trustworthy experience for all users.