Security Concerns with PHP SPA built with Wappler

The route URL looks like: domain.com/myRoute
If this page is opened directly without logging in, the Server Connect inside the page has been configured to redirect to the login page on the error event.

However, the underlying PHP page can still be opened in the browser: domain.com/my_route_page.php
All we can see on this page is just the variables, etc. No data is populated of course, but this is still deemed a security risk: the page structure is exposed to users who are not logged in.

Is there a workaround so that the *.php route pages are not allowed to be opened directly and just throw a 404?

Please help.

If you want to restrict a complete PHP page with the security provider, add the security enforcer to it; that is its purpose. That is at least the way in PHP.

In Node you do that with the routing indeed.
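As an added illustration of the enforcer approach in plain PHP (this is example code, not code from the thread or from Wappler's security provider): a small guard file that a content page includes as its very first statement. Instead of redirecting, it answers an unauthenticated direct request exactly like a missing file, so the page's structure is not served to anyone who is not logged in. It assumes that a successful login stores the user id in `$_SESSION['user_id']` (an assumed key) and that the include runs before any HTML is emitted, so the response code and headers can still be set.

```php
<?php
declare(strict_types=1);

// auth_guard.php - added example, not Wappler's own code.
// Assumptions (not from the original thread):
//   - a successful login stores the user id in $_SESSION['user_id'];
//   - this file is included as the first statement of each content page,
//     before any markup is output, so headers can still be sent.

function is_authenticated(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return isset($_SESSION['user_id']) && $_SESSION['user_id'] !== '';
}

function respond_not_found(): void
{
    // Answer like a missing file: the page structure is not exposed and
    // the existence of the route is not confirmed to unauthenticated users.
    http_response_code(404);
    header('Content-Type: text/html; charset=utf-8');
    header('Cache-Control: no-store');

    // Record denied direct accesses so they can be reviewed in the server log.
    error_log(sprintf(
        'auth_guard: denied direct access to %s from %s',
        $_SERVER['REQUEST_URI'] ?? '?',
        $_SERVER['REMOTE_ADDR'] ?? '?'
    ));

    exit('<!DOCTYPE html><title>404 Not Found</title><h1>Not Found</h1>');
}

// Call this once at the top of a content page; it only returns for
// authenticated sessions, otherwise the request ends with a 404.
function enforce_login(): void
{
    if (!is_authenticated()) {
        respond_not_found();
    }
}
```

In a content page such as my_route_page.php the first line would then be a PHP block containing `require __DIR__ . '/auth_guard.php'; enforce_login();`, placed before the first byte of HTML. The check runs on every request for the file, whether it is fetched through the SPA route or by typing the .php URL directly, which is the property the question asks for.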

3 posts were split to a new topic: Security Enforcer option missing on SPA Content Pages

A post was merged into an existing topic: Security Enforcer option missing on SPA Content Pages

The problem with this method (applying the security provider enforcer on the parent PHP page) is that on doing a security login + redirection from the server action side we always get a 302. Login is never successful.
On removing the security enforcer, login is successful.

How do you think we can handle this? Or is it something that Wappler must take care of?

To clarify:

Parent page: parent.php (domain.com/parent)
Route: some_page.php (domain.com/parent/somePage)

From a server action we’re doing a security login and redirecting to domain.com/parent/somePage (from the server side itself, using the ‘Redirection’ step). In the network tab we see a 302 when parent.php has a security enforcer enabled. We’re unable to log in at all.

But if we remove the security enforcer from parent.php, we’re able to log in using the same credentials, and this time the route redirects just fine with a 200 (as seen in the network tab in Chrome dev tools).

Humble nudge! Any luck with this request?

We are investigating on enabling the security enforcer on content pages.

3 Likes

Hi guys,
I’m very interested in this one for all the reasons you can imagine.
Do you have any indication of the time for when this will be made available?

Many thanks in advance,

Alex

The routing issue when we apply the security enforcer on the parent page is not resolved with Wappler v3.9.2.
Hope this will be fixed soon as well.

Hi @Patrick,

I hope you’re well. I was wondering if you’ve been able to make any progress with this issue and if there is anything we could do to help.
Many thanks!

Alex

I’ve already made the needed underlying changes within Wappler to allow the security provider code to be added on a content page. It still needs some changes in the security provider code itself, and the Wappler UI part has to be updated.

1 Like

Any luck with this request?

The security enforcer can now be placed on PHP content pages. If there are any issues with the implementation, then please open a bug report for that. I will close this topic.