Security - Wappler Did it?

So, is security in Wappler already mostly done for us?

I came across this quote from @George:

Cross Site Scripting

You are in full control of your files and uploads. No scripts are included on the fly, so there is no chance of XSS

SQL Injection

Server Connect and Database Connector/Updater use strict parameters for all their input values, so no SQL injection is possible. You can also add additional validation rules to all the input parameters to make sure they are what you expect - next to being even more secure, it allows you to detect errors more easily.
How secure is Wappler?

And from @Teodor:

The login / secured areas code and protection is secure and you shouldn’t be worried about cross scripting, SQL injection and other attacks

So, is that still accurate?
And, does it mean that when I have any kind of text input at all, I don’t have to do any protection on my own against malicious SQLi or XSS?

If so - VERY COOL. I didn’t realize that. I don’t know how I missed it! :joy:

What types of security that Wappler doesn’t handle do we need to make sure we take care of ourselves?

1 Like

Yes :wink:

CSRF. I privately raised some concerns about it (Jul 9 2022), but I guess it’s a low-priority issue. At the time I’m developing a website and I’m not worried about it; it’s just something to keep in mind.

2 Likes

I have also been very curious about the security implications of using Wappler. Thanks for bringing this up.

Any insight the team could provide on this when they’re back and rested would be of great interest.

I’d love to understand more of the concepts behind the scenes related to security and permissions… this level of explanation to start would be very helpful.

I always set up and do tests as part of development, but without understanding how some parts work it is hard to effectively test.

Thank you in advance to anyone willing to share more!

1 Like

it never fails :wink:

2 Likes

lol I advise all my clients to make their passwords their children’s names. :stuck_out_tongue_winking_eye: :joy:

2 Likes

No matter what I have developed with over the years, I always consider the inbuilt security the web’s equivalent of a locked storm door or window.

One hopes these basic security tools are well tested, but in case they are not… when the data matters, we build our own “inner doors” via layers of security regardless of the system’s security provider. Even using a separate droplet for sensitive data - it’s so cheap and can make a big difference.