AppDrag Security
-
Where can I find information on the security of websites built with AppDrag (page builder and API functions) when you only use the standard built-in functionality? What are the dos and don'ts? What if you start using JavaScript/jQuery embedded code? What tools do you recommend for testing/verifying the security? What else have I forgotten that is important to security? Thanks in advance!
-
Hi Dick,
(Disclaimer: I'm not an AppDrag representative, just a user and fan, and my opinions are my own.)
The AppDrag Whitepaper has some good information about their own security.
But part of AppDrag's power in allowing you to design and build your own 'back-end' to a site is giving you the flexibility to decide how much (or how little) security you need.
In this sense, it's almost as if you are renting a storefront in a mall. The mall (AppDrag) mops the floors, maintains the public restrooms, manages the parking lot, etc.
But you have to decide what kind of door and what kind of locks you put on or in your store.
AppDrag prevents 'unauthorized' access in the default state. Meaning, nobody can change your website or access your data directly.
However, as soon as you start using their tools to build other ways of accessing the data, the responsibility for security falls under your scope.
For example, if you build an API function to access confidential or private data, you should also build in tests or checks to ensure that the API caller is authorized to access that information.
This is obviously part of a much larger conversation about application security in general, but I wanted to get the ball started by defining and distinguishing the 'scopes' of your responsibility vs. AppDrag's.
-
Hi Daniel, thanks again for taking the time to help me out and for the white paper. Since I like your analogy of the mall and the shop, I'm going to use it in my further questions. As I'm new to this mall and also appreciate the importance of security, I would like to ask the mall's CSO (Chief Security Officer) to give me some tips on what to do and what not to do, in order to avoid common mistakes. Since a chain is only as strong as its weakest link, it's crucial that all the shops in the mall stay safe too and are aware of what to do to protect themselves as much as possible. And last but not least, trusting the security measures of the mall and its shops is good, but checking them is better. So I'd like to ask the mall's CSO if and how they check the security of their mall and the individual shops in it.
-
An example when inspecting the default error page ...
-
Hey Dick,
It seems the default 404 page is linking to an AppDrag logo with HTTP instead of HTTPS. Thanks for letting us know, we will fix that soon.
No one reported it until today because users tend to change the 404 page and put their own logo there instead (which will be hosted over HTTPS). For now I just recommend that you change the logo and put your own logo on the 404 page; this will avoid the cross-protocol warning.
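A check for the mixed-content issue described above, written as an added example (it is not AppDrag's code or the poster's): it scans an HTML page that is served over HTTPS for sub-resources loaded over plain HTTP. The sample 404 page and the domains in it are constructed for illustration.

```javascript
// Tags whose src/href fetch a sub-resource; an <a href> only navigates and is not mixed content.
const SUBRESOURCE_TAGS = new Set([
  "img", "script", "link", "iframe", "video", "audio", "source", "object", "embed",
]);

// Return every sub-resource reference that uses http:// on a page meant to be served over HTTPS.
function findMixedContent(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9-]*)\b([^>]*)>/g;          // opening tags: name + attributes
  const attrRe = /\b(src|href|srcset|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const name = tag[1].toLowerCase();
    if (!SUBRESOURCE_TAGS.has(name)) continue;
    let attr;
    attrRe.lastIndex = 0;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      const value = (attr[2] ?? attr[3] ?? attr[4] ?? "").trim();
      // srcset can list several candidates ("url 1x, url 2x"); check each URL.
      for (const candidate of value.split(",")) {
        const url = candidate.trim().split(/\s+/)[0];
        // Relative ("/logo.png") and protocol-relative ("//cdn/...") URLs inherit HTTPS and are fine.
        if (/^http:\/\//i.test(url)) {
          findings.push({ tag: name, attribute: attr[1].toLowerCase(), url });
        }
      }
    }
  }
  return findings;
}

// Constructed sample resembling the reported 404 page: one logo is still pulled over HTTP.
const SAMPLE_404_PAGE = `<!doctype html>
<html><head>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<script src="//cdn.example.com/app.js"></script>
</head><body>
<img src="http://static.example.com/logo.png" alt="platform logo">
<a href="http://example.com/">Back home</a>
<img src="/images/own-logo.png" alt="own logo">
</body></html>`;

for (const f of findMixedContent(SAMPLE_404_PAGE)) {
  console.log(`mixed content: <${f.tag} ${f.attribute}="${f.url}">`);
}
```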