Richard,

Just a few thoughts:

This is a topic that is very near and dear to me. I don't have it completely handled yet, but I'm getting close. More and more organizations are running cyber scans and getting very, very picky about things.

RE:
> If I understand things correctly, the outside world only has access to static pages in the web folder and everything else goes through On Web Connection and it has to pass through On Web Authentication first.

The above is not quite true. If you have a "Web" folder that is published by 4D, and you have a file in that folder, foobar.html, someone from the outside can access it without going through On Web Connection:

http://myweb/foobar.html

Many people are recommending a "decoy" web folder, and then putting the real McCoy into another folder (outside of the web folder) that gets accessed programmatically. In our case, I'm loading the contents of the file, running PROCESS 4D TAGS, and then publishing using WEB SEND BLOB. This keeps someone's little mitts off of the actual file.

But this is not enough in many cases with cyber security depts these days. I'm in the process of building a faux "Web Application Firewall" in 4D that runs in the ON WEB AUTHENTICATION method.

Using a 3rd party like Cloudflare can handle some of these items, e.g. DDoS attacks and some of the firewall stuff. As well, you can put something like Apache or NGINX in front of your 4D app and configure the web firewall there. However, many cyber security depts want to know that your web app is secure without 3rd party stuff.

Currently I'm working on building a "White List" of any possible URLs to our web app. If it ain't in the White List, it doesn't get past ON WEB AUTHENTICATION. I just have to be careful to make sure that I add any new URLs to the White List.

These are just a few items that I'm trying; don't know how the next cyber scan will turn out. 😉 There are many other 4D folks who can chime in here as well.
Randy Engle

-----Original Message-----
From: 4D_Tech <4d_tech-boun...@lists.4d.com> On Behalf Of Richard Wright via 4D_Tech
Sent: Thursday, November 21, 2019 1:43 PM
To: 4d_tech@lists.4d.com
Cc: Richard Wright <rwri...@datadomainsoftware.com>
Subject: 4D Web Server Security

Anyone care to share their experience and insights as to the security of the 4D Web Server? There's lots of talk these days about DoS and putting in a DMZ, but what is really necessary in 4D land? If I understand things correctly, the outside world only has access to static pages in the web folder and everything else goes through On Web Connection and it has to pass through On Web Authentication first.

------------------------------------------------
Richard Wright
DataDomain
rwri...@datadomainsoftware.com
------------------------------------------------

**********************************************************************
4D Internet Users Group (4D iNUG)
Archive: http://lists.4d.com/archives.html
Options: https://lists.4d.com/mailman/options/4d_tech
Unsub: mailto:4d_tech-unsubscr...@lists.4d.com
**********************************************************************
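An illustrative model of the two checks Randy describes in his reply, written in Python rather than 4D and not code from this thread or from 4D itself: an exact-match allowlist applied to the request URL before anything else runs (the role he gives to ON WEB AUTHENTICATION), followed by the mapping of an accepted path to a file kept in a folder outside the published Web folder (the file he loads, runs PROCESS 4D TAGS on, and sends with WEB SEND BLOB). The allowlist entries, the private folder path, the function names and the sample requests are all constructed for the example. The point it adds is the caveat an allowlist built on raw string comparison misses: the URL has to be canonicalized first (query string dropped, percent-decoding repeated until stable, dot segments and duplicate slashes collapsed, NULs and backslashes rejected), otherwise harmless variants such as `/index.html?lang=en` or `/./index.html` are refused while encoded `..` segments are what an attacker will try against the file lookup behind it.

```python
"""Model of an allowlist-first web gate, written in Python for illustration.

This is NOT 4D code. It stands in for the logic that would live in a 4D
On Web Authentication database method (accept or reject the request) and in
the handler that reads a file from a folder outside the published Web folder.
All paths, allowlist entries and sample requests are constructed for this example.
"""
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Constructed allowlist: the only request paths this app is meant to answer.
# Anything else is rejected before application code runs.
ALLOWED_PATHS = frozenset({
    "/",
    "/index.html",
    "/login.html",
    "/api/orders",
})

# Constructed location of the real files, deliberately outside the Web folder
# that the server publishes directly (the "decoy" folder stays empty).
PRIVATE_ROOT = "/srv/app/private_web"

MAX_DECODE_ROUNDS = 3


def normalize_path(raw_url: str) -> Optional[str]:
    """Canonicalize the path of a request URL, or return None if it is not
    something a legitimate client would ever send.

    Comparing the raw URL string against an allowlist breaks on query strings,
    percent-encoding (including double encoding), dot segments, duplicate
    slashes, backslashes and embedded NULs; each case is handled here.
    """
    path = raw_url.split("?", 1)[0].split("#", 1)[0]  # drop query and fragment
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None  # still changing after several rounds: nested encoding, reject
    if not path.startswith("/") or "\\" in path or "\x00" in path:
        return None
    path = re.sub(r"/+", "/", path)  # "//login.html" -> "/login.html"
    if any(seg == ".." for seg in path.split("/")):
        return None  # a real client never needs to climb; treat as hostile
    return posixpath.normpath(path)  # drops "." segments and a trailing slash


def is_allowed(raw_url: str) -> bool:
    """The allowlist decision: exact match on the canonical path, nothing else."""
    path = normalize_path(raw_url)
    return path is not None and path in ALLOWED_PATHS


def resolve_private_file(request_path: str, private_root: str = PRIVATE_ROOT) -> Optional[str]:
    """Map an already-allowlisted path to a file under the private folder.

    Returns None if the joined path escapes the root. The allowlist should
    already have stopped that; this is defense in depth for the file lookup.
    """
    if request_path == "/":
        request_path = "/index.html"
    root = posixpath.normpath(private_root)
    candidate = posixpath.normpath(posixpath.join(root, request_path.lstrip("/")))
    if candidate == root or not candidate.startswith(root + "/"):
        return None
    return candidate


def gate(raw_url: str) -> Optional[str]:
    """What the authentication hook would decide for one request: the private
    file to load (then template-process and send), or None to reject."""
    if not is_allowed(raw_url):
        return None
    return resolve_private_file(normalize_path(raw_url))


if __name__ == "__main__":
    # Constructed sample requests, as the raw URL a web server would receive.
    samples = [
        "/index.html",
        "/index.html?lang=en",
        "/./index.html",
        "//login.html",
        "/%69ndex.html",
        "/admin.html",
        "/INDEX.HTML",
        "/index.html/../admin.html",
        "/%2e%2e/%2e%2e/etc/passwd",
        "/%252e%252e/index.html",
        "/index.html%00.jpg",
    ]
    for url in samples:
        decision = gate(url)
        print(f"{url!r:36} -> {'serve ' + decision if decision else 'REJECT'}")
```

The match is deliberately case-sensitive and exact, so `/INDEX.HTML` is refused even though a case-insensitive filesystem would happily open the same file; if the app needs to accept case variants, fold case in `normalize_path` and in the allowlist rather than loosening the comparison. Every new URL still has to be added to `ALLOWED_PATHS` by hand, which is the maintenance cost Randy points out.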