Web App Security
From Xojo Documentation
Because web apps are accessible to any number of online users, the security of web apps is paramount. Xojo web apps are serious about security.
Most traditional web development languages are interpreted, meaning your web app is a set of files on a server. If someone gains access to that server, they gain access to your source code. Xojo web apps are compiled to binary code so your source code is not stored on the server.
The Open Web Application Security Project (OWASP) provides information on web app security and posted a list of the top 10 web app security issues. While a few of these issues require the developer to be more diligent, most cannot be used to hack into a web app created with Xojo.
|SQL Injection Attacks||Xojo provides developers with prepared statement support for database access. This takes the values to be used in a query and sends them separately to the database server so that it can determine if the values are valid or contain SQL.|
|Application Authentication||Xojo does not have authentication routines to compromise and session tokens are automatically protected from theft.|
|Insecure Direct Object References||Xojo does not allow direct object references in this manner so it would be impossible for such a security hole to be created.|
|Cross-Site Request Forgery||When the user logs into a web site (such as a banking site) and then leaves by navigating to a page of another site without first logging out, the original site will still see the user is logged in until their session times out. The developer can mitigate this by reducing the timeout from the 60 second default.|
|Security Misconfiguration||This involves the developer making sure they have good passwords for their server, not exposing data that does not need to be exposed, etc. This particular security concern is completely within the control of the developer and is outside the scope of what any development tool can guard against.|
|Insecure Cryptographic Storage||Be sure to use appropriate function in the Crypto library to properly secure your data.|
|Failure to Restrict URL Access||Because Xojo web apps create the HTML page on the fly, there’s no way for a hacker to access any page except the one that is currently in their browser. However, if the developer chooses to support bookmarking, they would need to make sure they authenticate the user before taking the user to the requested page.|
|Insufficient Transport Layer Protection||Web Servers provide SSL support which is the appropriate place to handle this issue.|
|Unvalidated Redirects and Forwards||There is nothing any development tool can do to prevent this. It’s up to the developer to make sure their app doesn't depend on untrusted data when redirecting or forwarding the user to another site. For example, the developer should always use the EncodeURLComponent function to encode any values used in a URL which come from a user or database.|
Go here to read a full description of each of these types of hacks.