-
-
-
- Security measures
- Security considerations
- Data encryption
- OTP
- Anonymization of personal data
- Using robots.txt
- Field properties concerning security
- Developing user groups securely
- Security considerations for user interface
- Secure file organization
- Securely using the request
- Cross Site Scripting (XSS)
- Scrambling of testdata
- Permission settings
Field properties concerning security
The following page documents the field properties concerning security.
- Field property ‘Public blob (read permisison is ignored)’
This property is available for fields with datatype 'blob' or 'image'. It determines if the blob in this field is only visible for users that heeft read rights for the field, or if it's visible to any user. The default for this property is false. When set to true, the blob is visible to any user. Only do this when you are sure that blobs in this field are meant to be public (eg. images for a website or freely accessible documents). The rule of thumb is: if a search engine is allowed to find and index the file, this property can be set to true. - Field property ‘Apply read permission of foreign class’
This property is available for foreign key fields. It determines if read permission for the foreign class should be applied to the lookup list of this field. There are usecases where a user has no read permission to a foreign class, but still need to be able to select a foreign record. In this case, this property can be set to false. The default is true now, but in the past it was false. If this property is set to false, always be aware of the possible implications. For instance if the foreign class has identifiable names in the label, this could mean a user who can't search for this class, can see a list of all these names through this field. - Field property ‘HTML’
This property is available for keys with datatype 'Text' or 'Memo'. It determines the type of content that's allowed in this field. It is important to note that only trusted developers are allowed to modify this field, as it has many security implications. Read more about these implications in this page about Cross-site Scripting. - Field property ‘Allow javascripts in html’
This property determines if JavaScript is also allowed in a HTML-enabled field. This is only relevant if the content of the field is part of a CMS system. Only enable this property if it is strictly necessary. For security implications of this property, read this page about Cross-site Scripting. - Field property ‘Data encryption'
The content of 'Memo', 'Text', 'Blob' or 'Image' fields can be stored encrypted in the database. At the moment this is only possible when the blueprint property 'Use data security' is enabled. This property may be retired in the future. Enabling the 'Data security' property does mean that searching capabilities for this field are greatly diminished. Searching for exact matches is still possible as is searching for null or non null values. Another option is store part of the data to be encrypted in another field (for instance, the last 4 digits of a bank account number), and searching on this field. For instructions on how to encrypt your data see this page: https://studio.crossmarx.nl/page/338/data-encryption - Privacy details
This property can be used to show that this field may contains privacy details. If this is enabled, form acces settings that do not use authentication are unavailable for forms containing any of these fields. This property can be used to determine that a field does not contain any privacy details. - Field property ‘Anonymization type’
The content of field can be anonymized. This can be required for privacy-sensitive data in case the records can't be removed, but the content of the field is no longer relevant. The options are: remove value, replace value with constant value or scramble value.
See https://studio.crossmarx.nl/page/1112/anonymization-of-personal-data