I have created an application which has different roles, and each role has some restrictions based on which I am controlling navigation between screens. The application also has a service ID and contract ID, based on which content visibility is controlled. However, the application URL reflects the user role, service ID and contract ID, and these can be hacked by users replacing the IDs. Can someone please help me to resolve this security issue? For example:
https://personal-zo3vlngh.outsys/........../ContractManagerDashboard?FromDate=2022-07-15&ServiceId=1&ToDate=2022-07-22&UserRole=4
Hi Mohd,
That is indeed a security breach, and therefore you should not have this information available in the URL but infer it on the screen based on the user in session.
For instance, you can use the Check<Role> function to see if the logged-in user has a given role.
You can also do a query using GetUserId() to get only the information the logged-in user can see.
You can read these Reactive Security best practices in more detail and more, in this documentation article.
Kind Regards,
João Marques
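An added example, not OutSystems code and not from either reply: the tampering pattern from the question beside a handler that takes the role from the session and filters by the logged-in user's id, as the answer above describes. The user table, contract list and function names are constructed assumptions.

```python
# Added example (not OutSystems code): the URL-trusting pattern from the
# question next to a handler that derives role and user id from the session.
# USERS, CONTRACTS and the function names are constructed assumptions.

# Constructed sample data standing in for the session store and the database.
USERS = {
    "alice": {"id": 1, "role": "ContractManager"},
    "bob": {"id": 2, "role": "Viewer"},
}
CONTRACTS = [
    {"contract_id": 10, "service_id": 1, "owner_id": 1},
    {"contract_id": 11, "service_id": 1, "owner_id": 2},
    {"contract_id": 12, "service_id": 2, "owner_id": 1},
]


def dashboard_vulnerable(query):
    """Trusts UserRole and ServiceId from the URL, so any user can edit them
    (the problem in the question)."""
    if query.get("UserRole") != "4":  # role number read from the URL
        raise PermissionError("not a contract manager")
    # No ownership filter: returns every contract for the requested service.
    return [c for c in CONTRACTS if c["service_id"] == int(query["ServiceId"])]


def dashboard_hardened(session_user, query):
    """Role comes from the session (the Check<Role> idea) and the query is
    filtered by the logged-in user's id (the GetUserId() idea); a UserRole
    parameter in the URL is simply ignored."""
    user = USERS[session_user]
    if user["role"] != "ContractManager":
        raise PermissionError("not a contract manager")
    service_id = int(query.get("ServiceId", 0))
    # Ownership filter in the query: only contracts this user may see.
    return [
        c for c in CONTRACTS
        if c["service_id"] == service_id and c["owner_id"] == user["id"]
    ]
```

With a tampered URL (`UserRole=4`), the vulnerable handler gives the viewer "bob" every contract for the service, while the hardened one rejects him and returns only "alice"'s own contract to her.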
You can also use the Crypto API to encrypt and decrypt the query string.
https://www.outsystems.com/forge/component-overview/437/cryptoapi
Thanks
Vinod