
Verj.io Application Security


Verj.io Applications have a range of features to combat attacks from malicious third parties.

SQL Injection

Database Resources execute SQL commands through prepared statements. A prepared statement separates the data parameters from the structure of the statement, so a value supplied as a parameter is treated purely as data: any SQL contained in it is never parsed or executed. Prepared statements only protect the values of a statement, not its structure (table and column names, sort order and so on), which cannot be bound as parameters.

In addition, Verj.io provides a safe way to build SQL statements dynamically using resource field substitutions.
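The following is an added example, not code from the Verj.io documentation or product, that shows the difference a prepared statement makes and why structural parts of a statement still need their own check. It uses Python's built-in sqlite3 module with a constructed in-memory users table; the table, rows, column allowlist and payload are assumptions for the example.

```python
import sqlite3


def make_db():
    # Constructed sample data for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.com"),
        (2, "bob", "bob@example.com"),
    ])
    return conn


def find_user_unsafe(conn, name):
    # Vulnerable: the user-supplied value becomes part of the statement text,
    # so SQL inside it is parsed and executed along with the rest.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Prepared statement: the value travels as a bound parameter and is only
    # ever compared as data, whatever characters it contains.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


# Identifiers cannot be bound as parameters, so a dynamic column name is
# validated against an allowlist before it is substituted into the statement.
ALLOWED_SORT_COLUMNS = {"id", "name", "email"}


def list_users_sorted(conn, column):
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    return conn.execute("SELECT id, name FROM users ORDER BY " + column).fetchall()


def demo():
    conn = make_db()
    payload = "x' OR '1'='1"  # classic injection payload (constructed)
    return {
        "unsafe": find_user_unsafe(conn, payload),   # returns every row
        "safe": find_user_safe(conn, payload),       # returns nothing: no user is named that
        "sorted": list_users_sorted(conn, "name"),
    }


if __name__ == "__main__":
    print(demo())
```

With the payload `x' OR '1'='1`, the concatenated statement turns into `... WHERE name = 'x' OR '1'='1'` and returns the whole table, while the prepared statement looks for a user literally named `x' OR '1'='1` and returns no rows. The allowlisted sort column stands in for the kind of check any dynamic statement builder has to apply to the parts a parameter cannot cover.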

Cross-Site Scripting

Cross-Site Scripting (XSS) attacks rely on an attacker being able to inject JavaScript into a page via user submitted data or URL parameters.

Field values substituted into Text Controls on a Page are rendered as text rather than parsed as HTML: the value is encoded on output so that the browser treats every character of it as literal text. Any malicious markup or script passed into a Field and subsequently displayed on a Page is therefore shown verbatim and is not executed.
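As an added example (not the Verj.io rendering code itself), the block below contrasts substituting a field value as text with substituting it raw, and uses Python's built-in HTML parser as a stand-in for the browser's DOM to show which elements and event handlers each rendering would actually create. The control markup, attribute context and attacker payloads are constructed for the example.

```python
import html
from html.parser import HTMLParser


class DomProbe(HTMLParser):
    """Records the elements and on* attributes a browser would create when it
    parses the markup; a small stand-in for inspecting a real DOM."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def parse_markup(markup):
    probe = DomProbe()
    probe.feed(markup)
    probe.close()
    return probe.tags, probe.handlers


def render_text_control(value):
    # Text-control behaviour: the field value is HTML-encoded, so the browser
    # sees it as text and never as a tag or attribute.
    return '<span class="text-control">%s</span>' % html.escape(value, quote=True)


def render_raw_unsafe(value):
    # Counter-example: substituting the value verbatim lets attacker markup
    # become part of the page structure.
    return '<span class="text-control">%s</span>' % value


def render_input_value(value):
    # Attribute context: the value sits inside a quoted attribute, so the quote
    # characters must be encoded too, or the value can close the attribute and
    # add its own.
    return '<input type="text" value="%s">' % html.escape(value, quote=True)


def render_input_value_unsafe(value):
    return '<input type="text" value="%s">' % value


# Constructed attacker payloads.
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
IMG_PAYLOAD = '<img src=x onerror="alert(1)">'
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'

if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, IMG_PAYLOAD):
        print("as text:", parse_markup(render_text_control(payload)))
        print("raw:    ", parse_markup(render_raw_unsafe(payload)))
    print("attr as text:", parse_markup(render_input_value(ATTR_PAYLOAD)))
    print("attr raw:    ", parse_markup(render_input_value_unsafe(ATTR_PAYLOAD)))
```

Rendered as text, every payload yields only the control's own element; rendered raw, the same payloads add a script element, an img element with an onerror handler, or an onfocus handler injected by breaking out of the attribute. The attribute case is the one to remember when a value is placed somewhere other than element text: the encoding has to match the context.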

Content-Security Policy

Verj.io Applications are Content-Security Policy (CSP) compliant, so a strict policy can be applied to them.

A CSP is sent by the server in the Content-Security-Policy response header and tells the browser which sources scripts (and styles) may be loaded from. Under a strict policy, inline JavaScript and CSS are not executed, because the browser cannot definitively establish where they came from, so script that an attacker manages to inject into the page does not run. This mitigates XSS, and the related frame-ancestors directive mitigates Click Jacking by controlling which sites are allowed to embed the page in a frame. CSP is a second line of defence: it limits what injected content can do, but it does not remove the need to encode output correctly.
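To make the browser's decision concrete, here is an added example (not Verj.io code, and not a complete CSP implementation) that parses a constructed policy header and models the core script-src rules: 'none', 'self', host sources, nonces and 'unsafe-inline'. Hash sources, 'strict-dynamic', ports and paths are deliberately left out. The policy value, page origin, CDN host and nonce are assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed strict policy for an application served from https://app.example.com.
POLICY = (
    "default-src 'none'; "
    "script-src 'self' https://cdn.example.com 'nonce-r4nd0mN0nc3'; "
    "style-src 'self'; "
    "frame-ancestors 'none'"
)
PAGE_ORIGIN = "https://app.example.com"


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _host_matches(source, url):
    # Simplified host-source matching: the scheme (when the source gives one)
    # and the host must agree; a leading "*." matches any subdomain.
    src = urlsplit(source if "://" in source else "//" + source)
    req = urlsplit(url)
    if src.scheme and src.scheme != req.scheme:
        return False
    shost, rhost = src.hostname or "", req.hostname or ""
    if shost.startswith("*."):
        return rhost.endswith(shost[1:])
    return shost == rhost


def script_allowed(header, page_origin, src=None, nonce=None):
    """Would the browser execute this script under the policy?
    src=None means an inline script; nonce is the script element's nonce attribute."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # no governing directive: the browser default is to allow
    if sources == ["'none'"]:
        return False
    if nonce is not None and "'nonce-%s'" % nonce in sources:
        return True
    if src is None:
        # Inline script runs only under 'unsafe-inline', and that keyword is
        # ignored as soon as the directive carries a nonce or hash source.
        strict = any(s.startswith(("'nonce-", "'sha")) for s in sources)
        return "'unsafe-inline'" in sources and not strict
    for s in sources:
        if s == "'self'" and _host_matches(page_origin, src):
            return True
        if not s.startswith("'") and (s == "*" or _host_matches(s, src)):
            return True
    return False


if __name__ == "__main__":
    print("own script :", script_allowed(POLICY, PAGE_ORIGIN, src="https://app.example.com/js/app.js"))
    print("cdn script :", script_allowed(POLICY, PAGE_ORIGIN, src="https://cdn.example.com/lib.js"))
    print("foreign    :", script_allowed(POLICY, PAGE_ORIGIN, src="https://evil.example.net/x.js"))
    print("inline     :", script_allowed(POLICY, PAGE_ORIGIN))
    print("nonced     :", script_allowed(POLICY, PAGE_ORIGIN, nonce="r4nd0mN0nc3"))
```

The weak setting to compare against is a policy such as `default-src 'self' 'unsafe-inline'`, under which the model (like a browser) executes any inline script, injected or not; the strict policy above only runs inline script that carries the per-response nonce an attacker cannot predict.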

See here for more information about Content Security Policies in general, and here for more information about how to configure them in your Verj.io Application.

Cross-Site Request Forgery

Cross-Site Request Forgery (CSRF) attacks are prevented by a same-site cookie policy: the session cookie is marked SameSite, so the browser does not attach it to requests that originate from another site.

All Verj.io server-side events are triggered by POST requests, and the browser does not send the session cookie with a POST request made from another site. A forged request therefore reaches the server without a session and cannot perform any meaningful action on the user's behalf. This relies on the browser enforcing the SameSite attribute, which all current mainstream browsers do.
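As an added example (not Verj.io's implementation), the block below models the two halves of this defence: the browser's SameSite decision about whether to attach a cookie, and a server-side event endpoint that acts only on a POST carrying a valid session. It then runs a forged cross-site POST, a legitimate same-site POST and a cross-site link against them. The cookie name, session store and endpoint path are assumptions for the example, and the browser model is simplified (it ignores the short Lax-by-default grace period some browsers apply).

```python
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def cookie_attached(samesite, method, same_site_request, top_level_navigation, secure=True):
    """Model of the browser's SameSite decision for one cookie on one request.
    samesite is the cookie's attribute value: 'Strict', 'Lax' or 'None'."""
    if same_site_request:
        return True
    mode = samesite.capitalize()
    if mode == "None":
        return secure  # SameSite=None is only honoured on a Secure cookie
    if mode == "Strict":
        return False
    # Lax: sent cross-site only on a top-level navigation with a safe method,
    # which is never a POST.
    return top_level_navigation and method.upper() in SAFE_METHODS


# Constructed session store and cookie (names are assumptions for the example).
SESSIONS = {"s3ss10n": "alice"}
SESSION_COOKIE = {"name": "session", "value": "s3ss10n", "samesite": "Strict", "secure": True}


def browser_send(request, cookie):
    """Simulate the browser: build the request, attaching the cookie only when
    the SameSite rules permit it."""
    headers = {}
    if cookie_attached(cookie["samesite"], request["method"], request["same_site"],
                       request["top_level"], cookie["secure"]):
        headers["Cookie"] = "%s=%s" % (cookie["name"], cookie["value"])
    return dict(request, headers=headers)


def server_handle_event(request):
    """Server-side event endpoint: events fire only on POST, and only when the
    request carries a valid session cookie. Returns an HTTP status code."""
    if request["method"] != "POST":
        return 405
    name, _, value = request["headers"].get("Cookie", "").partition("=")
    if name != SESSION_COOKIE["name"] or value not in SESSIONS:
        return 401
    return 200


def forged_post(samesite="Strict"):
    """An attacker's page auto-submits a form to the event endpoint while the
    victim is logged in. A form submission is a top-level, cross-site POST."""
    cookie = dict(SESSION_COOKIE, samesite=samesite)
    request = {"method": "POST", "path": "/app/event", "same_site": False, "top_level": True}
    return server_handle_event(browser_send(request, cookie))


def legitimate_post():
    """The application's own page fires an event: a same-site POST."""
    request = {"method": "POST", "path": "/app/event", "same_site": True, "top_level": False}
    return server_handle_event(browser_send(request, SESSION_COOKIE))


def cross_site_link(samesite="Lax"):
    """The victim follows a link from another site. With Lax the cookie is
    attached, but a GET cannot trigger a server-side event."""
    cookie = dict(SESSION_COOKIE, samesite=samesite)
    request = {"method": "GET", "path": "/app/event", "same_site": False, "top_level": True}
    return server_handle_event(browser_send(request, cookie))


if __name__ == "__main__":
    print("forged POST, Strict cookie:", forged_post("Strict"))
    print("forged POST, Lax cookie:   ", forged_post("Lax"))
    print("forged POST, None cookie:  ", forged_post("None"))
    print("legitimate POST:           ", legitimate_post())
    print("cross-site link (GET):     ", cross_site_link())
```

With SameSite=Strict or Lax the forged POST arrives without a cookie and is rejected with 401; with SameSite=None the same forged request carries the session and succeeds, which is the configuration this policy exists to avoid. The cross-site GET case shows why it matters that events are only triggered by POST: even when a Lax cookie is attached to a top-level GET, the endpoint does nothing with it.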