Welcome
Topic #1.1.1.1.1.1.
Up To: WebHub App Servers
   Read: Teamwork  
   Read: Save-State  
   Read: UI vs Process  
   Read: A HREF links  
   Read: DB Support  
   Read: ASync  
   >>Security  

to to to to to to Security

Browsing >>Security: WebHub security features

WebHub provides safe, anonymous surfing with server-side save-state.

Known, and avoided, security holes

WebHub does not compromise your security using any of these common techniques:
  • hidden fields on HTML forms (commonly used to save-state)
  • cookies (used to save-state)
  • SQL code that is visible within the web page source (used to put database-driven content into a web page)

WebHub increases security and privacy by:

  • using anonymous Session IDs
  • keeping all surfer data on the server
  • enabling true comments that are never shown to surfers
  • providing the FRONTDOOR feature
  • monitoring sessions for unwarranted changes in IP number and/or browser type
  • enabling secure login and logout
  • enabling automatic logout after a period of inactivity
  • compatibility with HTTPS

Session IDs versus Cookies

Cookies are a well-known security hazard, primarily because they exist in plain text on the surfer's machine. Anyone walking up to the machine can use the cookie.

WebHub tracks surfers with Session IDs instead. Session IDs expire, and a developer can set an inactivity timeout, so that after N minutes, even if another person does sit down at the machine and follow a page, that page will have expired and re-login will be required.

Surfer data is kept on the server machine -- no database vulnerability
Data doesn't travel unnecessarily back and forth via cookies or hidden fields on forms. It is simply saved and restored based on the surfer's Session ID.

There is never any SQL code visible through View|Source of the web pages. The SQL code is kept on the server machine and never sent to the surfer. That means a surfer cannot save your web page, change a few keywords, and break into your database.

For highest performance and highest security, HREF recommends putting the database on a separate machine and connecting to it using a second network card which is not open to the Internet, just to the web server machine.

True comments -- your code is not visible
WebHub has its own comment syntax, enabling you to put in-house comments into your HTML. WebHub comments are stripped out before the HTML goes to the surfer, so your ideas and notes are completely private.

Even if you don't use any WebHub comments, a surfer will not be able to figure out what you did with WebHub macros by viewing your web pages. Surfers can see only the result of all the processing, never the code that caused it.

Frontdoor feature
A single WebHub setting called "frontdoor" helps you make sure that surfers always come in through a "front door" page, regardless of what they may have bookmarked.

Monitoring Sessions
WebHub VCL programmers can adjust internal component settings to further increase security by monitoring each session for changed in IP number and/or browser type. While a change in IP number does not necessarily indicate an attempted break-in (because AOL and other networks pool IPs), if that change occurs in conjunction with a suspicious prior-link, then the application server software can reject the surfer.

The same thing goes for changes in browser type. While it is legitimate to change browsers during testing, it is quite rare for a real surfer to do this, and a programmer can decide to use this event as a security-risk flag.

Secure Login/Logout
WebHub Power HTML and WebHub VCL include a component which lets you set up lists of allowed users, passwords, and pass phrases (hints). Surfers are then required to login before using certain pages, or even parts of pages, within your site. You can set up a security system based on any number of levels of access.

Inactivity Timeout
WeHub v1.50+ includes a macro making it easy to check whether there has been too long of a delay since the surfer last used the application. Let's say the threshhold is 30 minutes. That means that if the browser is idle for 31 minutes and then someone (maybe the legitimate user, maybe not) tries to follow a link, the application would require a second login to confirm the identity of the user.

WebHub supports HTTPS
Many people ask whether WebHub "does HTTPS". HTTPS stands for HyperText Transfer Protocol - the Secure Version. It is the web server software that does the work of encrypting and decrypting web pages to meet the HTTPS standard. WebHub simply works with both HTTP and HTTPS, but it does not provide the functionality.


Running: WebHub-v3.270 compiled with d25_win32 on Microsoft-IIS/10.0,
Thu, 23 Nov 2017 01:35:22 UTC
Session 1460883988, 0 pages sent to CCBot/2.0 (http://commoncrawl.org/faq/) at 54.80.60.91;
Time to produce this page: 16msec.