
Classes


TIWSecurityOptions


This class controls how IntraWeb handles various aspects of application security. The ServerController creates an instance of TIWSecurityOptions, used internally.

Unit

IWServerControllerBase

Class hierarchy

TPersistent -> TIWSecurityOptions

Methods

Create [Public]

Declaration: constructor Create;

Description: Constructs an instance of the class TIWSecurityOptions and initializes its data.


Assign [Public]

Declaration: procedure Assign(ASource: TPersistent); override;

Description: Copies the property values from another TIWSecurityOptions instance or TPersistent descendant.

Parameters:

  • ASource (TPersistent): the object whose property values are copied into this instance.

Properties

CheckSameIP: Boolean; [Published, Read/Write]

When True, IntraWeb checks that all requests addressed to a single session originate from the same IP address. If a different IP is detected, the request is blocked and IntraWeb responds with an error message. In general you should leave this unchecked (False): some routers and even ISPs can forward two requests from the same origin to the same target over different routes or source IPs, so a legitimate user could be locked out of their session. Only set this to True when you are certain it will not affect your users (e.g. on an intranet).

CheckSameUA: Boolean; [Published, Read/Write]

When True, IntraWeb checks that all requests addressed to a single session originate from the same browser, i.e. they carry the same user agent string. If a different UA is detected, the request is blocked and IntraWeb responds with an error message. In general you should leave this checked (True).

CheckFormId: Boolean; [Published, Read/Write]

When True, IntraWeb adds an additional hidden field (FormId) containing a random 128-bit value. Each form instance has its own unique id (i.e. two instances of the same form class have different ids). IntraWeb checks this value before rendering (GET) and before executing any action or updating any content during a POST request. This prevents several potential attacks, such as Cross Site Request Forgery (CSRF).

RandomTempFileNames: Boolean; [Published, Read/Write]

When True (Default), IntraWeb generates truly random temp file names. When False, IntraWeb uses sequentially numbered file names.

PreventDoubleSubmission: Boolean; [Published, Read/Write]

When True (Default), IntraWeb checks the contents of each POST request and prevents double submission, i.e. a successive POST request containing exactly the same values is ignored. Please note that only two consecutive requests are compared. When a double submission is detected, IntraWeb ignores the content and simply renders the page again.

ShowSecurityErrorDetails: Boolean; [Published, Read/Write]

When True (Default), all error messages contain error details. Please note that sensitive content (such as local paths) is never shown to the end user when IntraWeb detects that the request comes from a remote address, regardless of this option.

ForceAjaxPost: Boolean; [Published, Read/Write]

When True, IntraWeb always uses POST for Ajax requests, so field values are transmitted in the request body rather than in the query string.

CorsOrigin: string; [Published, Read/Write]

Used by CORS (Cross-Origin Resource Sharing).

HttpMethods: THttpMethods; [Published, Read/Write]

Specifies additional HTTP methods that should be allowed. Possible values are hmPut (PUT), hmHead (HEAD) and hmOptions (OPTIONS). GET and POST are always required and cannot be disabled through any setting. IntraWeb rejects any other HTTP method.
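The following is an added example (not Atozed's code) showing how these properties are typically set together in an application's ServerController. It assumes that TIWServerControllerBase exposes its TIWSecurityOptions instance through a SecurityOptions property, that the generated ServerController unit has an IWServerControllerBaseConfig event handler, and that THttpMethods and the hm* values are declared in IWServerControllerBase; the CorsOrigin value is a constructed placeholder.

```pascal
unit ServerController;

interface

uses
  SysUtils, Classes, IWServerControllerBase;

type
  TIWServerController = class(TIWServerControllerBase)
    // Assumption: the OnConfig handler generated by the IntraWeb wizard.
    procedure IWServerControllerBaseConfig(Sender: TObject);
  end;

implementation

{$R *.dfm}

procedure TIWServerController.IWServerControllerBaseConfig(Sender: TObject);
var
  Opt: TIWSecurityOptions;
begin
  // Assumption: the ServerController exposes its options as SecurityOptions.
  Opt := SecurityOptions;

  // Leave False unless every user is on a controlled network; ISPs and
  // routers may legitimately change the source IP between two requests.
  Opt.CheckSameIP := False;

  // Binding a session to one user agent string is cheap and rarely breaks users.
  Opt.CheckSameUA := True;

  // Per-form random 128-bit FormId, verified on GET and POST (CSRF protection).
  Opt.CheckFormId := True;

  // Random temp file names avoid predictable, sequential file paths.
  Opt.RandomTempFileNames := True;

  // Two consecutive identical POSTs: the second is dropped and the page re-rendered.
  Opt.PreventDoubleSubmission := True;

  // Generic error messages in production; detailed ones only while debugging.
  Opt.ShowSecurityErrorDetails := False;

  // Ajax field values go in the request body instead of the query string.
  Opt.ForceAjaxPost := True;

  // Constructed placeholder: restrict CORS to the origin that actually needs it.
  Opt.CorsOrigin := 'https://app.example.com';

  // THttpMethods is a set; GET and POST are always allowed and need not be listed.
  // Only PUT (hmPut) would also be accepted if added here.
  Opt.HttpMethods := [hmHead, hmOptions];
end;

end.
```

In a real project these values are usually set in the ServerController's Object Inspector rather than in code; the handler above only makes the choices and their reasons explicit in one place.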


© 2002 - 2019 Atozed Software