APyaX is currently not intended to be suitable for creating highly secure applications.
This section provides some security precautions to take when implementing applications with APyaX.
Keep server scripts secure
Somewhat obvious, but ensure that the server-side python scripts used in an APyaX application cannot be modified, removed or read by clients.
Use encrypted client-server protocols (https)
This is essential if you are going to pass any kind of secure information (for example, passwords) from the client to/from APyaX scripts running on the server. APyaX itself does not provide any kind of encryption mechanism.
Guard against stolen cookies
Use database passwords to verify user identity, and store sensitive information in a password-protected database
Store all sensitive information in a password protected database and do not cache database passwords in an APyaX session object. Design your application so that the user must enter their password when first required, and re-transmit the password to the server each time it is needed to retrieve information.
Expose only essential server-side methods to the client
APyaX performs both generation-time and run-time checks to ensure that only python methods that have a first parameter named apyax may be invoked by the client. Make sure that only methods that are intended to be exposed to be called from the client have a first parameter with this name.
Design exposed server-side methods and business logic robustly
Its important to remember that server side code should not trust the client, the original client code may easily be compromised in order to invoke exposed server-side methods in an unanticipated way and exploit them. In a crude example, it would be more dangerous to expose separate server-side methods:
It would be safer to combine them into one, for example: