Writing secure apps in webCore

Hi, Excited about the new tool.  Spent a bit of time with it so far.

Not being an expert at web dev, I need to get my head round how to ensure I am doing secure dev, secure session management.  

I have 2 use cases:
- portal for a client to allow their clients to see limited data about their details from a line of business system
- file upload and download, but secure and with usernames and passwords

I have looked at the examples, but thinking about how to partition the code so that the client side is secure.

Any help gratefully accepted.

Typically this is done in the communication between web client & server. A commonly used mechanism is via the use of JWT (JSON Web Token)

A starting reference on how to use the JWT from a TMS XData backend can be found here:

Thanks Bruno.  I have spent months (Years) deciding on how best to render this portal.  From MS VS, to just writing a isapi DLL, to using a front end tool.  I am hoping that TMS Web Core is ideal for the job.  I am not sure about using TMS XData in case making the whole stack proprietary causes an issue for the future.  The world changes and suddenly.......

Just started reading the page - very interesting.  Of course, my main concern is someone being able to inject code browser side and can generate a logged in session etc.  I know I need to add audit and awareness to the back end to notice unusual behavior etc.

Anyway, thanks for the pointer and also in advance for all the questions I am going to ask going forward :-).


From a security perspective, I think that TMS WEB Core is quite equal to technologies such as angular, vue.js, ... and several more SPA model web applications relying on REST service calls for connecting to the server. The good practices advised for angular for example should be applied for TMS WEB Core as well, that is, use HTTPS REST API calls, use JWT for authentication or OAUTH2 for cloud service access. It is on our todolist to create a sample using JWT that connects with TMS XData but a similar setup should be used when connecting to other server technologies such as node.js, Embarcadero RAD server, ASP.NET Core microservices, ...  We'll look to bundle some good articles discussing the best practices for each of these technologies that Delphi developers might most likely use as starting points in the coming weeks.

Thank you Bruno, the less head scratching, where to go next, the more chance I will adopt a solution.  Cheers,