<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/> <title>Frepple / Security </title> <link rel='stylesheet' href='../styles.css' type='text/css' /> <!--PageHeaderFmt--> </head> <body> <div id="container"> <div id="content"> <br/> <!--PageText--> <div id='wikitext'> <p class='vspace'>When frePPLe is used in a networked multi-user environment, security is very important.<br />The frePPLe C++ code is developed with security in mind. </p> <p class='vspace'>Here are some notes and considerations on this topic: </p> <div class='vspace'></div><ul><li>FrePPLe can validate incoming XML data with an XML-schema. Invalid data will be rejected and an error message is generated.<br />The XML Schema files frepple.xsd and frepple_core.xsd define the valid structures.<br />When integrating frePPLe with other systems it is strongly recommended to validate the incoming XML data against a small and well-controlled subset of the default XML-schema.
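<p class='vspace'>As an added example (not code from the frePPLe project or from this page), the following Python pre-screen applies the first two notes on this page to untrusted XML before it is imported: it rejects every XML processing instruction, and it rejects elements and attributes outside an explicit allow-list as a simplified stand-in for validating against a restricted schema subset. The element and attribute names and the sample documents are constructed for the example and are not frePPLe's actual schema.</p>

```python
"""Pre-screen untrusted XML before it reaches a consumer such as frePPLe.

Rejects every processing instruction (a <?python ...?> PI would otherwise run
arbitrary code with the importing process's privileges) and any element or
attribute outside an allow-list, a simplified stand-in for a restricted schema.
Element names and sample documents are constructed, not frePPLe's real schema.
"""
from xml.parsers import expat

# Constructed allow-list: element name -> permitted attribute names.
ALLOWED = {
    "plan": set(),
    "items": set(),
    "item": {"name", "description"},
}


def screen_xml(data, allowed=ALLOWED):
    """Return a list of findings; an empty list means the document passed."""
    findings = []

    def on_pi(target, text):
        findings.append(f"processing instruction <?{target} ...?> not allowed")

    def on_start(name, attrs):
        if name not in allowed:
            findings.append(f"element <{name}> not in allow-list")
            return
        for attr in attrs:
            if attr not in allowed[name]:
                findings.append(f"attribute {attr!r} not allowed on <{name}>")

    parser = expat.ParserCreate()
    parser.ProcessingInstructionHandler = on_pi
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)  # isfinal=True: the whole document is in `data`
    except expat.ExpatError as exc:
        findings.append(f"not well-formed: {exc}")
    return findings


# Constructed samples: one clean document, one with a PI plus unknown element/attribute.
CLEAN = b'<?xml version="1.0"?><plan><items><item name="widget"/></items></plan>'
TAINTED = (b'<?xml version="1.0"?><plan><?python import os?>'
           b'<items><item name="widget" price="1"/><order/></items></plan>')

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("tainted", TAINTED)):
        print(label, screen_xml(doc) or "OK")
```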
<div class='vspace'></div></li><li>The python XML processing instruction allows execution of arbitrary Python statements with the privileges of the user running the frePPLe executable.<br />While allowing maximum flexibility for configuring and customizing frePPLe, it also creates an open door into your system. Access to this command should be restricted, and/or frePPLe should be run under a user account with limited privileges. <div class='vspace'></div></li><li>When using Django, its standard web authentication mechanism is relatively weak.<br />In secure environments, consider using HTTPS and plugging in a different authentication mechanism. </li></ul> </div> <!--PageFooterFmt--> <!--HTMLFooter--> </div></div> </body> </html>