
Applies only to Web Applications
OutSystems

Enforce HTTPS Security

OutSystems lets developers decide at design time which HTTP security applies to their applications, by defining which pages and integrations are available over HTTP and HTTPS.

IT Managers or Administrators can override and enforce the HTTP security of applications that are installed and running. They can do it for a whole environment, which affects all applications running there, or application by application.

For an environment, the following can be configured:

Enable HTTP Strict Transport Security (HSTS)
Use it to ensure all screens use HTTPS. When enabled, all HTTP page requests will be redirected to HTTPS. Enabling this option overrides the security definitions of all web flows, web screens and the 'Force HTTPS for screens' application setting for all applications. Note that all screens of Mobile Applications always use HTTPS whether this setting is on or off.
Force HTTPS for screens in Web Applications
Use it to ensure all screens in Web Applications use HTTPS. When enabled, all HTTP page requests will be redirected to HTTPS. Enabling this option overrides the security definitions of all web flows and web screens. Note that all screens of Mobile Applications always use HTTPS whether this setting is on or off.
Force HTTPS for exposed integrations in Web Applications
Use it to ensure all exposed SOAP and REST integrations in Web Applications are only served via HTTPS requests. Enabling this option overrides the security definitions of all exposed integrations for the application modules. Note that all exposed SOAP and REST integrations in Mobile Applications are always served via HTTPS whether this setting is on or off.

For an application, the following can be configured:

Force HTTPS for screens
Use it to ensure all screens use HTTPS. When enabled, all HTTP page requests will be redirected to HTTPS. Enabling this option overrides the security definitions of all web flows and web screens.
Force HTTPS for exposed integrations
Use it to ensure all exposed SOAP and REST integrations are only served via HTTPS requests. Enabling this option overrides the security definitions of all exposed integrations for the application modules.

Any of the above configurations will only work if a valid SSL certificate is installed in the environment.

To configure secure connections for an environment, use LifeTime (the infrastructure management console):

  1. Select the Infrastructure section to see all environments;

  2. Select the Environment Security option of an environment;

  3. Configure the security settings.

To configure secure connections for a single application:

  1. Also in LifeTime, select the Applications section, and then the application;

  2. Select the Security Settings option;

  3. In the drop-down list, select the environment to which the settings will apply;

  4. Configure the security settings.

If you don’t have LifeTime installed, configure secure connections in each environment using its management console (Service Center):

  1. In the Administration section, select the Security option;

  2. Configure the security settings.

To configure secure connections for a single application in Service Center:

  1. Select the Factory section and then the application;

  2. Select the Security tab;

  3. Configure the security settings.
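
To confirm from outside that the screen settings above took effect, the following added example (not OutSystems code) checks that an HTTP request is redirected to HTTPS and that the HTTPS response carries a valid HSTS header. The host name `apps.example.com`, the `MyApp` path and the sample responses are constructed; the header syntax follows RFC 6797.

```python
import http.client
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if absent or invalid."""
    if not value:
        return None
    policy = {"max_age": None, "include_subdomains": False}
    for part in value.split(";"):
        name, _, arg = (s.strip().lower() for s in part.partition("="))
        if name == "max-age":
            arg = arg.strip('"')
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy if policy["max_age"] is not None else None  # max-age is mandatory

def audit(http_resp, https_resp, host):
    """Each response is a (status, headers) pair with lowercased header names."""
    findings = []
    status, headers = http_resp
    target = urlsplit(headers.get("location", ""))
    if status not in (301, 302, 303, 307, 308):
        findings.append("HTTP request answered without a redirect (status %d)" % status)
    elif target.scheme != "https" or target.hostname != host:
        findings.append("HTTP redirect does not point to https://%s" % host)
    hsts = parse_hsts(https_resp[1].get("strict-transport-security"))
    if hsts is None:
        findings.append("no valid Strict-Transport-Security header on the HTTPS response")
    elif hsts["max_age"] == 0:
        findings.append("HSTS max-age=0 tells browsers to discard the policy")
    return findings

def fetch(scheme, host, path="/"):
    """Live probe, redirects not followed; an invalid certificate raises ssl.SSLError."""
    cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = cls(host, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

# Constructed sample responses, not captured from a real environment.
GOOD = ((302, {"location": "https://apps.example.com/MyApp/"}),
        (200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}))
BAD = ((200, {}), (200, {}))
```

Against a live environment, `audit(fetch("http", host), fetch("https", host), host)` runs the same checks; an empty list means both the redirect and the HSTS header are in place.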
