Skip to main content


Protecting OutSystems apps using encryption and SSL/TLS



Protecting OutSystems apps using encryption and SSL/TLS

By using encryption you will safeguard stored, or in transit, sensitive data from being read by third-parties. However, the most common flaw in software is not encrypting sensitive data.

Usually attackers don’t attempt to break the encryption itself, they break something else. Some examples of attack vectors are stealing plain text data, using Man-in-the-Middle (MITM) attacks, or stealing keys.

The following example illustrates how a MITM attack can be used to listen to a communication between two computers and impersonate a legitimate user after stealing his session (green arrows represent secure connections, while red arrows represent plain text connections):


How to do it with OutSystems Platform

The recommended strategy is to encrypt all channels and sensitive data.

In order to do so with OutSystems Platform follow these recommendations for each scenario:

Use case Actions


Secure apps' communications


  • Use HTTP Security SSL in Web Flows and Web Services (Requires SSL certificate).
  • Use only trusted SSL certificates.
  • Use HPKP headers (certificates pinning).

Protect how Cookies are transmitted


  • Enable secure cookies in your applications/server.
  • Enable HSTS headers (forced HTTPS at client side).

 Encrypt data (stored or in transit)

AES-128, AES-256

  • Use CryptoAPI component to encrypt your data.
  • Use a Key Management System or use OutSystems Platform private key.
  • Use OutSystems Platform built-in SHA512 algorithms for hashing.

More information

To learn how to protect your OutSystems apps against other common types of attacks, check how OutSystems Platfom helps you develop secure applications.