On 27.11.2013 20:28, John J wrote:

> On 11/27/2013 12:10 PM, Sönke Ludwig wrote:
>
>> The vibed.org and vibenews projects might be suited as examples - they
>> both use a mix of a few techniques.
>
> Thanks for the links. I will run them locally and study the code.
>
> I have a need to expose a sub-set of our SQL server database to end
> users as a website where each user logs in and views the information
> related to them. Hopefully, I can develop that after studying these
> examples, especially the first one.

vibenews uses MongoDB instead of an SQL server for storing the messages,
so that's the only part that won't really fit. There is mysql-native, but
I can't really help with that, as I haven't used it seriously up to now.

> I understand vibe.d creates an independent web server that runs by
> itself without needing Apache or IIS.
> The first question people would ask me is about the security of this
> model. Is there anything I should be aware of regarding security when
> using vibe.d?

The low-level security should be relatively good as long as bounds
checking isn't disabled (-noboundscheck), thanks to D's type system and
the garbage collector. However, even though care has been taken, it
surely hasn't received a comprehensive security audit, so it shouldn't
be used for critical systems without additional measures.

> Are there any extra (or less) steps to take with vibe.d for better
> security?

One thing I'd recommend is to put the vibe.d application behind an NginX
proxy server. That will basically shield off all low level attacks and
leave more or less only the application level vulnerabilities to deal
with (XSS etc.). There should also be a watchdog script running in the
background that restarts the server, should it ever crash or hang for
some reason. This is more critical than for PHP or CGI because
everything happens in the same process vs. running a separate process
per request.
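An added example of the reverse-proxy setup recommended above (not from this thread or from the vibe.d project): an nginx server block that terminates TLS and forwards to a vibe.d application assumed to listen only on 127.0.0.1:8080; the host name and certificate paths are placeholders.

```nginx
# Added example, not from the mailing-list thread.
# Assumes the vibe.d app is bound to 127.0.0.1:8080 only, so the proxy is
# the sole externally reachable endpoint.
upstream vibed_app {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name example.com;   # placeholder host name

    ssl_certificate     /etc/nginx/certs/example.com.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/certs/example.com.key;  # placeholder path

    # Enforce request size and slow-client limits at the proxy, so oversized
    # or dribbling requests are dropped before they reach the single
    # vibe.d process that serves all users.
    client_max_body_size   1m;
    client_body_timeout    10s;
    client_header_timeout  10s;

    location / {
        proxy_pass http://vibed_app;
        proxy_http_version 1.1;

        # Forward the real client address; otherwise the application only
        # ever sees 127.0.0.1 in its access logs and per-user checks.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Fail fast if the backend hangs, instead of tying up nginx workers;
        # a hung backend is exactly the case the watchdog is meant to catch.
        proxy_connect_timeout 5s;
        proxy_read_timeout    30s;
    }
}

# Send plain-HTTP visitors to the TLS endpoint.
server {
    listen 80;
    server_name example.com;   # placeholder host name
    return 301 https://$host$request_uri;
}
```

Binding the vibe.d application to 127.0.0.1 (rather than all interfaces) is what turns the proxy into an actual barrier; a backend listening on 0.0.0.0 stays directly reachable and the proxy limits above do nothing for it.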