Online Security

This forum is for all Flare issues related to the HTML5, WebHelp, WebHelp Plus, and Adobe Air Targets
mredpath
Jr. Propeller Head
Posts: 1
Joined: Mon Mar 02, 2015 2:37 am

Online Security

Post by mredpath »

Hi folks,

Apologies if this question has arisen before - I had a quick search through this forum and couldn't find anything similar, but if anyone knows of a similar thread, please point me toward it.

The application for which I've created my web-based output is itself web-based. Like lots of other web-based applications, its users require a username and password to log in.

I'd like my web-based output to be accessed by clicking a "Help" button that appears in the upper-right of every page in the application.

However, our developers are concerned about the security implications of implementing Flare's output into the application.

We need to be in a situation where the only way in which anyone can access the web-based output is by first logging into the application using a username and password.

In other words, we don't want our users to be able to share links to pages within the web-based output that can then be opened by 3rd parties. Furthermore, we don't want 3rd parties to be able to find pages of the web-based output themselves, and then use those pages to dig further into the application itself.

Does anyone have any experience of the concerns I'm describing? Or reassurance that I can pass on to our developers?

Many thanks in advance for any help you can give.

Best wishes,

Matt
AmyJoFrance
Jr. Propeller Head
Posts: 2
Joined: Tue Aug 25, 2015 2:07 am

Re: Online Security

Post by AmyJoFrance »

I'm wondering if you ever found out anything about this...

I'm currently being asked about this by several people and I'm not sure how to reply. I've read another post that talks about scripts in master files and/or that it's the admin of the web server's responsibility. Some of the people I'm talking to don't really understand these words, and to be honest I have limited knowledge to be able to explain it myself.

If you've found any good resources or topics about this, please share :)
Robotman
Sr. Propeller Head
Posts: 186
Joined: Sat Mar 04, 2006 3:05 am
Location: Melbourne, Australia

Re: Online Security

Post by Robotman »

Hi Matt,

Caveat: I am not a developer yet I presented a topic around this very idea.

The basic idea is that a token or ID be passed to open a specific HTML5 page (not webhelp output).

At the moment, our software (and help) is installed on a middleware box which means the help is installed locally. When a user logs in and presses F1, our help is displayed in a new tab using CSH. If I close down the software tab and click refresh on the help, the topic is not displayed.

Our devs have not yet implemented it when the help is on the web although I am assured this is possible (and, technologically, it should be possible).
Last edited by Robotman on Tue Mar 15, 2016 5:42 pm, edited 1 time in total.
\m/ Gary \m/
Flare 2024
Screaming Symphony
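
The token idea described in the post above, sketched as an added example (not part of the original posts and not Flare functionality). It assumes a small gate in front of the static HTML5 output that can read the application's session cookie; the names `mint_help_url` and `check_help_request`, the key and the five-minute lifetime are all hypothetical.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: known to the app and the help gate only
TTL_SECONDS = 300                 # assumption: a help link is valid for five minutes


def sign(session_id, topic, expires):
    """HMAC over the session, the topic path and the expiry time."""
    msg = f"{session_id}\n{topic}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def mint_help_url(session_id, topic, now=None):
    """Called by the application when a logged-in user clicks Help."""
    expires = int(time.time() if now is None else now) + TTL_SECONDS
    return f"/help/{topic}?exp={expires}&sig={sign(session_id, topic, expires)}"


def check_help_request(topic, exp, sig, cookie_session, active_sessions, now=None):
    """Gate decision for one request: returns (HTTP status, reason)."""
    now = time.time() if now is None else now
    # No live application session means no help, whatever the link says.
    if cookie_session is None or cookie_session not in active_sessions:
        return 401, "no active application session"
    if topic.startswith("/") or ".." in topic.split("/"):
        return 400, "bad topic path"
    try:
        expires = int(exp)
    except (TypeError, ValueError):
        return 400, "bad expiry"
    expected = sign(cookie_session, topic, expires)
    # Constant-time comparison; the signature only matches the session it was minted for.
    if not hmac.compare_digest(expected.encode(), (sig or "").encode()):
        return 403, "signature does not match this session and topic"
    if now > expires:
        return 403, "link expired"
    return 200, "serve topic"


if __name__ == "__main__":
    url = mint_help_url("sess-A", "topics/reports.htm", now=1000)
    exp, sig = url.split("exp=")[1].split("&sig=")
    live = {"sess-A", "sess-B"}  # constructed sample sessions
    print(check_help_request("topics/reports.htm", exp, sig, "sess-A", live, now=1001))
    print(check_help_request("topics/reports.htm", exp, sig, "sess-B", live, now=1001))
    print(check_help_request("topics/reports.htm", exp, sig, None, live, now=1001))
```

A link copied to someone else fails either because they have no session cookie (401) or because the signature was minted for a different session (403), and a refresh after logout fails because the session is no longer in the active set.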
RamonS
Senior Propellus Maximus
Posts: 4293
Joined: Thu Feb 02, 2006 9:29 am
Location: The Electric City

Re: Online Security

Post by RamonS »

There are definitely ways; as suggested, you can pass a token along. Assuming it is a hosted app, you can also drop the help into a CDN and then restrict access to that by domain. So only the domain where the hosted systems are on can make requests to the CDN; all other requests get rejected.
In all these discussions - and there are many in the forums - I always question the motivation why access to help is to be restricted and made difficult. Rest assured that the help will be copied and distributed. So why go through all this trouble and potentially make it harder for your own customers?
Robotman
Sr. Propeller Head
Posts: 186
Joined: Sat Mar 04, 2006 3:05 am
Location: Melbourne, Australia

Re: Online Security

Post by Robotman »

RamonS wrote: In all these discussions - and there are many in the forums - I always question the motivation why access to help is to be restricted and made difficult. Rest assured that the help will be copied and distributed. So why go through all this trouble and potentially make it harder for your own customers?
This is something I have questioned those with a higher income than I. :) Our help is distributed using exes so our competitors already have access to it. All agree but there is still a conservative mindset that needs to be overcome. We will get there and I am making headway - it is just taking a little longer than expected. It's much better to be on the front foot and engaging customers rather than making it difficult. :)
\m/ Gary \m/
Flare 2024
Screaming Symphony
RamonS
Senior Propellus Maximus
Posts: 4293
Joined: Thu Feb 02, 2006 9:29 am
Location: The Electric City

Re: Online Security

Post by RamonS »

The problem with securing help with a user name and password or by passing a token is that it is then tied to some form of authentication service. Adding a link to help from a knowledge base or corporate web site or any other place is off the list. I've worked with knowledge bases and customer portals in the past and the biggest complaint was always about the annoyance of having to sign up first and then log in each time. For many it is much easier to hit the speed dial and call support, which is way more expensive for the company.
If a company has to resort to secrecy for the help file to stay competitive then there are way bigger issues. Keep innovating and delivering value that nobody else can rather than spend engineering hours on securing a help system. The developers better work on new features or fix bugs than do that.