Security Frequently Asked Questions


What does DA provide for network level security?

We are pretty sure that Indy does have areas that are open to attacks; for example, its HTTP server uses standard "Readline" logic to read headers. If you're concerned about about these kinds of things, we recommend using RO/.NET and our Internet Pack based channel (IP). Not only has it proven to be much faster than Indy HTTP Servers in our recent tests, but IP was designed from the ground up to be secure on levels beyond those of Indy.

On the Delphi side, if low level security is a concern, we suggest going with the Indy TCP Server or the Super Channel; at least on the levels we control, these should be proven against the kinds of malicious attacks (although again we cannot comment on the lower level of Indy, as we did not perform a thorough review in that regard).

At your own code level, there are a couple of things that come to mind to look out for. Use a proper login, ideally with one of the DA4 templates that provide the login already. Set a limit for sessions, to avoid users creating thousands or millions of sessions. Validate all data passed into custom methods; don't make any assumptions about data and parameters received from clients.

Most of all, do not assume clients are your own; i.e. never rely in a check on your client application or assume you know your client will always send a right value for a particular parameter - an attacker might write their own client and send different data.

Also, once your server goes production (and assuming you won't have third parties write their own clients), disable the SendRodl and SendInfoPage properties on your server, making it harder for an attacker to learn the structure of your RO service.