Data security is an important question both for Flexmonster and for our customers. This tutorial explains how security is handled when connecting to databases.
The first aspect of data security is how data gets from the database to Flexmonster Pivot. Your back-end application is the only component that communicates with the database, which lets you block access to the database from outside completely. Flexmonster Data Compressor is embedded into this back-end application and compresses the data. The compressed response can be served at a URL or saved to a file. In both cases, Flexmonster Pivot requests the data from the back-end application rather than opening a direct database connection. The flowchart below describes the process:
Due to the same-origin policy, a browser by default allows only requests to the same origin. The Cross-Origin Resource Sharing (CORS) specification is the mechanism that lets web applications make cross-domain requests. Enabling CORS is a browser requirement, not something imposed by Flexmonster. Visit enable-cors.org to find out how to set up CORS on different types of servers.
Occasionally our customers ask whether it is possible to connect to the database directly. This feature is not supported in Flexmonster for security reasons. Connecting to a database requires a login and password. Since Flexmonster is a fully client-side component, a direct connection to the database would require storing the login and password in the browser and sending them in an insecure way. To avoid such a vulnerability, the connection to the database is made on the server side and the data is compressed via Flexmonster Data Compressor. As an additional perk, the Data Compressor increases data loading speed.
To protect the data, it is recommended to restrict all external access to the database. In this case, the database is reachable exclusively from the local server. This method increases security and protects against external threats:
Our Data Compressor is part of your back end, which gives you full control over data access management. It is possible to protect the data according to your business requirements. For example, define different user groups and grant access based on each group's permissions. Depending on the role, a user can have access to certain tables or fields only.
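One way to implement such a back-end access layer, covering both the CORS handling above and the per-role table and field restrictions, as an added Node.js example that is not Flexmonster's own Data Compressor code (the ALLOWED_ORIGIN, ROLE_POLICY, handleDataRequest names and the sample rows are assumptions constructed for this example):

```javascript
// Added example: role-based access in front of a back-end data endpoint.
// Assumed names (not Flexmonster's API): ALLOWED_ORIGIN, ROLE_POLICY, handleDataRequest.
const ALLOWED_ORIGIN = "https://app.example.com"; // origin that hosts Flexmonster Pivot

// Each role may read only the listed tables and, within them, the listed fields.
const ROLE_POLICY = {
  analyst: { sales: ["region", "product", "amount"] },
  manager: {
    sales: ["region", "product", "amount", "salesperson"],
    payroll: ["department", "headcount"],
  },
};

// Fields the role may read from a table, or null when the table is off limits.
function allowedFields(role, table) {
  const tables = ROLE_POLICY[role];
  if (!tables || !Object.prototype.hasOwnProperty.call(tables, table)) return null;
  return tables[table];
}

// Keep only permitted fields so a row never carries a column the policy does not list.
function projectRows(rows, fields) {
  return rows.map(row =>
    Object.fromEntries(fields.filter(f => f in row).map(f => [f, row[f]])));
}

// CORS: answer only the origin that hosts the pivot; any other origin gets no header.
function corsHeaders(requestOrigin) {
  return requestOrigin === ALLOWED_ORIGIN
    ? { "Access-Control-Allow-Origin": ALLOWED_ORIGIN, Vary: "Origin" }
    : {};
}

// Handler shape: the role comes from the server-side session, never from the client request.
// `rows` stands in for the database query result that would be passed to the compressor.
function handleDataRequest(session, table, rows, origin) {
  const fields = allowedFields(session.role, table);
  if (fields === null) return { status: 403, headers: corsHeaders(origin), body: null };
  return { status: 200, headers: corsHeaders(origin), body: projectRows(rows, fields) };
}

// Constructed sample rows; "cost" is in the table but in no role's field list.
const SAMPLE_SALES = [
  { region: "EU", product: "A", amount: 120, salesperson: "J. Doe", cost: 80 },
  { region: "US", product: "B", amount: 95, salesperson: "A. Roe", cost: 60 },
];
```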