OutSystems Security Best Practices: Preventing CSRF, XSS, and SQL Injection

In Service Studio, open any screen in the **Interface tab**. Click **Find** (Ctrl+F) → search for `Escape Content` with value `No`. Review every result. The **Expression** widget's `Escape Content` property defaults to **Yes**, which automatically HTML-encodes output and prevents XSS. Setting it to No is only justified when you are intentionally rendering HTML markup from a trusted source. **When to use Escape Content = No (rarely):** - Rendering sanitized HTML from a CMS that has already stripped dangerous tags - Displaying formatted rich text stored in your database that was sanitized on input **When it is dangerous:** - Displaying any user-supplied text input - Rendering values from external APIs - Showing database content that was not sanitized on write For every Escape Content = No instance, either change it back to Yes or add explicit `EncodeHtml()` wrapping for the unsafe parts.

1/* SAFE: Expression widget with Escape Content = Yes (default) */
2/* No extra code needed — OutSystems escapes automatically */
3Customer.Name  /* Will render as: John & Jane */
4
5/* UNSAFE: Escape Content = No without manual encoding */
6Customer.Name  /* Renders raw HTML — XSS risk if name contains <script> */
7
8/* SAFE: Escape Content = No with manual encoding when HTML is intentional */
9/* Use only when you WANT to render some HTML but encode user content: */
10"<b>" + EncodeHtml(Customer.Name) + "</b>: " + SanitizedHTMLContent
11
12/* Other encoding functions for specific contexts */
13EncodeUrl(UserInput)         /* For URL parameters */
14EncodeJavaScript(UserInput)  /* For values in JavaScript strings */

The most dangerous OutSystems security configuration is **Expand Inline = Yes** on SQL query parameters. It concatenates the value directly into the SQL string, bypassing parameterization and enabling SQL injection. To audit: In Service Studio, use **Ctrl+F** → search for `Expand Inline` with value `Yes` across your entire module. For each instance: 1. Double-click to navigate to the SQL element 2. Review why Expand Inline was used 3. If it's for a dynamic column name or table name — this is a legitimate use case but must use `EncodeSql()` 4. If it's for a value comparison — this is almost certainly wrong and should be parameterized instead TrueChange shows a yellow SQL Injection Warning for Expand Inline = Yes. These warnings MUST be reviewed; they are not safe to ignore.

1/* UNSAFE: String concatenation with Expand Inline = Yes */
2/* SQL Parameter: SearchTerm, Expand Inline = Yes */
3SELECT {Product}.[Name]
4FROM {Product}
5WHERE {Product}.[Name] LIKE '%@SearchTerm%'
6/* If SearchTerm = "'; DROP TABLE Product;--" → SQL injection */
7
8
9/* SAFE: Parameterized (Expand Inline = No, the default) */
10/* SQL Parameter: SearchTerm, Expand Inline = No */
11SELECT {Product}.[Name]
12FROM {Product}
13WHERE {Product}.[Name] LIKE '%' + @SearchTerm + '%'
14/* Value is bound as a parameter — no injection possible */
15
16
17/* LEGITIMATE Expand Inline = Yes use case: dynamic IN clause */
18/* SQL Parameter: IdList, Expand Inline = Yes */
19/* Expression feeding IdList: BuildSafe_InClauseIntegerList(SelectedIds) */
20SELECT {Product}.[Name]
21FROM {Product}
22WHERE {Product}.[Id] IN (@IdList)
23/* BuildSafe_InClauseIntegerList() validates and formats: "1,2,3" — safe */
24
25
26/* LEGITIMATE use with EncodeSql for dynamic text */
27/* Expression feeding DynamicValue: EncodeSql(UserInput) */
28SELECT {Product}.[Name]
29FROM {Product}
30WHERE {Product}.[Name] = '@DynamicValue'
31/* EncodeSql escapes single quotes: O'Brien → O''Brien */

**Traditional Web (O11):** CSRF protection is automatic via the hidden `__OSVSTATE` field embedded in every form. Ensure: - No forms use GET method for state-changing operations - The `__OSVSTATE` field is not stripped by custom HTML or JavaScript - JavaScript-driven AJAX calls include the viewstate token **Reactive Web (O11 and ODC):** CSRF protection works differently — Reactive apps use stateless HTTP calls. Protection is provided via: - **HTTPS**: All communication must be HTTPS (prevents token theft) - **SameSite cookie attribute**: OutSystems sets session cookies with SameSite=Lax by default - **Custom API endpoints**: For exposed REST APIs, implement token validation in the OnAuthentication callback Verify HTTPS is enforced: In Service Center → Factory → Modules → [your module] → check that there is no HTTP fallback. The server-level IIS should redirect HTTP → HTTPS.

1/* For exposed REST APIs — validate request origin in OnAuthentication */
2/* Logic tab → Integrations → [Your REST API] → OnAuthentication */
3
4Start
5→ GetRequestHeader
6     HeaderName = "X-API-Key"
7→ GetAPIKeyRecord  /* Aggregate: filter APIKey.Value = GetRequestHeader.Value */
8→ If GetAPIKeyRecord.List.Empty
9   [True]
10   → Raise Exception
11        Exception = User Exception
12        Message = "Unauthorized: Invalid or missing API key"
13→ End  /* [False] — valid key, request proceeds */
14
15/* For JWT-protected endpoints */
16/* Use JWT Forge component + validate in OnAuthentication */
17/* ValidateJWT action from JWT component */
18Start
19→ GetRequestHeader (HeaderName = "Authorization")
20→ If Index(GetRequestHeader.Value, "Bearer ", 0) <> 0
21   [True] → Raise Exception (Unauthorized)
22→ ValidateJWT
23     Token = Substr(GetRequestHeader.Value, 7, Length(GetRequestHeader.Value))
24→ End

Beyond framework-level protections, implement defense-in-depth with explicit validation: **Server-side input validation** (in Server Actions): - Validate lengths: `Length(Trim(UserInput)) > 0 And Length(UserInput) <= 255` - Validate email format: use Email data type on the entity attribute (auto-validated) - Validate numeric ranges: `Amount >= 0 And Amount <= 1000000` - Reject control characters: use `Replace()` to strip `Chr(0)` through `Chr(31)` from free-text inputs before storing **File upload security** (if using Upload widget): - Validate file extension: `Index(ToLower(FileName), ".exe") = -1 And Index(ToLower(FileName), ".php") = -1` - Validate MIME type via the file header bytes, not just the extension - Store uploaded files as Binary Data in database — never write to the server filesystem - Enforce MaxFileSize on the Upload widget (in bytes: 10485760 = 10MB) **Output encoding**: - Use `EncodeUrl()` for all user-supplied values added to URLs - Use `EncodeJavaScript()` for values injected into JavaScript strings in JavaScript nodes

1/* Input validation expressions — use in If widgets or Server Actions */
2
3/* Validate non-empty trimmed text with max length */
4Length(Trim(UserInput)) > 0 And Length(UserInput) <= 500
5
6/* Validate positive integer in range */
7Quantity > 0 And Quantity <= 9999
8
9/* Validate file extension (allow only PDF and images) */
10Index(ToLower(FileName), ".pdf") >= 0
11Or Index(ToLower(FileName), ".jpg") >= 0
12Or Index(ToLower(FileName), ".png") >= 0
13
14/* Strip dangerous characters from free text */
15Replace(Replace(UserInput, Chr(60), ""), Chr(62), "")  /* Remove < > */
16
17/* URL-encode user values used in links */
18"/products/search?q=" + EncodeUrl(SearchTerm)
19
20/* Safe JavaScript injection */
21/* In JavaScript node: */
22/* var userName = " + EncodeJavaScript(UserName) + "; */

AI Mentor Studio provides automated taint analysis across your entire O11 or ODC codebase — it traces user-supplied data from input points to output/storage points and flags unprotected paths. **To run in O11:** Open your browser → navigate to AI Mentor Studio (your environment URL + `/AIAdvisor`). Click **Infrastructure** → select your module(s) → click **Analyze Now**. In the **Security** category, look for: - **SQL Injection** findings (Expand Inline with user input) - **XSS** findings (Escape Content = No with user input) - **Exposed Secrets** (API keys or passwords in Site Properties with default values visible) - **Insecure Direct Object References** (screens accessible without role checks) For each finding: click the item → Service Studio opens at the exact location. Fix the issue, republish, and re-run the analysis. **ODC:** AI Mentor Studio is integrated into ODC Portal → App Security. It also includes a **1-Click Patch** feature for certain vulnerability types.

OutSystems does not configure all recommended security headers by default. Add these in your IIS or load balancer configuration (O11) or via OutSystems environment settings. **For O11 via Service Center:** Go to Service Center → Factory → Modules → [your module] → Properties. You cannot add headers here — headers must be added at the IIS level. For IIS-level headers (server team task), ensure these are configured: - `Strict-Transport-Security: max-age=31536000; includeSubDomains` (HSTS) - `X-Content-Type-Options: nosniff` - `X-Frame-Options: SAMEORIGIN` (prevents clickjacking) - `Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'` (review OutSystems' inline script requirements) - `Referrer-Policy: strict-origin-when-cross-origin` **Alternative for application-level headers:** Use an OnBeforeResponse callback on an exposed REST API, or use a JavaScript node to set `<meta>` equivalent headers for SPA contexts.

1/* HTTP Security Headers reference for IIS web.config */
2/* Add to system.webServer → httpProtocol → customHeaders */
3
4/*
5<add name="Strict-Transport-Security"
6     value="max-age=31536000; includeSubDomains" />
7<add name="X-Content-Type-Options" value="nosniff" />
8<add name="X-Frame-Options" value="SAMEORIGIN" />
9<add name="Referrer-Policy" value="strict-origin-when-cross-origin" />
10*/
11
12/* OutSystems already sets: */
13/* X-XSS-Protection: 1; mode=block */
14/* Content-Type with correct charset */
15
16/* CSP must be tested carefully — OutSystems uses */
17/* inline scripts and eval() in generated code */
18/* Start with report-only mode: */
19/*
20<add name="Content-Security-Policy-Report-Only"
21     value="default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; report-uri /csp-report" />
22*/