Secure by Design: Server Logic with Power Pages

Author: Calum Harrison

With AI it's never been more important that systems are Secure by Design.

In fact, Power Pages is the most vulnerable product within the Power Platform, because it is externally facing.

One of the ways to make sure that solutions are Secure by Design is to implement Server Logic.

This post is prompted by Microsoft releasing a new feature for implementing Server Logic. In this article we will address the following:

  • When to use it
  • Why you should use it
  • Use cases

Server Logic vs Client-side?

You have most likely already used both of these approaches elsewhere in the Power Platform:

  • Server: plugins, workflows and business rules
  • Client: JS web resources

When an action is performed on the server, the code is never sent to the end user, so they cannot read or manipulate it, whereas with client-side code the browser renders the content and everything in it is visible.

The golden rule for deciding which to use: if it needs to be secure, go with Server Logic.

Before Server Logic:

  • JS visible in browser
  • Secrets risk
  • CORS issues
  • Duplicate validation
  • Azure Function workaround

After Server Logic:

  • Code hidden server-side
  • Secure outbound integrations
  • Centralised rules
  • Cleaner architecture
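To make the "secrets risk" and "secure outbound integrations" points concrete, here is one outbound lookup written both ways. This is an added example, not code from the original post or from Microsoft: the upstream service, its URL, the SERVICE_API_KEY setting, the `config` object and the `{ status, body }` handler shape are all assumptions, and the external service is replaced by an in-file stub so nothing touches the network.

```javascript
// Added example (not from the original post): one outbound lookup written the
// "before" way (browser JS that has to carry the API key) and the "after" way
// (server logic that keeps the key server-side and returns only what the page
// needs). Upstream URL, SERVICE_API_KEY and the handler shape are assumptions.

const UPSTREAM_URL = "https://api.example.invalid/reference"; // assumed URL
const UPSTREAM_KEY = "service-key-123"; // constructed secret accepted by the stub

// Constructed stand-in for the external HTTP service (synchronous for clarity).
function callUpstream(url, headers) {
  if (headers.Authorization !== "Bearer " + UPSTREAM_KEY) {
    return { status: 401, json: { error: "unauthorised" } };
  }
  const ref = new URL(url).searchParams.get("ref");
  return { status: 200, json: { reference: ref, verified: true, internalScore: 87 } };
}

// BEFORE: client-side JS. The key has to be in the page's bundle, so every
// visitor can read it from the page source or developer tools and reuse it.
function clientSideLookup(ref) {
  const res = callUpstream(UPSTREAM_URL + "?ref=" + encodeURIComponent(ref),
    { Authorization: "Bearer " + "service-key-123" }); // literal key in shipped code
  return res.json; // the raw upstream payload lands in the browser as well
}

// AFTER: server logic. The key comes from server-side configuration (`config`
// stands in for however Power Pages exposes settings; assumption), the browser
// sends only the reference, and the reply is reduced to the one field needed.
function serverSideLookup(config, request) {
  const key = config.SERVICE_API_KEY;
  if (!key) return { status: 500, body: { error: "integration not configured" } };
  const ref = String(request.body.ref || "").trim().toUpperCase();
  if (!/^[A-Z0-9]{6,12}$/.test(ref)) {
    return { status: 400, body: { error: "invalid reference" } };
  }
  const res = callUpstream(UPSTREAM_URL + "?ref=" + encodeURIComponent(ref),
    { Authorization: "Bearer " + key });
  if (res.status !== 200) return { status: 502, body: { error: "upstream error" } };
  return { status: 200, body: { verified: res.json.verified } }; // no key, no internalScore
}

// Would this artefact, if shipped to the browser, contain the secret?
function containsSecret(artifact) {
  return JSON.stringify(artifact).includes(UPSTREAM_KEY);
}

// Usage: the client-side function's own source carries the key; the server
// logic's source and its response to the browser do not.
console.log(containsSecret(clientSideLookup.toString()));                 // true
console.log(containsSecret(serverSideLookup.toString()));                 // false
console.log(serverSideLookup({ SERVICE_API_KEY: UPSTREAM_KEY }, { body: { ref: "abc123" } }));
```

The check at the end is the one worth keeping in mind when reviewing a Power Pages site: anything a browser-side script needs in order to call an integration is, by definition, available to every visitor.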

Why you should consider Server Logic

Before this feature, you would use either Power Automate or something more complex such as an Azure Function. Now you can write vanilla JS that runs as server logic and accesses platform objects directly, which accelerates development.

Power Automate flows time out after a certain period, so this new feature makes solutions more resilient and easier to manage, with all the code in one place.

Use cases

For example, based on the postcode a visitor enters, we would use server logic to check whether the postcode is valid and then apply business rules to return whether our services are available in that district.

Another example would be verifying, as a security check, a PIN that was generated by Dataverse.


Server Logic isn’t the answer for everything. For standard CRUD operations, the Power Pages Web API may still be simpler. Use Server Logic when security, orchestration, secrets or server-side validation matter most.

The views and opinions expressed in this blog are my own and do not reflect the views or opinions of the company I work for.