Extend Best Practice Advisor with Expanded Security Checks - Mendix Forum


The current Mendix Best Practice Advisor (BPA) already provides valuable guidance for improving performance, maintainability, and overall application quality. However, the BPA’s security‑related coverage is still relatively limited compared to the depth of analysis provided by third‑party scanning tools such as Menscan.io and MendixHunter.

Both tools detect a broader range of security vulnerabilities — many of which are directly relevant for Mendix development teams. Recently, these gaps have also been highlighted in a Dutch IT Channel article describing the importance of structured Mendix security scanning.

To further strengthen the Mendix Secure-by-Design philosophy and support development teams in building secure applications, it would be highly valuable if the BPA could be extended with additional, deeply technical security checks.

We cannot or will not always run these tests on our own environment, because of possible data leaks or sharing of sensitive information, so it is important that we can use such a scan on our own development environments.

Requested Enhancements:

Please extend the Best Practice Advisor with security checks that cover (including but not limited to):

Access Rule & Entity-Level Security Gaps:

- Entities without access rules

- Access rules granting overly broad permissions

- Missing XPath constraints where needed

Microflow & Nanoflow Security Weaknesses:

- Use of microflows without proper authorization checks

- Insecure use of “Allow all users” settings

- Missing checks on sensitive domain operations

Hardcoded Values & Credential Exposure:

- Hardcoded tokens, secrets, or URLs

- Potential leakage of sensitive information in log nodes

API & Integration Security Risks:

- Endpoints exposed without proper authentication

- Weak or missing input validation

- Inadequate error handling revealing implementation details

Client-Side Security Issues:

- Widgets or pages exposing sensitive data

- Insecure usage of nanoflows for restricted logic

General Secure Development Practices:

- Enforcing strong password policies where applicable

- Missing encryption or hashing on sensitive attributes

- Detection of known high‑risk anti‑patterns

- Using vulnerable jar files (from third parties)

Why this matters:

- Reduces reliance on external tools for basic security hygiene

- Helps developers spot issues earlier in the development lifecycle

- Strengthens Mendix’s low‑code security posture for enterprise environments

- Aligns with industry expectations highlighted in recent Dutch IT publications
