Improving this guide
This is sort of a note-to-self, but I can’t put much more time into this guide for now. If you’d like to help improve this page, here are some places I think would be good to start (with full credit given, of course!)
Changes to the web-server method
jQuery.ajax()
https://security.stackexchange.com/questions/10825/is-this-jquery-ajax-call-vulnerable-to-xss
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
https://www.codeproject.com/Articles/1121259/How-to-make-secure-AJAX-call
https://stackoverflow.com/questions/37912937/how-to-send-secure-ajax-requests-with-php-and-jquery
https://owasp.org/www-project-top-ten/#tab=OWASP_Top_10_for_2013
https://www.phpcluster.com/5-steps-to-secure-ajax-php-call/
https://stackoverflow.com/questions/409496/prevent-direct-access-to-a-php-include-file
https://api.jquery.com/jquery.ajax/
https://www.jspsych.org/overview/data/#storing-data-permanently-as-a-file
PHP/.htaccess
Control for file size: http://www.mysql-apache-php.com/fileupload-security.htm
https://stackoverflow.com/questions/33999475/prevent-direct-url-access-to-php-file/33999539
https://thisinterestsme.com/prevent-direct-access-php-file/
https://www.liquidweb.com/kb/what-is-umask-and-how-to-use-it-effectively/
https://www.w3schools.com/js/js_json_php.asp
https://www.w3schools.com/php
https://webmasters.stackexchange.com/questions/13658/when-creating-a-website-what-permissions-and-directory-structure
https://serverfault.com/questions/357108/what-permissions-should-my-website-files-folders-have-on-a-linux-webserver
https://stackoverflow.com/questions/13421463/htaccess-access-control-allow-origin
https://stackoverflow.com/questions/5004233/jquery-ajax-post-example-with-php
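To make the links above concrete, here is a hardened version of the "write the POSTed jsPsych data to a file" PHP endpoint that the web-server method relies on. It is an added example, not this guide's own save script and not jsPsych's code. It assumes the client posts JSON of the form {"filedata": "..."} (the shape used on the jsPsych storing-data page linked above), that the experiment_data/ directory sits outside the web root, and a hypothetical experiment host name in ALLOWED_ORIGINS; change those to match your server.

```php
<?php
// save_data.php: hardened "write the POSTed jsPsych data to a file" endpoint.
// Added example for this guide, not jsPsych's own code. Assumptions: the client
// posts JSON {"filedata": "<csv or json string>"}; DATA_DIR is OUTSIDE the web
// root so saved files are not directly downloadable; the origin below is a
// placeholder for the real experiment host.

declare(strict_types=1);

const MAX_BYTES       = 2 * 1024 * 1024;                // 2 MB cap per submission
const DATA_DIR        = __DIR__ . '/../experiment_data'; // not under public_html (assumption)
const ALLOWED_ORIGINS = ['https://experiments.example.ac.uk']; // hypothetical host

function fail(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $msg;
    exit;
}

// 1. Only accept POST. A GET typed into the address bar gets a 405, which covers
//    the usual "prevent direct access to the PHP file" worry without .htaccess tricks.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'method not allowed');
}

// 2. Only accept requests from the page that hosts the experiment. Browsers set
//    Origin on cross-site POSTs; an absent Origin is tolerated (older same-origin
//    XHR), a foreign one is rejected. Non-browser clients can forge this header,
//    so it is a CSRF guard, not authentication.
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
if ($origin !== '' && !in_array($origin, ALLOWED_ORIGINS, true)) {
    fail(403, 'origin not allowed');
}

// 3. Refuse oversized bodies. Content-Length is only a hint, so the real check
//    is on the bytes actually read (we read at most MAX_BYTES + 1 to detect excess).
$declared = (int) ($_SERVER['CONTENT_LENGTH'] ?? 0);
if ($declared > MAX_BYTES) {
    fail(413, 'payload too large');
}
$raw = file_get_contents('php://input', false, null, 0, MAX_BYTES + 1);
if ($raw === false || strlen($raw) > MAX_BYTES) {
    fail(413, 'payload too large');
}

// 4. Must be JSON with the one field we expect; anything else is rejected.
$post = json_decode($raw, true);
if (!is_array($post) || !isset($post['filedata']) || !is_string($post['filedata'])) {
    fail(400, 'expected JSON {"filedata": "..."}');
}
$data = $post['filedata'];

// 5. The file name is generated server-side and never taken from the request, so a
//    participant cannot steer the write to a path like ../../public_html/index.php.
if (!is_dir(DATA_DIR) || !is_writable(DATA_DIR)) {
    fail(500, 'data directory not writable');
}
$name = DATA_DIR . '/session-' . bin2hex(random_bytes(8)) . '.csv';

// 6. Create the file readable by the web-server user only (umask is the other half
//    of the permissions story in the links above) and hold an exclusive lock so two
//    participants finishing at once cannot interleave writes.
$oldUmask = umask(0077);
$written  = file_put_contents($name, $data, LOCK_EX);
umask($oldUmask);
if ($written === false) {
    fail(500, 'could not save');
}

http_response_code(204); // saved; nothing to send back to the browser
```

The matching client call (jsPsych 6 style) is `$.ajax({url: 'save_data.php', method: 'POST', contentType: 'application/json', data: JSON.stringify({filedata: jsPsych.data.get().csv()})})`. The three properties worth keeping whatever else you change: the file name is chosen on the server, the data directory is not reachable by URL, and the request size is capped before the body is read, so a script hammering the endpoint cannot fill the disk.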
Working with Box instead of Dropbox (not working until IT services start authorising apps!)
Whilst the guide at https://kywch.github.io/jsPsych-in-Qualtrics/save-dropbox/ uses Dropbox, Sussex is subscribed to Box instead. As with the (outdated) guide for setting up a Dropbox app above, to do this we would want to create an app in Box. Sussex members can log in and create a new app here. This is a tutorial for setting up a Box app which does have mostly the correct settings for our purposes. If you navigate to the bottom of your Box account settings, you will see that the admin contact is sgw21@sussex.ac.uk - the address of someone who has since left the university. Perhaps for this reason (and this issue may have been fixed by now) Box apps aren’t being authorised at the moment - I have contacted the IT service desk about this and will update the article when I hear back from them. Useful resources for going down this route will be the Node.js SDK, the JavaScript SDK for Box, the Qualtrics JavaScript API class, and information on application scopes.
MySQL (not working but a future possibility)
This is the option suggested by the jsPsych website here. The university may have the ability to give us a MySQL space on their server, although IT services didn’t reply to my request to get one set up. Security can be tricky here too: you would need to guard against SQL injection, where text sent by a participant (or by anyone who finds the endpoint) is pasted into the query string and ends up being run as SQL, so a single quote in a "subject ID" can turn an INSERT into a DROP TABLE. The standard defence is to send the query with placeholders and bind the values separately (prepared statements, which PHP's PDO supports), and to validate the shape of the submitted data before it gets anywhere near the database.
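As an added example of that point (not code from jsPsych or from this guide's server setup), the vulnerable string-built INSERT beside its prepared-statement replacement. It assumes a hypothetical table trials(subject_id VARCHAR(64), trial_data JSON) and placeholder DSN, user and password for the university MySQL account; the two sample rows are constructed, the second being what a hostile participant might post.

```php
<?php
// SQL injection: vulnerable concatenation vs PDO prepared statement.
// Added example for the MySQL option; assumes a table
// trials(subject_id VARCHAR(64), trial_data JSON) and placeholder credentials.

declare(strict_types=1);

// Constructed sample rows in the shape the experiment page would post.
$benign  = ['subject_id' => 'p001', 'trial_data' => '{"rt":512}'];
$hostile = ['subject_id' => "x'); DROP TABLE trials; -- ", 'trial_data' => '{}'];

// VULNERABLE: the submitted value is spliced into the SQL text, so the quote in
// $hostile['subject_id'] closes the string literal and what follows becomes SQL.
function buildQueryUnsafe(array $row): string {
    return "INSERT INTO trials (subject_id, trial_data) VALUES ('"
        . $row['subject_id'] . "', '" . $row['trial_data'] . "')";
}

// SAFE: the SQL text is fixed and sent to MySQL first; the values are bound
// afterwards and can never alter the statement's structure, whatever they contain.
function insertTrial(PDO $db, array $row): bool {
    $stmt = $db->prepare(
        'INSERT INTO trials (subject_id, trial_data) VALUES (:sid, :data)'
    );
    return $stmt->execute([
        ':sid'  => $row['subject_id'],
        ':data' => $row['trial_data'],
    ]);
}

// Shape validation on top of binding: subject IDs are short alphanumerics and the
// trial data must at least parse as JSON. Rejecting garbage early keeps the
// database clean even though binding alone already stops injection.
function validRow(array $row): bool {
    return isset($row['subject_id'], $row['trial_data'])
        && is_string($row['subject_id'])
        && is_string($row['trial_data'])
        && preg_match('/^[A-Za-z0-9_-]{1,64}$/', $row['subject_id']) === 1
        && json_decode($row['trial_data']) !== null;
}

// Show the reader what the unsafe builder would have sent for the hostile row.
echo buildQueryUnsafe($hostile), PHP_EOL;

// Placeholder connection details (assumption): swap in the real DSN/user/password.
$db = new PDO(
    'mysql:host=localhost;dbname=experiment;charset=utf8mb4',
    'exp_user',
    'replace-me',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
    ]
);

foreach ([$benign, $hostile] as $row) {
    if (!validRow($row)) {
        continue; // the hostile row never reaches the database
    }
    insertTrial($db, $row);
}
```

Printing buildQueryUnsafe($hostile) shows the quote from the subject ID closing the VALUES literal, after which the participant's text is part of the statement. With insertTrial the same value is stored verbatim as a 28-character subject ID and nothing else happens; with validRow in front of it, it is not stored at all. Turning off PDO::ATTR_EMULATE_PREPARES matters: with emulation on, PDO quotes the values client-side and splices them in itself, which is usually fine but is not the same guarantee as a server-side prepare.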