David Crawford · Nov 7, 2019

Depending on how your column is set up, you may have a couple options. If what you're returning is pretty simple, you could embed javascript into the layout editor code view to access the dom of the other columns values you want to check. Another option which is easier to maintain and control, and is closer to what you mentioned is adding a transformation which calls out to an ObjectScript class function. From there you can access the context of whatever data you're pulling and check the values right there, and return whatever you want in your column.

David Crawford · Sep 18, 2019

It's the zero point for MUMPS based languages. It shows that way if your session has no timeout. From James Poitras on why:

"When I decided on specifications for the date routine, I remembered reading of the oldest (one of the oldest?) U.S. citizen, a Civil War veteran, who was 121 years old at the time. Since I wanted to be able to represent dates in a Julian-type form so that age could be easily calculated and to be able to represent any birth date in the numeric range selected, I decided that a starting date in the early 1840s would be ‘safe.’ Since my algorithm worked most logically when every fourth year was a leap year, the first year was taken as 1841. The zero point was then December 31, 1840."

Taken from http://www.faqs.org/faqs/m-technology-faq/part1/

David Crawford · Aug 1, 2019

Checking for the existence of a custom header, as I mentioned, is a good baseline because a browser cannot be coerced into setting one in these requests. But you're right that this isn't the OWASP recommendation, because it isn't proactive like the token method and is restricted to rest calls. The example I have is definitely not comprehensive, but due to the lack of support for these vulnerabilities I was wanting to discuss this.

David Crawford · Aug 1, 2019

Not technically. CORS exists to prevent certain responses from being read by another origin, and while a CSRF attack comes from another origin, there is a percentage of cases where the origin/referer is not included or is complex to identify correctly (the server is being indirectly accessed via proxy or some type of F5 config). See "Identifying the Target Origin" here which mentions how token based is preferred due to the work required in the long run, and how using origin/referer isn't 100% reliable:

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

A good CORS policy helps considerably though and I'd say is necessary. Just like how https doesn't directly stop CSRF, but it certainly assists in other areas that help mitigate these vulnerabilities.
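As an added illustration of the two checks discussed in this thread (not code from the original post), the functions below evaluate a request's headers for the custom-header baseline and for an Origin/Referer match, including the case where no source origin reaches the server. The header name, allowed origin and sample requests are constructed assumptions.

```python
"""Constructed example: CSRF gate checks on request headers.

custom_header_present(): the baseline from the thread. Cross-site form
posts and <img>/<script> loads cannot carry a custom header, and a
cross-origin fetch/XHR would need a CORS preflight the server does not
approve. It only covers API (fetch/XHR) calls, not plain form posts.

origin_matches(): the Origin/Referer check the thread compares it with.
It is undecidable when neither header is present (proxy, privacy
settings), which is the gap the thread points out.
"""
from typing import Optional
from urllib.parse import urlsplit

CSRF_HEADER = "X-Requested-With"                 # assumed header name
ALLOWED_ORIGINS = {"https://app.example.test"}   # constructed value


def _lower(headers: dict) -> dict:
    """Header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def custom_header_present(headers: dict) -> bool:
    """Baseline check: the request carries the custom header."""
    return bool(_lower(headers).get(CSRF_HEADER.lower()))


def origin_matches(headers: dict) -> Optional[bool]:
    """True/False when a source origin is present; None when neither
    Origin nor a usable Referer is available, so the caller can decide
    how to treat the indeterminate case rather than failing open."""
    h = _lower(headers)
    src = h.get("origin")
    if not src and h.get("referer"):
        p = urlsplit(h["referer"])
        src = f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else None
    if not src or src == "null":
        return None
    return src in ALLOWED_ORIGINS


def accept(headers: dict) -> bool:
    """Defence in depth: require the custom header, and additionally
    reject when an origin is present and does not match. A missing
    origin alone does not decide the outcome, so the gate still works
    for clients behind a proxy that strips Origin/Referer."""
    if not custom_header_present(headers):
        return False
    return origin_matches(headers) is not False
```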

David Crawford · Jul 31, 2019

I got it working, just needed some dumb troubleshooting and a terminal restart. Cut me some slack! I've never done a code golf before

David Crawford · Jul 31, 2019

This is really cool! But the output from this has the integers next to the strings. For example shouldn't:

FizzBuzz90

Instead be:

FizzBuzz

David Crawford · Jul 31, 2019

67 bytes raw

f i=1:1:100 w $s(i#15=0:"FizzBuzz",i#3=0:"Fizz",i#5=0:"Buzz",1:i),!

David Crawford · Jul 29, 2019

Fantastic! Thank you for looking at the speed, those changes do help. I guess I thought metadata was retrieved on a row basis, but no!

David Crawford · Jul 29, 2019

Yes, as much as I'd like to use that method, my queries can get very complicated and it never worked the way I needed it to, and I didn't want to spend the majority of my time working on query syntax. There's a lot of people who write normal queries that I work with as well, who would need to update a ton of sql!

David Crawford · Jul 23, 2019

Something to note, if you delete the repo, the pull request will show up as "unknown repository" and any history attached to that repo will be lost. Also any references to it will of course be broken. But deleting the branch is encouraged by github and won't break any references. For me, I don't like broken links and references, but of course there's the argument of wanting a clean profile instead of 1000 old forked repos :)

David Crawford · Jul 15, 2019

It's serving static files. I like that it's easy to manipulate how the server sends CSP, such as manipulating custom headers or session information right out the gate. But I also have a lot of non-csp resources that are served that I'd like to know more about how the server handles them. Do they go through the CSP logic? How are they served from server to client?

David Crawford · May 8, 2019

Thanks for the insight, there must be some nuance with this table's integer fields. I linked another table and I can query an integer field with a large number, not just id, and they all have the same property definitions. This must be a problem specifically with the one table, although I wonder why id works fine on another linked table if it's projected through xDBC as integer.

David Crawford · May 2, 2019

I prefer objects as well especially when the amount of optionals are getting too large. I think when you start adding more and more optionals then it's time for a rethinking of what the function is really trying to accomplish.

David Crawford · Jul 10, 2018

Are you wrapping your expression in quotes? This indicates that Matches only accepts strings as the pattern. If that doesn't work I'm really not sure what the issue is, and I would try to pass your values to a custom function where you can examine what's really going on, and see if you can replicate the problem. This is essentially what Jeffrey Drumm was suggesting.

David Crawford · Jul 10, 2018

Have you been able to reproduce this in essentially an empty delegated web app? If it works there then we know it's probably just a logic problem with your code.

The next thing I would try for nailing down the culprit is looking at where the 401 is generated. %CSP.Rest on its own contains two functions that output 401 errors, Page and Login. I'm brainstorming now, but if it's coming from Page, I'd think your logic is trying to load something after being logged out (a login page it can't find maybe?), and if it's from Login, that'd be odd to me but probably something in your logic trying to immediately log back in with empty or bad credentials.

If you're able to see those 401 calls being fired in the rest class, try overriding the functions and capturing more information from them to see what's really going on and why they're being called with improper authentication.

David Crawford · Jul 10, 2018

Oops! Sorry I forgot it was for a rule. Also edited for redundancy as I see there's more comments now. Does the visual expression editor give any indication of failure?

David Crawford · Jul 10, 2018

I use a similar setup with some projects, albeit not with delegation. But appending the param to my url has never given me 401 messages. What kind of permissions do you have setup for your web app? If you manually insert this param at any point in the app, does it always give 401? Are you still redirected to your login page? Where are you capturing the 401, or is it sent on its own?

David Crawford · Jul 10, 2018

What do you mean you're not having luck? For example, what happens when you call on the $match or $locate functions on your field? I can make regex on your three examples without issue for simple strings, like below which works:

$locate("123dsd534","[a-z]")

David Crawford · Jul 9, 2018

I've never seen anything like that in the docs before, just working with either regex or the pattern match operator. To get what you're looking for you may very well have to make those extra calls. Alternatively a cool project would be to make your own converter.  That'd be pretty interesting to do,  but before I'd look into it I'd like to make sure there isn't some function out there I've never heard of in Cache that does it. It never ceases to amaze me how many obscure functions exist out there for Cache that I have yet to discover.

David Crawford · Jun 22, 2018

Hey, I think these are still glitched for me. The commenter and question posting badges and also the corresponding challenges are never unlocking for me, after over a week of activity.