I am responsible for building web apps and tools for a project. We've decided to build with Web App Builder and have created custom widgets that require the apps to be hosted on premises.
Our clients do not have ArcGIS Server or Portal so we are building them a website through which they can access the web mapping applications that we have created (~6).
So far I have an nice Single Page Application built using Polymer Components with page.js and have created my own components for the image tiles that the user clicks on. When this happens page.js routes to a custom component that contains an iframe with src=the url to the downloaded WebApp Builder application on IIS.
The Web App Builder Application is using the DotNet proxy and resides on the same domain in the same website as the Polymer app.
Does this seem like a secure solution to you? If not, how else could I load the downloaded WAB application into my single page layout?
Am I even going in the right direction?