Security Features
Unlike some low-level frameworks, Seaside offers built-in protection against many common web application vulnerabilities.
This page describes how Seaside protects your web application against each of the common attacks below, and which features you still have to use correctly.
Session fixation is not possible, because a client-supplied session id is ignored when no matching session is found: Seaside never adopts an unknown id but starts a fresh session under a server-generated key. Review the implementors of #noHandlerFoundForKey:in:context: to see this behaviour.
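The lookup rule above, as an added example in Pharo Smalltalk (methods written as `Class >> selector`). This is a toy registry written for this page, not Seaside's WARegistry or any other Seaside code; the class name, the package name and the use of UUID as key generator are assumptions made for the illustration:

```smalltalk
"Added example: a toy registry that never adopts a client-supplied key.
 Not Seaside code; Seaside's real registry is WARegistry."
Object subclass: #ToyRegistry
	instanceVariableNames: 'sessions'
	classVariableNames: ''
	package: 'SecurityExamples'

ToyRegistry >> initialize
	super initialize.
	sessions := Dictionary new

ToyRegistry >> newKey
	"A fresh, unguessable, server-chosen key (UUID is enough for the illustration)."
	^ UUID new asString

ToyRegistry >> newSession
	"A session is modelled as  key -> data  for the illustration."
	| key |
	key := self newKey.
	^ sessions at: key put: key -> Dictionary new

ToyRegistry >> handleKey: clientKey
	"The key from the request is only a lookup key. When nothing matches it
	 is ignored and a new session under a server-chosen key is started.
	 The session fixation bug would be
	     sessions at: clientKey ifAbsentPut: [ ... ]
	 which registers a session under whatever key the attacker planted."
	^ sessions at: clientKey ifAbsent: [ self newSession ]
```

Evaluated in a playground, `(ToyRegistry new handleKey: 'planted-by-attacker') key` is a UUID string rather than `'planted-by-attacker'`, so the attacker who planted that id before the victim logged in holds no key to the victim's session; a second `handleKey:` with the returned key does find the same session.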
The Seaside rendering engine, the render canvas, escapes all output by default: text and attribute values pass through the HTML encoder, so it adopts a safe-by-default policy against cross-site scripting. Rendering a value without escaping requires a deliberate call to #html:. Such places can easily be found and audited by looking at all the senders of #html:.
Further information:
- http://www.owasp.org/index.php/XSS
- http://en.wikipedia.org/wiki/Cross-site_scripting
- http://wonko.com/post/html-escaping
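The escaped and unescaped paths side by side, as an added example in Pharo Smalltalk (not code from the Seaside wiki or the Seaside project). The component name and package are made up; the check at the end uses `WAHtmlCanvas builder render:`, the helper Seaside's own tests use to render markup outside a request, and assumes it is available in your image:

```smalltalk
"Added example, not Seaside code: a component rendering a user-controlled string."
WAComponent subclass: #GreetingView
	instanceVariableNames: 'name'
	classVariableNames: ''
	package: 'SecurityExamples'

GreetingView >> name: aString
	name := aString

GreetingView >> renderContentOn: html
	"#text: and tag contents go through the canvas encoder, so a name of
	 '<script>alert(1)</script>' reaches the browser as inert text."
	html paragraph: [
		html text: 'Hello, '.
		html strong: name ].
	"Attribute values are encoded as well: a quote inside name cannot close
	 the value attribute and inject a new attribute or tag."
	html textInput value: name.
	"#html: bypasses the encoder. Keep it for markup you wrote yourself,
	 never for user input; every sender of #html: is a place to audit."
	html html: '<hr/>'

"Check in a playground. The builder renders a block outside a request:"
| payload escaped raw |
payload := '<script>alert(1)</script>'.   "constructed attacker input"
escaped := WAHtmlCanvas builder render: [ :html | html text: payload ].
raw := WAHtmlCanvas builder render: [ :html | html html: payload ].
self assert: (escaped includesSubstring: '<script>') not.
self assert: (raw includesSubstring: '<script>')
```

The two assertions are the audit in miniature: anything that reaches the output through `text:`, `render:` or a tag's contents is inert, and the only way to get the raw payload onto the page is the `html:` call that a search for senders of #html: will find.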
Seaside uses a capability-based security model against cross-site request forgery: only handles to actions, never the actions themselves, are handed to the client. Each handle is bound to a state snapshot (a continuation) that is identified by a random key, and that key acts like a CSRF token: a request from another origin cannot guess it, so a forged request does not reach the callback.
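A state-changing action exposed only through a callback, as an added example in Pharo Smalltalk (not code from the Seaside wiki or project; the class, package and the withdraw amount are made up):

```smalltalk
"Added example, not Seaside code: the action exists only as a callback."
WAComponent subclass: #AccountPanel
	instanceVariableNames: 'balance'
	classVariableNames: ''
	package: 'SecurityExamples'

AccountPanel >> initialize
	super initialize.
	balance := 500   "constructed sample state"

AccountPanel >> withdraw: anAmount
	balance := balance - anAmount

AccountPanel >> renderContentOn: html
	html paragraph: [ html text: 'Balance: ', balance printString ].
	"There is no fixed URL for 'withdraw'. Seaside registers the block and
	 emits a form whose action carries the session key (_s), the random
	 continuation key (_k) and a callback number. A page on another origin
	 does not know _k, so a request it forges is not matched to the block
	 and the balance does not change."
	html form: [
		html submitButton
			callback: [ self withdraw: 100 ];
			text: 'Withdraw 100' ]
```

Two practical consequences of the capability model: the keys are only as secret as the page that contains them, so a leaked URL leaks the capability until the session expires; and only actions reached through callbacks get this protection, while a handler that mutates state based on a plain URL or on request fields you read yourself is outside the model and needs its own token.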
HTTP response splitting is an attack that gives an attacker control over response headers and the body by injecting a value containing CR or LF characters into a header, typically through a redirect target taken from the request. Seaside does not allow CR or LF in header values, which HTTP itself forbids, so such a value is rejected instead of being written to the wire.
Further information:
- http://www.owasp.org/index.php/Response_Splitting
- http://en.wikipedia.org/wiki/HTTP_response_splitting
- http://nealpoole.com/blog/2011/01/http-response-splitting-on-reddit-com/
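The payload and the rule, as an added example in Pharo Smalltalk that can be evaluated in a playground. The check is written here to illustrate the rule the paragraph describes; it is not Seaside's own header code, and the attacker input is constructed for the example:

```smalltalk
"Added example, not Seaside code: what a split response looks like and the
 check that refuses it."
| crlf attackerTarget naiveResponse checkHeaderValue |
crlf := String crlf.
"Constructed attacker input: a 'next page' parameter that smuggles a header
 and a complete second body into a redirect."
attackerTarget := 'https://example.com/', crlf,
	'Set-Cookie: session=attacker', crlf, crlf,
	'<html>attacker-controlled page</html>'.
"What a framework that concatenates header values verbatim would write:
 the CRLFs end the Location header and then the header block, so the
 client sees the injected cookie as a header and the rest as a body."
naiveResponse := 'HTTP/1.1 302 Found', crlf,
	'Location: ', attackerTarget, crlf, crlf.
self assert: (naiveResponse lines includes: 'Set-Cookie: session=attacker').
"The rule: no CR or LF anywhere in a header value. Refusing the value is
 safer than stripping the characters, since a stripped value is still not
 what the application meant to send."
checkHeaderValue := [ :value |
	(value includesAny: crlf)
		ifTrue: [ Error signal: 'CR or LF in HTTP header value' ].
	value ].
self assert: (checkHeaderValue value: 'https://example.com/') = 'https://example.com/'.
self assert: ([ checkHeaderValue value: attackerTarget. false ]
	on: Error
	do: [ :e | true ])
```

The place to look for this class of input in a Seaside application is every redirect or custom header whose value comes from a request field; with the rule enforced, such a value raises an error in the application rather than producing a second response.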
In addition to the protections against the attacks above, Seaside offers the following security-related features:
- protection against hash collisions (denial of service through colliding request field names)
- limits on request headers and request body size
- Boolean readFrom: