This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Talk:Grails Secure Code Review Cheat Sheet"

From OWASP
Jump to: navigation, search
(Created page with "* HTML/Javascript/URL Encode stuff as appropriate (see Manico's presentation on encoding properly for the context). * There are lots of built-in model validation constraints a...")
 
(No difference)

Latest revision as of 06:16, 2 January 2013

  • HTML/Javascript/URL Encode stuff as appropriate (see Manico's

presentation on encoding properly for the context).

  • There are lots of built-in model validation constraints available to you

- use them. And not just "it must not be null" or "it must be less than 20 characters", but real format validation.

  • Use useToken on Forms
  • Do all the stuff listed in

http://grails.org/doc/latest/guide/single.html#security - it *really* is pretty good, including XSRF prevention, although I think the "Guessable ID's" section could use some fleshing out (make a map of the objects the user should be able to access, check against that, or don't send PK's at all - send keys into the map).

Retrieved from "https://wiki.owasp.org/index.php?title=Talk:Grails_Secure_Code_Review_Cheat_Sheet&oldid=141654"