This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

ESAPI Filters

Revision as of 14:47, 11 December 2008 by Arshan (talk | contribs) (refactored)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Feature Overview

ESAPI currently employs filters to accomplish a number of security features, including authentication and CSRF protection. However, the idea was broached that an ESAPI filter could be established to perform other security functions.

Possible Enhancements


One of the core ideas was introducing a filter that optionally performs virtual patching and other capability typically found in commercial and open source web application firewalls. While the goal of ESAPI wouldn't be to compete directly with any projects dedicated to WAF functionality, it could still perform many important WAF types of functions without a large amount of code introduced.

Customers who have automated penetrate-and-patch operations could optimize their use of ESAPI with this functionality. Although the filter itself would be relatively small, there will need to be a web application to manage its rules that will require more work.

  • See the Session Management section for new, smarter, CSRF capabilities that may be introduced by a filter