Talk:Grails Secure Code Review Cheat Sheet

Revision as of 00:16, 2 January 2013 by Jmanico (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
  • HTML/Javascript/URL Encode stuff as appropriate (see Manico's

presentation on encoding properly for the context).

  • There are lots of built-in model validation constraints available to you

- use them. And not just "it must not be null" or "it must be less than 20 characters", but real format validation.

  • Use useToken on Forms
  • Do all the stuff listed in - it *really* is pretty good, including XSRF prevention, although I think the "Guessable ID's" section could use some fleshing out (make a map of the objects the user should be able to access, check against that, or don't send PK's at all - send keys into the map).