Talk:Grails Secure Code Review Cheat Sheet

From OWASP
Jump to: navigation, search
  • HTML/Javascript/URL Encode stuff as appropriate (see Manico's

presentation on encoding properly for the context).

  • There are lots of built-in model validation constraints available to you

- use them. And not just "it must not be null" or "it must be less than 20 characters", but real format validation.

  • Use useToken on Forms
  • Do all the stuff listed in

http://grails.org/doc/latest/guide/single.html#security - it *really* is pretty good, including XSRF prevention, although I think the "Guessable ID's" section could use some fleshing out (make a map of the objects the user should be able to access, check against that, or don't send PK's at all - send keys into the map).