Gridviewer Security
The intention is to establish a general list of security checkpoints to ensure that pre-production releases of the gridviewer carry minimal vulnerabilities. It is important to remember that security is an evolving challenge that requires constant attention and education.
- Request Parameters:
  - Must be escaped; the ideal method is a JSTL tag such as <c:out value="${param.name}" />. The tag sets escapeXml="true" by default, so the attribute does not need to be given explicitly.
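A pre-release check for this item, written here as an added example (it is not part of the gridviewer code): scan JSP source for request parameters that reach the output without passing through <c:out>, and for <c:out> tags that switch escaping off. The sample JSP is constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Flags request parameters printed without JSTL escaping. Added example, not gridviewer code. */
public class UnescapedParamScanner {

    // Output constructs that emit a parameter verbatim (no XML escaping).
    private static final Pattern RAW_SCRIPTLET =
        Pattern.compile("<%=\\s*request\\.getParameter\\s*\\(");
    private static final Pattern RAW_EL = Pattern.compile("\\$\\{\\s*param\\.");
    // <c:out> tags are the sanctioned path, unless escaping has been turned off.
    private static final Pattern C_OUT = Pattern.compile("<c:out\\b[^>]*>");
    private static final Pattern ESCAPE_OFF = Pattern.compile("escapeXml\\s*=\\s*[\"']false[\"']");

    /** Returns one human-readable finding per unsafe output site, with its JSP line number. */
    public static List<String> scan(String jspSource) {
        List<String> findings = new ArrayList<>();
        // 1. Report <c:out> tags with escapeXml="false", then blank every <c:out> tag
        //    (keeping newlines) so the parameters inside them are not re-counted in step 2.
        StringBuilder masked = new StringBuilder();
        Matcher m = C_OUT.matcher(jspSource);
        int last = 0;
        while (m.find()) {
            String tag = m.group();
            if (ESCAPE_OFF.matcher(tag).find()) {
                findings.add("line " + lineOf(jspSource, m.start()) + ": <c:out> with escapeXml=\"false\"");
            }
            masked.append(jspSource, last, m.start()).append(tag.replaceAll("[^\n]", " "));
            last = m.end();
        }
        masked.append(jspSource.substring(last));
        // 2. Whatever still prints a parameter directly is unescaped output.
        String[] lines = masked.toString().split("\n", -1);
        for (int i = 0; i < lines.length; i++) {
            if (RAW_SCRIPTLET.matcher(lines[i]).find())
                findings.add("line " + (i + 1) + ": scriptlet prints request.getParameter() unescaped");
            if (RAW_EL.matcher(lines[i]).find())
                findings.add("line " + (i + 1) + ": EL ${param...} printed outside <c:out>");
        }
        return findings;
    }

    private static int lineOf(String s, int offset) {
        int line = 1;
        for (int i = 0; i < offset; i++) if (s.charAt(i) == '\n') line++;
        return line;
    }

    public static void main(String[] args) {
        // Constructed sample JSP, not a gridviewer page.
        String sample = String.join("\n",
            "<%@ taglib uri=\"http://java.sun.com/jsp/jstl/core\" prefix=\"c\" %>",
            "<h1>Hello <%= request.getParameter(\"name\") %></h1>",                // raw scriptlet
            "<p>Hello ${param.name}</p>",                                           // raw EL
            "<p>Hello <c:out value=\"${param.name}\" /></p>",                       // escaped, not reported
            "<p>Hello <c:out value=\"${param.name}\" escapeXml=\"false\" /></p>");  // escaping disabled
        for (String finding : scan(sample)) System.out.println(finding);
    }
}
```

Run it over the webapp's JSP tree as part of the release checklist; a clean run means every parameter that reaches a page goes through <c:out> with escaping on. The regexes cover the two common raw-output forms only (scriptlets and EL), so custom tags that print parameters still need a manual look.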
- Ajax library:
  - We are using DWR as our primary AJAX library. The following init parameters should be set:
    - debug=false
    - allowScriptTagRemoting=false
    - scriptCompressed=true
    - crossDomainSessionSecurity=true
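The DWR settings above live in the DWR servlet's <init-param> entries in web.xml. The following is an added example, not gridviewer code, that reads a web.xml and reports any of the four parameters that is missing or has the wrong value; it assumes DWR 2.x, whose servlet class is org.directwebremoting.servlet.DwrServlet, and the web.xml it checks is constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Checks the DWR servlet's init parameters against the checklist. Added example, not gridviewer code. */
public class DwrConfigCheck {
    // Assumption: DWR 2.x. (DWR 1.x used uk.ltd.getahead.dwr.DWRServlet.)
    static final String DWR_SERVLET = "org.directwebremoting.servlet.DwrServlet";

    // Required values from the checklist; a missing parameter is reported rather than
    // trusted to DWR's default, so the release configuration is explicit.
    static final Map<String, String> REQUIRED = new LinkedHashMap<>();
    static {
        REQUIRED.put("debug", "false");
        REQUIRED.put("allowScriptTagRemoting", "false");
        REQUIRED.put("scriptCompressed", "true");
        REQUIRED.put("crossDomainSessionSecurity", "true");
    }

    /** Returns parameter name -> problem; an empty map means the configuration passes. */
    public static Map<String, String> check(String webXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Harden the parser itself: config files need no DTD or external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(webXml.getBytes(StandardCharsets.UTF_8)));

        Map<String, String> actual = new LinkedHashMap<>();
        boolean found = false;
        NodeList servlets = doc.getElementsByTagName("servlet");
        for (int i = 0; i < servlets.getLength(); i++) {
            Element s = (Element) servlets.item(i);
            if (!DWR_SERVLET.equals(text(s, "servlet-class"))) continue;
            found = true;
            NodeList params = s.getElementsByTagName("init-param");
            for (int j = 0; j < params.getLength(); j++) {
                Element p = (Element) params.item(j);
                actual.put(text(p, "param-name"), text(p, "param-value"));
            }
        }

        Map<String, String> problems = new LinkedHashMap<>();
        if (!found) {
            problems.put("<servlet>", "no servlet with class " + DWR_SERVLET);
            return problems;
        }
        for (Map.Entry<String, String> e : REQUIRED.entrySet()) {
            String v = actual.get(e.getKey());
            if (v == null) problems.put(e.getKey(), "missing (required " + e.getValue() + ")");
            else if (!e.getValue().equals(v)) problems.put(e.getKey(), "is " + v + ", required " + e.getValue());
        }
        return problems;
    }

    private static String text(Element parent, String tag) {
        NodeList n = parent.getElementsByTagName(tag);
        return n.getLength() == 0 ? null : n.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed web.xml fragment: debug left on, scriptCompressed not set.
        String webXml = "<web-app><servlet>"
            + "<servlet-name>dwr-invoker</servlet-name>"
            + "<servlet-class>" + DWR_SERVLET + "</servlet-class>"
            + "<init-param><param-name>debug</param-name><param-value>true</param-value></init-param>"
            + "<init-param><param-name>allowScriptTagRemoting</param-name><param-value>false</param-value></init-param>"
            + "<init-param><param-name>crossDomainSessionSecurity</param-name><param-value>true</param-value></init-param>"
            + "</servlet></web-app>";
        for (Map.Entry<String, String> p : check(webXml).entrySet())
            System.out.println(p.getKey() + ": " + p.getValue());
    }
}
```

The check reports two problems for the constructed input (debug set to true, scriptCompressed absent). Point it at the real WEB-INF/web.xml before a release build; a non-empty result should fail the build.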
- Session validation:
  - To prevent malicious session attacks, a secondary server-side check of the session id will be performed.
  - The primary session attacks are session fixation, cross-site scripting, session side-jacking and session hijacking [Wikipedia].
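One way to implement the secondary server-side session check described above, as an added example that is not the gridviewer's code: a servlet Filter that refuses requests carrying a session id the container does not recognise (an expired id, or one the client chose itself), refuses ids carried in the URL, and a helper that discards the pre-login session once credentials are verified so a planted id cannot survive login. The attribute name "authUser" and the servlet-2.x javax.servlet API are assumptions.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Secondary server-side session id check. Added example, not gridviewer code. */
public class SessionCheckFilter implements Filter {
    // Assumed name of the session attribute that holds the logged-in principal.
    static final String AUTH_USER = "authUser";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The client presented a session id, but the container has no live session for it:
        // it either expired or was supplied by the client (the fixation pattern). Do not let
        // the request proceed on it. A redirect to the login page is the friendlier variant.
        if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid session");
            return;
        }
        // Only cookie-borne ids are accepted; ;jsessionid=... in the URL leaks through
        // Referer headers and logs and is the usual way a fixed id is delivered.
        if (request.isRequestedSessionIdFromURL()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "session id must be carried in a cookie");
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Call immediately after the credentials are verified: drop the pre-login session
     * (and any id an attacker may have planted), carry its attributes to a fresh session
     * with a new id, and record the authenticated user there.
     */
    public static HttpSession rotateSession(HttpServletRequest request, String user) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carry = new HashMap<>();
        if (old != null) {
            for (Enumeration<?> e = old.getAttributeNames(); e.hasMoreElements();) {
                String name = (String) e.nextElement();
                carry.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : carry.entrySet()) fresh.setAttribute(e.getKey(), e.getValue());
        fresh.setAttribute(AUTH_USER, user);
        return fresh;
    }
}
```

Map the filter to /* in web.xml ahead of the DWR servlet so AJAX calls are covered as well. The filter addresses fixation and dead ids; side-jacking of a valid id over the wire is a transport problem and is handled by serving the application over TLS with the session cookie marked Secure.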
- Response modification:
  - We are currently appending a random string to the footer of each JSP response. The following is included in footer.js:
    <!--<%=System.currentTimeMillis() + Math.random()%>-->