Gridviewer Security

The intention is to establish a general list of security checkpoints to ensure that pre-production releases of the gridviewer carry minimal vulnerabilities. It is important to remember that security is an evolving challenge that requires constant attention and education.

    1. Request Parameters:
      1. Must be escaped; the ideal method is a JSTL tag such as <c:out value="${param.name}" />. The tag defaults to escapeXml="true", so that attribute does not need to be specified.
    2. Ajax library:
      1. We are using DWR as our primary AJAX library. The following init parameters should be set:
        1. debug=false
        2. allowScriptTagRemoting=false
        3. scriptCompressed=true
        4. crossDomainSessionSecurity=true
    3. Session validation:
      1. To help prevent session attacks, a secondary server-side check of the session id will be performed.
      2. The primary session attacks are session fixation, cross-site scripting, session side-jacking and session hijacking. [Wikipedia]
    4. Response modification:
      1. We are currently appending a random string to the footer of each JSP response. The following is included in footer.js:
      2. <!--<%=System.currentTimeMillis() + Math.random()%>-->
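The DWR init parameters from checkpoint 2, placed in a web.xml servlet declaration, as an added configuration example that is not part of the original page. The servlet class org.directwebremoting.servlet.DwrServlet, the servlet name and the /dwr/* mapping are assumptions (DWR 2.x) and must match the deployed version.

```xml
<!-- Assumed DWR 2.x servlet declaration; class name and URL pattern must match the deployed DWR version -->
<servlet>
  <servlet-name>dwr-invoker</servlet-name>
  <servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class>

  <!-- debug=true enables the /dwr/ test pages that list every remoted class and method;
       they belong to development only and must be off in any pre-production release -->
  <init-param>
    <param-name>debug</param-name>
    <param-value>false</param-value>
  </init-param>

  <!-- Script-tag remoting lets other origins pull DWR responses via <script src>, which
       bypasses the same-origin policy; keep it disabled unless cross-domain use is intended -->
  <init-param>
    <param-name>allowScriptTagRemoting</param-name>
    <param-value>false</param-value>
  </init-param>

  <!-- Compress the generated interface JavaScript (smaller download, no behaviour change) -->
  <init-param>
    <param-name>scriptCompressed</param-name>
    <param-value>true</param-value>
  </init-param>

  <!-- Require each DWR call to echo the session id in the request body so that
       forged cross-site requests carrying only the cookie are rejected -->
  <init-param>
    <param-name>crossDomainSessionSecurity</param-name>
    <param-value>true</param-value>
  </init-param>
</servlet>

<servlet-mapping>
  <servlet-name>dwr-invoker</servlet-name>
  <url-pattern>/dwr/*</url-pattern>
</servlet-mapping>
```

After deployment, requesting /dwr/ should return an error page rather than the index of remoted classes; if the index appears, debug is still on.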