Awe is a server-side framework, where all of your application state, business and UI logic resides on the server. Unlike client driven frameworks, Awe apps never exposes its internals to the browser where vulnerabilities can be leveraged by an attacker.
Spring Security utilities to manage and configure all safety-related aspects.
Always AWE constantly update dependencies to 3rd part libraries when security patches for them are released. When necessary, a new maintenance version of Awe is created to apply the fix. Furthermore, AWE has a public
SonarCloud server to be audited and constantly adapt to new security flaws. You can check here.
All requests between the client and the server are included with a user session specific CSRF token. Awe handles all communication between the server and the client, so you do not need to remember to include the CSRF tokens manually.
Awe has built-in protection against cross-site scripting (XSS) attacks. Awe converts all data to use HTML entities before the data is rendered in the user's browser.
The filtering is enabled by default, so adding the header typically just ensures it is enabled and instructs the browser what to do when a XSS attack is detected.
Awe lets you choose which authentication and authorization system you want to use, instead of bundling any specific one. Awe is fully compatible with the most used security solutions in the Spring Boot ecosystem like
You can visit this for more info.
Awe provides configuration beans to manage security in your application. You can use them or overwrite and create your custom auth method. The security configuration is in
AWEScreenSecurityAdapter classes and select the authentication method that you want.
You can always create your own Http web security config class extending
Awe always recommend developers to set up secure server endpoints and run all communication exclusively under HTTPS. Awe works out-of-the-box with HTTPS, and there is nothing for the developer to configure in your application code. Please refer to the documentation of your servlet container for details on how to set up HTTPS on your server.
In Awe application, the data binding API supports data validation on the server, which cannot be by-passed with client-side attacks. However, awe has client-side validation action to do a double check and increase the responsiveness of the application, but the developer should be aware that these should be used purely for convenience, since they are easily circumvented in the browser. In addition, the developer is free to use any Java API for validating the data, including connecting to external services. There is also a built-in integration with Java’s Bean Validation (
JSR 303) standard.
Awe is a backend-agnostic UI framework, it doesn’t directly deal with backend access; instead, it uses a backend framework (e.g. Spring Data) to manage this. Awe provides mitigation for SQL injections using techniques like Parameterized Queries with QueryDSL. Internally uses
PreparedStatementand User data sanitization.