Vaadin is a server-side framework: application state, business logic and UI logic all reside on the server. Unlike client-driven frameworks, a Vaadin application does not ship that logic or state to the browser; only the rendered UI reaches the client, so there is little for an attacker to inspect or tamper with there.

Cross-Site Request Forgery (CSRF)

Every request between the client and the server carries a CSRF token that is specific to the user session, and the server rejects requests that do not present a valid token. Because Vaadin handles all of this communication itself, you do not have to remember to include the token manually. The protection covers Vaadin's own requests; if you add servlets or REST endpoints of your own alongside the application, they need their own CSRF protection.

Cross-Site Scripting (XSS)

Vaadin has built-in protection against cross-site scripting (XSS). Text that you set through the component API is escaped before it is rendered in the user's browser, so it is displayed as text rather than interpreted as markup. The exception is where you explicitly ask for raw HTML (for example the Html component in Vaadin Flow, or a Label with its content mode set to HTML in Vaadin 8); anything you pass there is rendered as-is and must be sanitised on the server first.
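The following Vaadin Flow view, written for this page as an added illustration (it is not Vaadin's own code, and the route name and field labels are assumptions), shows the safe text path next to the raw-HTML path that reintroduces XSS, and how to sanitise when rich text is genuinely needed. It assumes a Jsoup version that provides `Safelist` (1.14.1 or later; older versions call the same class `Whitelist`).

```java
import com.vaadin.flow.component.Html;
import com.vaadin.flow.component.button.Button;
import com.vaadin.flow.component.html.Span;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.component.textfield.TextField;
import com.vaadin.flow.router.Route;
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

// Hypothetical demo view; not part of the Vaadin framework.
@Route("comment-demo")
public class CommentView extends VerticalLayout {

    public CommentView() {
        TextField input = new TextField("Comment");
        VerticalLayout rendered = new VerticalLayout();

        Button post = new Button("Post", click -> {
            // Attacker-controlled value, e.g. <img src=x onerror=alert(1)>
            String untrusted = input.getValue();

            // SAFE: Span(String) / setText() set a text node. The browser
            // receives the string as text, so tags are shown literally and
            // never parsed as markup. This is the protection the framework
            // gives you for free.
            rendered.add(new Span("As text: " + untrusted));

            // UNSAFE: Html renders its argument as raw markup. Concatenating
            // user input here is a classic stored/reflected XSS; the
            // framework cannot help because you asked for HTML.
            // rendered.add(new Html("<div>" + untrusted + "</div>"));

            // If formatted content is required, sanitise on the server before
            // handing it to Html. Safelist.basic() keeps simple formatting
            // tags and strips scripts, event-handler attributes and
            // javascript: URLs. The outer <div> is added after cleaning
            // because Html expects exactly one root element.
            String clean = Jsoup.clean(untrusted, Safelist.basic());
            rendered.add(new Html("<div>" + clean + "</div>"));
        });

        add(input, post, rendered);
    }
}
```

The rule of thumb the example encodes: reach for `setText` by default, and treat every call that accepts HTML as a sink that must be fed sanitised input.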

Web Services

All client-server communication in Vaadin goes through a single servlet endpoint that handles the framework's RPC requests. You never have to expose your business logic as separate web services, so there are fewer entry points for an attacker to probe in a Vaadin application.

Application state

Because the UI state lives on the server, the server knows exactly which components the user can currently see and interact with. Vaadin therefore ignores RPC calls aimed at components that are invisible or disabled, so an attacker cannot trigger a hidden button by hand-crafting a request. This check covers actions routed through the Vaadin UI; authorisation for the operation behind the button still belongs in your business logic, since hiding a control is not the same as denying the operation.

Data Validation

As with any web application, all data coming from the client must be validated once it reaches the server; client-side validation alone is not safe, because the client is under the attacker's control. In a Vaadin application the data binding API runs validators and converters on the server, so they cannot be bypassed by client-side tampering.
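As an added example (written for this page, not taken from Vaadin's own code or documentation), the Vaadin Flow form below binds three fields to a bean through `Binder` and only writes to the bean once every server-side validator has passed. The `Person` bean, the route name and the field rules are assumptions made for the illustration.

```java
import com.vaadin.flow.component.button.Button;
import com.vaadin.flow.component.notification.Notification;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.component.textfield.TextField;
import com.vaadin.flow.data.binder.Binder;
import com.vaadin.flow.data.binder.ValidationException;
import com.vaadin.flow.data.converter.StringToIntegerConverter;
import com.vaadin.flow.data.validator.EmailValidator;
import com.vaadin.flow.data.validator.IntegerRangeValidator;
import com.vaadin.flow.data.validator.StringLengthValidator;
import com.vaadin.flow.router.Route;

// Hypothetical sign-up view; not Vaadin's own code.
@Route("signup-demo")
public class SignupView extends VerticalLayout {

    // Minimal bean the form writes into (assumed for the example).
    public static class Person {
        private String name;
        private String email;
        private int age;

        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
        public int getAge() { return age; }
        public void setAge(int age) { this.age = age; }
    }

    public SignupView() {
        TextField name = new TextField("Name");
        TextField email = new TextField("Email");
        TextField age = new TextField("Age");

        Binder<Person> binder = new Binder<>(Person.class);

        // Every validator and converter below executes in the server JVM.
        binder.forField(name)
              .asRequired("Name is required")
              .withValidator(new StringLengthValidator(
                      "Name must be 2 to 64 characters", 2, 64))
              .bind(Person::getName, Person::setName);

        binder.forField(email)
              .asRequired("E-mail is required")
              .withValidator(new EmailValidator("Not a valid e-mail address"))
              .bind(Person::getEmail, Person::setEmail);

        binder.forField(age)
              .asRequired("Age is required")
              .withConverter(new StringToIntegerConverter("Age must be a whole number"))
              .withValidator(new IntegerRangeValidator("Age must be 0 to 150", 0, 150))
              .bind(Person::getAge, Person::setAge);

        Button save = new Button("Save", click -> {
            Person person = new Person();
            try {
                // writeBean() validates first and writes only if every field
                // passes. A client that edits the DOM, removes the "required"
                // attribute or replays the RPC with out-of-range values still
                // hits these checks; nothing is written to the bean otherwise.
                binder.writeBean(person);
                // Hand the validated bean to your service layer here.
                Notification.show("Saved " + person.getName());
            } catch (ValidationException e) {
                // Per-field messages are already displayed next to the inputs.
                Notification.show("Please correct the highlighted fields");
            }
        });

        add(name, email, age, save);
    }
}
```

The point to take from the example is where the checks run: the browser may show the same messages for convenience, but the decision to accept or reject a value is made by `writeBean()` on the server, which the client cannot skip.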

My hat's off to Vaadin for surviving a battery of penetration tests with flying colours today! Kudos to you! They hammered it for XSS and other things but only found programmer oversights or environment issues. No problems directly attributed to Vaadin itself.

Graham Stephenson

Senior Consultant, CGI