Security

Vaadin Flow is a server-side framework, where all the application state, business model, and UI logic reside on the server. A Flow application never exposes its internals to the browser where vulnerabilities could be abused by an attacker. This makes the development model inherently secure. Nevertheless, best practices should be followed and common vulnerabilities should be avoided to ensure security.

Security in Vaadin Applications

Gives an introduction to the Vaadin Flow security architecture and how it works in practice. Further, release and security practices in developing and releasing Vaadin products are described.

Best Practices

Describes various best practices for authentication, authorization, managing the application state, validating data, connecting to web services, and enabling SSL and HTTPS.

Common Vulnerabilities

Describes common vulnerabilities such as SQL injections, cross-site request forgeries (CSRF/XSRF), cross-site scripting (XSS), and so forth.

Frequently Reported Issues

Lists issues reported by users as vulnerabilities, which in fact are not.