Vaadin Flow is a server-side framework, where all the application state, business model, and UI logic reside on the server. A Flow application never exposes its internals to the browser where vulnerabilities could be abused by an attacker. This makes the development model inherently secure. Nevertheless, best practices should be followed and common vulnerabilities should be avoided to ensure security.

Security in Flow applications
Gives an introduction to the Vaadin Flow security architecture and how it works in practice.
Best Practices
Describes various best practices for authentication, authorization, managing the application state, validating data, connecting to web services, and enabling SSL and HTTPS.
Common Vulnerabilities
Describes common vulnerabilities such as SQL injections, cross-site request forgeries (CSRF/XSRF), cross-site scripting (XSS), and so forth.
Frequently Reported Issues
Lists issues reported by users as vulnerabilities, which in fact are not.