Security Best Practices

Authentication and Authorization

Vaadin lets you choose which authentication and authorization framework you want to use, instead of bundling any specific one. Vaadin is fully compatible with the most used security solutions in the Java ecosystem, including but not limited to Spring Security, JAAS and Apache Shiro. The Vaadin-Spring addon has helpers for developers to integrate into the security mechanisms of those respective frameworks.

Since Vaadin is a server-side framework, credential processing always happens on the server, away from any possible attack surface. Credentials are never transmitted to the client unless explicitly done so by the developer.

Generally, it is recommended that the developer double-checks user identity and access rights for each call from the client. This can be automated with, for example, Spring Security and view-based authentication using roles. What typically can’t be automated by these frameworks is data-based access rights, such as limiting access to specific entities.

As an example, if the server receives an ID of a User object to be displayed in, for example, a URL request parameter ({}/users/4/edit), then the ID in question can be freely changed by an attacker. The application needs to be aware of this and check if the currently logged-in user has access rights to this entity. This is something that is common to all UI frameworks, and not specific to Vaadin.

Examples for integrating Spring Security can be found in Authentication with Spring Security

Data Validation

In a Vaadin application, the data binding API supports data validation on the server, which cannot be by-passed with client-side attacks. Vaadin components do support client-side validation to increase the responsiveness of the application, but the developer should be aware that these should be used purely for convenience, since they are easily circumvented in the browser.

As with other web applications, all data coming from the client should always be validated once it reaches the server. It is not safe to rely on only client-side validation. Vaadin provides a set of pre-created server side validators for this purpose. In addition, the developer is free to use any Java API for validating the data, including connecting to external services. Vaadin also has a built-in integration with Java’s Bean Validation (JSR 303) standard.

Data coming from a data store (such as a database) and inserted as HTML into DOM elements (for example, setting innerHTML for elements or using HTML mode in component captions) should also be escaped. Please see the chapter for XSS for more information.


By default Endpoint requires the requests to be authenticated. It is recommended to use more strict access control, for example, @RolesAllowed(). Less strict access control, for example, @AnonymousAllowed should be used with caution. More information can be found in Configuring Security


Vaadin always recommend developers to set up secure server endpoints and run all communication exclusively under HTTPS. Vaadin works out-of-the-box with HTTPS, and there is nothing for the developer to configure in your application code. Please refer to the documentation of your servlet container for details on how to set up HTTPS on your server.