Security is not always an easy thing to manage correctly. Luckily, there are great resources on the web that help you understand how to secure your application against most common web application vulnerabilities. Open Web Application Security Project (OWASP) releases a Top 10 list of most critical vulnerabilities commonly found in web applications. You can use that as a starting point in making your application secure. Some of the vulnerabilities are such, that they can be tackled already on a framework level, while others are bound to your application implementation and deployment environment.

Are Vaadin applications secure?

Vaadin as a framework follows good security practices and provides you with automatic protection against some of the most common vulnerabilities in web applications. Vaadin's architecture promotes a secure programming model, allowing you to concentrate on your business and application logic.

Authentication & Authorization

Vaadin provides you with tools for creating the user interface, but since every application has different authentication and authorization needs, we've decided not to include these features in the framework.

The good news is that this is not a limitation, on the contrary, you are free to choose whichever authentication and authorization framework you want. Some Vaadin application's use JAAS, while other use Spring Security or Apache Shiro. Maybe you want something simpler and create the authentication mechanism yourself or use certificate based authentication. All of this is possible and Vaadin as a company is also happy to help you with this - see our consulting services for more details.

Vaadin Security Webinar

Watch this 1 hour webinar on Vaadin security to get a good overall picture of web security in general and how Vaadin solves the things it does and what you still need to take care of by yourself.

Security Checklist

  • Architecture Vaadin is a server-side framework, where all of your application state, business and UI logic resides on the server. Unlike client driven frameworks, a Vaadin application never exposes its internals to the browser, where vulnerabilities can be leveraged by an attacker.
  • Cross-Site Scripting (XSS) Vaadin has built-in protection against cross-site scripting (xss) attacks. Vaadin converts all data to use HTML entities before the data is rendered in the user's browser.*
  • Cross-Site Request Forgery (CSRF) All requests between the client and the server are included with a user session specific CSRF token. All communication between the server and the client is handled by Vaadin, so you do not need to remember to include the CSRF tokens manually.
  • Web Services All communication in Vaadin goes through one web service used for RPC requests. With Vaadin, you never open up your business logic as web services and thus there are less attack entry points to your Vaadin application.
  • Application state The server is always aware of your application state. Compared to client side applications, this means that the server is aware of what is currently visible on the end-user's screen. Hence Vaadin denies actions to components that are not currently visible on the screen. In practice this means that an attacker cannot fake actions, such as a button click, unless the component receiving the action is actually on the screen and enabled.
  • Data Validation In a Vaadin application, the data validation is always done on the server and thus cannot be by-passed with client-side attacks.**

* You can explicitly allow HTML content in Vaadin components, in which case your application needs to ensure that the data does not contain XSS payloads.
** It is possible with add-ons to use client-side validation to increase the responsiveness of the application when needed.