On Monday, September 2, 2013 8:10:10 PM UTC-6, Nelson Morris wrote:
>
>
> ----
>
> Several of Yesod's responses to other items on the list are humorous in 
> their vagueness, but in my experience for Clojure:
>
> 1. Injection:   Done by JDBC's prepared statements, and clojure.jdbc's use 
> of them
> 2. XSS injection:   Depends on templating.  Hiccup requires explicit `(h 
> ..)` calls.  laser is escape by default.  I am unsure about enlive, 
> clabango, or others.
> 3. Authentication & Session Management:  I've used friend for 
> authentication, and bcrypt for encryption.  lib-noir has some functions 
> that use bcrypt, but I've not used it. Session management can be specified 
> by the :store given to wrap-session, and defaults to an in-memory store.  A 
> cookie store also exists that provides some protection against cookie 
> mutation.  Immutant provides a store that can work across a cluster.
> 4. Insecure Reference:  There is not a standard ORM or similar, so 
> handling only the correct parameters is up to you.
> 5. CSRF:  ring-anti-forgery provides a way to add CSRF prevention tokens
> 6. Security Misconfiguration: This seems to be the domain of chef, pallet, 
> puppet, capistrano or another deployment tool.  I'm not sure I want my 
> libraries to mess with deployments.
> 7. Insecure Cryptographic Storage: Use bcrypt. See 3.
> 8. Failure to Restrict URL access: I've used friend for authorization.
> 9. Insufficient Transport Layer Protection: I'd recommend letting your 
> front end server handle this and redirect to https.  I believe lib-noir has 
> a middleware that will redirect from http to https if needed. Consider 
> passing `:secure true` to `wrap-cookies` if you have an https only site.
> 10. Unvalidated Redirects and Forwards: URL generation is a weak spot in a 
> compojure based setup. For comparison, pedestal-service wrote its own 
> routing dsl and stores the routes in a way that allows url generation based 
> on the context passed in.
>
> I believe the use of many small libraries is what causes the lack of a 
> single spot for this documentation. I've picked up most of what I described 
> above by knowing the authors / what to google / asking + watching IRC. 
>  That does seem like an unfortunate situation for anyone new to have to 
> learn.
>
> -
> Nelson Morris
>

Thank you to Nelson for compiling this list. Since it was posted a number 
of months ago, has anyone recently written or stumbled over a go-to site 
for security in Clojure web/non-web apps? The clojure-sec group seems to be 
dead, but let me know if we should take the thread over there.

-
Christopher Poile
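The following is an added illustration, not code from either poster or from any of the libraries named in the thread. It assembles a minimal Ring application that applies several items from Nelson's list in one place: a parameterised clojure.java.jdbc query (item 1), explicit Hiccup escaping with `h` (item 2), bcrypt password verification (items 3 and 7), ring-anti-forgery's CSRF token (item 5), a cookie-backed session with `:secure` and `:http-only` cookie attributes (items 3 and 9), and an allowlist check for post-login redirect targets (item 10). Assumptions: the library coordinates ring-core, ring-anti-forgery, hiccup, org.clojure/java.jdbc and crypto-password (for `crypto.password.bcrypt`); a `users` table with `username` and `password_hash` columns; and the names `find-user`, `verify-login`, `greeting-page`, `safe-target`, `handler` and `app`, which are invented here.

```clojure
;; Added example, not from the thread. Assumed deps: ring-core, ring-anti-forgery,
;; hiccup, org.clojure/java.jdbc, crypto-password.
(ns example.secure-app
  (:require [ring.middleware.params :refer [wrap-params]]
            [ring.middleware.session :refer [wrap-session]]
            [ring.middleware.session.cookie :refer [cookie-store]]
            [ring.middleware.anti-forgery :refer [wrap-anti-forgery]]
            [ring.util.anti-forgery :refer [anti-forgery-field]]
            [ring.util.response :as resp]
            [hiccup.core :refer [html h]]
            [clojure.java.jdbc :as jdbc]
            [crypto.password.bcrypt :as bcrypt]))

;; 1. Injection: `?` placeholders become JDBC bind parameters, so the
;; username is never spliced into the SQL text.
(defn find-user [db username]
  (first (jdbc/query db ["SELECT id, password_hash FROM users WHERE username = ?"
                         username])))

;; 3/7. Passwords are stored as bcrypt hashes; `check` does the slow compare.
;; Returns the user id on success, nil otherwise.
(defn verify-login [db username password]
  (when-let [user (find-user db username)]
    (when (bcrypt/check password (:password_hash user))
      (:id user))))

;; 2. XSS: Hiccup does not escape by default, so every user-controlled
;; string goes through `h`. 5. CSRF: the hidden field carries the session's
;; anti-forgery token for the state-changing POST.
(defn greeting-page [name]
  (html [:p "Hello, " (h name)]
        [:form {:method "post" :action "/logout"}
         (anti-forgery-field)
         [:button "Log out"]]))

;; 10. Open redirect: only accept path-relative targets on this origin.
;; "//evil.example" and "/\evil.example" are scheme-relative in browsers,
;; so they are rejected along with absolute URLs.
(defn safe-target [next]
  (if (and (string? next)
           (.startsWith ^String next "/")
           (not (.startsWith ^String next "//"))
           (not (.startsWith ^String next "/\\")))
    next
    "/"))

(defn handler [db {:keys [request-method uri params session]}]
  (case [request-method uri]
    [:post "/login"]
    (if-let [uid (verify-login db (get params "username") (get params "password"))]
      (-> (resp/redirect (safe-target (get params "next")))
          (assoc :session (assoc session :identity uid)))
      (resp/status (resp/response "bad credentials") 401))

    [:get "/"]
    (if-let [uid (:identity session)]
      (resp/response (greeting-page (str "user " uid)))
      (resp/redirect "/login"))

    [:post "/logout"]
    (-> (resp/redirect "/") (assoc :session nil))

    (resp/not-found "not found")))

;; Middleware order matters: in `->` the last wrapper is outermost, so a
;; request passes wrap-params, then wrap-session, then wrap-anti-forgery,
;; then the handler. Params must be parsed before anti-forgery can read the
;; token, and the session must exist before anti-forgery can store it.
;; `cookie-key` is a 16-byte secret generated once and kept out of source.
(defn app [db cookie-key]
  (-> (partial handler db)
      wrap-anti-forgery
      (wrap-session {:store (cookie-store {:key cookie-key})
                     ;; 9. :secure keeps the session cookie off plain HTTP;
                     ;; :http-only keeps it away from page scripts.
                     :cookie-attrs {:secure true :http-only true}})
      wrap-params))
```

Two caveats a reviewer would raise against this sketch: the cookie store signs and encrypts the session but cannot revoke it, so logout only clears the browser's copy (an in-memory or Immutant store is needed for server-side invalidation), and `safe-target` is an allowlist on shape only; if the application needs cross-origin redirects, compare against an explicit list of hosts rather than loosening the prefix test.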

-- 
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to clojure@googlegroups.com
Note that posts from new members are moderated - please be patient with your 
first post.
To unsubscribe from this group, send email to
clojure+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en