Hej everyone! After a short but interesting discussion<http://clojure-log.n01se.net/#14:27> on #clojure I'd like to pose some security related questions to a larger audience. This is mostly about user-facing web applications.
First some short background: In the main web framework I use, Yesod, there is a clear and concise list <http://www.yesodweb.com/page/about> (scroll down to "Type-safe security") of security issues already handled by the stack. This includes SQL injections, escaping of user input against XSS, CSRF form attacks and such. These aspects are also often mentioned in related tutorials and discussed in the community. Some googling about another well-known web framework, Rails, brought up this page <http://guides.rubyonrails.org/security.html> with lots of info about securing Rails applications.

Now the main question: Where is this info for Clojure's web stack and, assuming there is no collection of info, what do *you* specifically know about security in Clojure? I'm looking to collect information on such matters as

* How and where do we prevent SQL injections? In a stack of Hiccup < Compojure < Ring < Korma < JDBC < Postgres-driver - which (if any) of these components ensures safety against injections? Is there documentation?
* How and where do we prevent XSS attacks? Do we have templating engines that escape things unless told otherwise, or - if not - do these features exist in the form of a helper function? If yes, where?
* (And so on...)
* *Where are these things being discussed* in the Clojure community? Googling things like "Clojure web security" brings up almost nothing.

Ideally everybody who knows answers to these points or to points not mentioned by me (go for example through the two sites I linked!) should post what they know, with the ultimate goal of creating something like the Rails site about our web stack in general, so that future generations don't have to go through the same information hunt. I'm willing to structure the info and write it together if we can collect it, so *go*!
(Note that I have also posted this on Reddit<http://www.reddit.com/r/Clojure/comments/1lj3b2/compiling_clojure_security_knowledge/> )
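An added example (not part of the original post, and not code from any of the libraries named in it) showing the two checks the questions above are about: it assumes clojure.java.jdbc with a Postgres driver (placeholder connection values) and hiccup 1.x, where strings are emitted verbatim unless passed through h.

```clojure
(ns security-example
  (:require [clojure.java.jdbc :as jdbc]
            [hiccup.core :refer [html h]]))

;; Placeholder connection map (assumed values, not a real database).
(def db-spec {:classname   "org.postgresql.Driver"
              :subprotocol "postgresql"
              :subname     "//localhost:5432/app"
              :user        "app"
              :password    "placeholder"})

;; VULNERABLE: the request value becomes part of the SQL text.  A
;; constructed input such as "O'Brien" already breaks the statement, and
;; anything containing quotes can change its meaning.
(defn find-user-unsafe [email]
  (jdbc/query db-spec
              [(str "SELECT id, email FROM users WHERE email = '" email "'")]))

;; SAFE: the vector form hands the value to the driver as a bound
;; parameter of a prepared statement, so it is never parsed as SQL.
;; Neither Ring nor Compojure nor Hiccup is involved in this decision;
;; it is made at the JDBC call site.
(defn find-user-safe [email]
  (jdbc/query db-spec ["SELECT id, email FROM users WHERE email = ?" email]))

;; VULNERABLE: hiccup 1.x does not escape plain strings, so markup inside
;; display-name is rendered as markup.
(defn profile-html-unsafe [display-name]
  (html [:p "Hello, " display-name]))

;; SAFE: h (hiccup.util/escape-html) replaces &, <, >, and quotes with
;; entities before the string is spliced into the output.
(defn profile-html-safe [display-name]
  (html [:p "Hello, " (h display-name)]))

(defn -main []
  ;; Constructed sample input that exercises both the quote and the tag case.
  (let [input "O'Brien <script>"]
    (println "unescaped:" (profile-html-unsafe input))
    (println "escaped:  " (profile-html-safe input))))
```

Running -main shows the tag surviving in the first line and being entity-encoded in the second; the two find-user functions differ only in whether the value travels inside the SQL string or as a separate parameter.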
