For a secure GWT application:

- *use SSL for the entire app*
- check for SSL vulnerabilities and update your server accordingly
- use your app server's session id and send it as payload from server to 
client during login, and then from client to server on each request. On the 
server, check whether the payload session id is valid. This protects you against 
*Cross-Site-Request-Forgery* attacks. 
- if you need a "remember me for 2 weeks" feature, then you have to use your 
own security token instead of the session id and store it in a database. 
That way you don't need a 2-week session timeout on your app server, which 
costs server resources. 
- Protect yourself from *Cross Site Scripting* by using SafeHtml, SafeUri, 
SafeCss in GWT
- Keep *SQL injection* in mind on your server. Don't trust user input on 
the server! Use prepared statements.

- use a *strong password policy*
- use *secure, HttpOnly cookies* if the server needs to store some info on 
the client via cookies. 
- Check for *duplicate cookies* (cookie overwrite attack)

- encourage users to use the most modern, secure browser.

With all the above, the only thing that could happen is that an attacker has 
physical access to the client host (directly or via a trojan, key logger, 
etc.). In that case you can't really do anything against it. 
Technically there are also SSL man-in-the-middle attacks, but to make them 
work you either need a bug in SSL itself (so update it!) or the attacker 
needs to modify the browser's trusted CA certificates, issue a certificate 
for your server domain using the attacker's CA and use DNS attacks to modify 
DNS entries so that your domain points to his server. You can't do anything 
against it as you are not part of the attack.

Have I forgotten anything?

-- J.

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/google-web-toolkit/-/XT5uSwUvUikJ.
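A server-side sketch of the checks listed in the post above: the session id echoed in the RPC payload as a CSRF check, the separate "remember me" token stored hashed in the database and sent as a Secure, HttpOnly cookie, a prepared statement beside the injectable concatenation it replaces, and the duplicate-cookie check. This is an added example, not J.'s code and not part of GWT: it is plain Python rather than the Java servlet (e.g. a RemoteServiceServlet) a GWT server would use, with an in-memory dict standing in for the app server's session store and an in-memory sqlite database standing in for the server database; all function names, the two sample users and the cookie header are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed stand-in for the app server's session store (e.g. HttpSession).
SESSIONS = {}


def login(user):
    """Create a server-side session; the id is sent to the client in the login
    response payload and must be echoed back in every later RPC payload."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user}
    return sid


def check_rpc(cookie_sid, payload_sid):
    """CSRF check: a forged cross-site request carries the session cookie
    automatically, but the attacking page cannot read the id to put it in the
    payload, so cookie and payload must match (compared in constant time)."""
    if cookie_sid is None or payload_sid is None:
        return False
    if cookie_sid not in SESSIONS:
        return False
    return hmac.compare_digest(cookie_sid.encode(), payload_sid.encode())


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


def create_db():
    """In-memory sqlite standing in for the server database (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY)")
    db.execute("CREATE TABLE remember_tokens "
               "(token_hash TEXT PRIMARY KEY, user TEXT, expires INTEGER)")
    return db


def issue_remember_me(db, user, now, ttl=14 * 24 * 3600):
    """'Remember me for 2 weeks': a random token separate from the session id,
    stored only as a hash so a database leak does not hand out valid tokens,
    sent as a Secure, HttpOnly cookie. No long-lived server session needed."""
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO remember_tokens VALUES (?, ?, ?)",
               (sha256_hex(token), user, now + ttl))
    cookie = "remember_me=%s; Max-Age=%d; Path=/; Secure; HttpOnly" % (token, ttl)
    return token, cookie


def redeem_remember_me(db, token, now):
    """Look the token up by its hash; return the user, or None if unknown/expired."""
    row = db.execute("SELECT user, expires FROM remember_tokens WHERE token_hash = ?",
                     (sha256_hex(token),)).fetchone()
    if row is None or row[1] < now:
        return None
    return row[0]


def find_user_unsafe(db, name):
    """String concatenation: the user input becomes part of the SQL text."""
    return [r[0] for r in db.execute(
        "SELECT name FROM users WHERE name = '" + name + "'")]


def find_user_safe(db, name):
    """Prepared statement: the input is bound as data and never parsed as SQL."""
    return [r[0] for r in db.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


def parse_cookie_header(header):
    """Parse a Cookie request header; refuse duplicate names (cookie overwrite)."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        if name in cookies:
            raise ValueError("duplicate cookie: " + name)
        cookies[name] = value
    return cookies


if __name__ == "__main__":
    sid = login("alice")
    print("rpc with matching payload id:", check_rpc(sid, sid))      # True
    print("forged request, no payload id:", check_rpc(sid, None))    # False
    db = create_db()
    db.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    print("unsafe:", find_user_unsafe(db, "' OR '1'='1"))  # ['alice', 'bob']
    print("safe:", find_user_safe(db, "' OR '1'='1"))      # []
    token, cookie = issue_remember_me(db, "alice", now=1000)
    print(cookie)
    print(redeem_remember_me(db, token, now=2000))                   # alice
    print(redeem_remember_me(db, token, now=1000 + 15 * 24 * 3600))  # None
    print(parse_cookie_header("JSESSIONID=abc; remember_me=xyz"))
```

The payload check relies on the cookie being sent only over SSL and marked HttpOnly, as the post requires; if the session id were readable by script on another origin, echoing it in the payload would prove nothing.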