Lift based web apps have a lot of security baked right in. Lift apps are resistant to many common security vulnerabilities.
Here are Lift's built-in safeguards to combat many of the OWASP Top 10 vulnerabilities:
- A1: Injection - Lift's Mapper and Record do proper escaping of query strings before they are sent to the backing store.
- A2: XSS - Lift keeps the rendered page as a DOM until very late in the page rendering cycle. This allows Lift to automatically HTML escape Strings before they are sent to the browser.
- A3: Session Management - Lift uses the J/EE container's session management, allows for generation of new sessions on login, and keeps passwords hashed at all times with per-row salt.
- A4: Direct Object References - Lift forms do not expose direct object references, but instead keep the object references server-side and issues a session-specific token that refers to the objects.
- A5: CSRF - Lift uses session-specific bindings between HTML elements and the server-side behaviors associated with those elements. The bindings cannot be predicted so it's not possible to issue Cross Site requests that invoke session-specific bindings.
- A8: URL Access - Lift includes SiteMap which provides declarative rules for access to URLs in the application. SiteMap will deny access to URLs unless the criteria is met for accessing the specific URL.
Because Lift apps are more secure by default, developers can focus their development efforts on features rather than writing ad hoc defenses to the OWASP Top 10 and other vulnerabilities.