framework
9 articles with this tag
ASP.NET Core security — production errors, secrets, and authorization
ASP.NET Core is a mature, solid foundation, but incidents come from settings. The big three: (1) exposing detailed errors / the Developer Exception Page in production (internal info leak), (2) secrets hardcoded in appsettings.json (use User Secrets / env vars / Key Vault), (3) missing authorization attributes ([Authorize]). Plus unsafe deserialization (BinaryFormatter, etc.), over-posting in model binding (limit with DTOs/[Bind]), and NuGet dependency CVEs. Defenses: hide detailed errors in prod, load secrets from outside config, make authorization explicit.
Django security — DEBUG, SECRET_KEY, and authorization
Django is 'batteries included' with safe defaults (ORM, CSRF, template auto-escaping, auth) and is solid configured correctly. But incidents come from settings. The big three: (1) DEBUG=True in production exposing settings, env vars, and secrets on the error page, (2) a leaked SECRET_KEY (the basis for signing/sessions), (3) thin authorization (missing is_staff/permission checks). Plus SQLi via raw()/extra() or string interpolation, unsafe deserialization (pickle), unset ALLOWED_HOSTS, and dependency (pip) CVEs. Defenses: DEBUG=False in prod, SECRET_KEY from the environment, explicit authorization.
Express (Node.js) security — the defenses you add yourself
Express is minimalist — it ships almost no security features by default, so the defenses are ones the developer adds. The essentials: (1) security headers (helmet-style), (2) input validation and sanitization, (3) authorization scoped to the owner, not just authentication, (4) rate limiting (brute-force / DoS), (5) dependency (npm) CVE monitoring and fast patching. Plus SSRF protection for outbound URL fetches and secrets kept in env, out of code. The freedom of a minimal framework comes with the responsibility to defend.
Security by framework — defenses specific to the stack you use
Whatever framework you use, the *types* of weakness attackers hit are largely the same (access control, secrets, injection, dependency CVEs, misconfiguration). What differs is each framework's 'dangerous defaults' and 'the spot most often targeted.' This site provides, per framework, the default pitfalls and the hardening steps. Start with the chapter for the stack you actually use.
Laravel security — .env exposure, APP_DEBUG, and authorization
Laravel ships fairly safe defaults, but most incidents come from operations. The big three pitfalls: (1) .env or secret files reachable by URL from the public directory, (2) APP_DEBUG=true in production exposing env vars and connection info on the error page, (3) missing authorization (login = authentication, but no owner-scoped authorization / Mass Assignment overwriting unintended fields). Defenses: secrets outside public at perms 600, debug off + config cache in prod, authorize with Policy/Gate, declare $fillable.
Next.js security — Server Actions, environment variables, and dependency CVEs
Next.js ships fairly safe defaults, but incidents happen at the server/client boundary. The big three: (1) environment-variable exposure (misusing NEXT_PUBLIC_ or passing server-only secrets to the client), (2) missing authorization in Server Actions / Route Handlers (authenticated but no owner scope), and (3) known dependency CVEs (including framework core RCE — judge by the running version and patch fast). Defenses: keep secrets server-only, mind the boundary, authorize in every action, machine-monitor dependency CVEs.
Ruby on Rails security — Strong Parameters, authorization, and gem CVEs
Rails ships conventions and safe defaults (CSRF protection, Strong Parameters, an ORM) and is solid used correctly. But incidents come from operations. The big three: (1) over-permissive Strong Parameters allowing Mass Assignment (overwriting is_admin, etc.), (2) thin authorization (login = authentication, but no owner scope), (3) known gem (dependency) CVEs. Plus SQLi via string interpolation in where, dangerous dynamic methods (send/constantize), and leaked credentials/secret_key_base. Defenses: tighten permit, make authorization explicit, monitor gem CVEs.
Spring Boot security — dependency CVEs, Actuator exposure, and authorization
Spring (Spring Boot) is an enterprise staple. Incident types: (1) known dependency CVEs (a widely-inherited foundation flaw like Log4Shell — judge by the running version and patch fast), (2) exposed management/diagnostic endpoints like Actuator (info leak / operation), (3) missing Spring Security authorization (authenticated but weak permission checks), (4) unsafe deserialization. Defenses: machine-monitor dependency CVEs and patch fast, lock down Actuator/management surfaces, make authorization explicit, don't deserialize untrusted data.
WordPress security — why it's targeted and the minimum defenses
WordPress has the largest share, so it's statistically the biggest target. The entry points are less the core than plugin/theme vulnerabilities, skipped updates, weak/reused admins, and exposed admin surfaces (wp-admin/xmlrpc/REST enumeration). Defenses: automate core+plugin updates, delete unused plugins/themes, strong password + 2FA for admins, limit admin exposure and login attempts, tamper detection plus offline backups.