Web2py - Security
The previous chapters covered the implementation of web2py with various tools. A major concern when developing web2py applications is security from the user's perspective.
The unique features of web2py are as follows −
It is easy to learn and requires no installation or external dependencies.
It has been stable since the day of launch.
web2py is lightweight and includes libraries for Data Abstraction Layer and template language.
It works with the help of the Web Server Gateway Interface (WSGI), which handles communication between web servers and applications.
The Open Web Application Security Project (OWASP) is a community that catalogues the common security weaknesses of web applications.
The OWASP issues that affect web applications, and how web2py addresses each of them, are discussed below.
Cross Site Scripting
It is also known as XSS. It occurs whenever an application takes user-supplied data and sends it to the user's browser without encoding or validating the content. Attackers use cross-site scripting to execute scripts in the victim's browser, for example to spread worms and viruses.
web2py helps prevent XSS by escaping, by default, every variable rendered in a View.
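The escaping behaviour described above, as an added illustration that is not web2py's own code: every variable rendered into the view is HTML-escaped unless the developer explicitly marks it as trusted markup (the role web2py's XML() helper plays). The `{{=name}}` template syntax is web2py's; the `TrustedMarkup` class, the `render_*` functions and the sample comment are constructed for this example.

```python
# Added example (not gluon's code): escape-by-default rendering of view variables.
import html


class TrustedMarkup(str):
    """Marker for HTML the developer vouches for (analogue of web2py's XML())."""


def render_variable(value) -> str:
    """Escape a value for insertion into HTML unless it was marked as trusted."""
    if isinstance(value, TrustedMarkup):
        return str(value)
    # quote=True also escapes " and ' so the value is safe inside attributes
    return html.escape(str(value), quote=True)


def render_template(template: str, **context) -> str:
    """Tiny stand-in for a view: replaces each {{=name}} with the escaped value."""
    out = template
    for name, value in context.items():
        out = out.replace("{{=%s}}" % name, render_variable(value))
    return out


# Constructed sample input: a comment field carrying a script payload.
USER_COMMENT = '<script>alert("xss")</script>'

if __name__ == "__main__":
    # The tags reach the browser as visible text, not as an executable script.
    print(render_template("<p>{{=comment}}</p>", comment=USER_COMMENT))
    # Only markup wrapped as trusted is passed through unchanged.
    print(render_template("<p>{{=body}}</p>", body=TrustedMarkup("<b>bold</b>")))
```

The defensive point is the asymmetry: the unsafe path requires an explicit opt-in (`TrustedMarkup`, or XML() in web2py), so forgetting to escape a variable is not possible, and every use of the opt-in is a place worth reviewing.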
Sometimes applications leak information about their internal workings, private data and configuration. Attackers use such leaks to reach sensitive data, which can lead to more serious attacks.
web2py prevents this with its ticketing system. Every error is logged, and a ticket is issued to the user whose request triggered the error; the error details themselves are accessible only to the administrator.
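The ticketing idea above, written out as an added example rather than web2py's own implementation: the full traceback goes to a file readable only by the server account, and the user sees nothing but an opaque ticket identifier. The `tickets` directory name, the JSON record layout and the `broken_view` sample are constructed for this example (web2py keeps its tickets under each application's own errors folder).

```python
# Added example (not web2py's code): log the traceback privately, show only a ticket id.
import json
import time
import traceback
import uuid
from pathlib import Path


def issue_ticket(exc: BaseException, request_path: str, ticket_dir: str = "tickets") -> str:
    """Persist the full error for the administrator and return the ticket id."""
    directory = Path(ticket_dir)
    directory.mkdir(parents=True, exist_ok=True)
    ticket_id = uuid.uuid4().hex  # unguessable, carries no information about the error
    record = {
        "ticket": ticket_id,
        "time": time.strftime("%Y-%m-%dT%H:%M:%S"),
        "path": request_path,
        "traceback": traceback.format_exception(type(exc), exc, exc.__traceback__),
    }
    ticket_file = directory / f"{ticket_id}.json"
    ticket_file.write_text(json.dumps(record, indent=2))
    ticket_file.chmod(0o600)  # owner-only: the admin reads it, nobody else
    return ticket_id


def read_ticket(ticket_id: str, ticket_dir: str = "tickets") -> dict:
    """Administrator-side lookup of a stored ticket."""
    return json.loads((Path(ticket_dir) / f"{ticket_id}.json").read_text())


def user_facing_error(ticket_id: str) -> str:
    """The only thing the client ever sees: no stack trace, no file paths."""
    return f"An error occurred. Ticket: {ticket_id}"


def handle_request(view_func, request_path: str, ticket_dir: str = "tickets"):
    """Run a view; on failure, convert the exception into a ticket and a 500 page."""
    try:
        return 200, view_func()
    except Exception as exc:  # noqa: BLE001 - any unhandled error becomes a ticket
        return 500, user_facing_error(issue_ticket(exc, request_path, ticket_dir))


def broken_view():
    """Constructed sample view that fails with an internal error."""
    return 1 / 0


if __name__ == "__main__":
    status, body = handle_request(broken_view, "/app/default/index")
    print(status, body)
```

Detection-wise, the ticket directory is also a useful signal: a burst of new tickets from one request path is an early indicator that someone is probing an endpoint with unexpected input.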
Account credentials are often not adequately protected. Attackers compromise passwords and authentication tokens to steal users' identities.
web2py provides a protected administrative interface, and it forces the use of secure sessions when the client is not “localhost”.
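The rule in the previous sentence, expressed as an added example rather than web2py's own code: the administrative interface is reachable from the local machine, or from elsewhere only over HTTPS, and a session cookie handed to a remote client carries the Secure flag so the browser never sends it over plain HTTP. The cookie name and the address values are constructed for this example.

```python
# Added example (not web2py's code): local-or-HTTPS admin access and secure session cookies.
import secrets
from typing import Optional

SESSION_COOKIE_NAME = "session_id_myapp"  # assumed cookie name for the example
LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")


def is_local_client(remote_addr: str) -> bool:
    """True when the request originates on the machine running the server."""
    return remote_addr.strip("[]").lower() in LOCAL_HOSTS


def admin_access_allowed(remote_addr: str, scheme: str) -> bool:
    """Allow the administrative interface only locally or over an encrypted channel."""
    return is_local_client(remote_addr) or scheme.lower() == "https"


def session_cookie_header(remote_addr: str, session_id: Optional[str] = None) -> str:
    """Build the Set-Cookie value for a session; remote clients always get Secure."""
    sid = session_id or secrets.token_urlsafe(32)  # random, not derived from user data
    attrs = [f"{SESSION_COOKIE_NAME}={sid}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if not is_local_client(remote_addr):
        attrs.append("Secure")  # browser will only send the cookie over HTTPS
    return "; ".join(attrs)


if __name__ == "__main__":
    print(admin_access_allowed("127.0.0.1", "http"))      # True: local
    print(admin_access_allowed("203.0.113.5", "http"))    # False: remote and unencrypted
    print(session_cookie_header("203.0.113.5"))           # ends with "; Secure"
```

HttpOnly keeps the session identifier out of reach of scripts (which matters if an XSS bug slips through), and SameSite=Lax limits the cookie being attached to cross-site requests; both are cheap to set and worth checking in any deployment.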
Sometimes applications fail to encrypt network traffic. Traffic must be encrypted to protect sensitive communications.
web2py supports SSL certificates to encrypt communications, which helps keep sensitive communication confidential.
Restriction in URL Access
Web applications normally protect sensitive functionality by not showing its links and URLs to some users. Attackers then try to reach sensitive data by manipulating the URL.
In web2py, a URL maps to modules and functions rather than to a file on disk. web2py also has a mechanism that specifies which functions are public and which remain private, which resolves this issue.
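The mapping just described, as an added example that is not web2py's own dispatcher: a URL of the form /app/controller/function resolves to a function in a named controller, and only functions that take no arguments are exposed (web2py's rule). Treating names that start with an underscore as private is an extra convention of this example, and the `default` controller with its three sample functions is constructed.

```python
# Added example (not web2py's dispatcher): URL-to-function mapping with public/private functions.
import inspect


def index():
    """Public: no arguments, so a URL may reach it."""
    return "public index page"


def secret_helper(user_id):
    """Private: takes an argument, so no URL can reach it directly."""
    return f"internal report for {user_id}"


def _cleanup():
    """Private by this example's extra underscore convention."""
    return "internal housekeeping"


# Constructed controller table: controller name -> {function name -> function}.
CONTROLLERS = {
    "default": {"index": index, "secret_helper": secret_helper, "_cleanup": _cleanup},
}


def is_exposed(func) -> bool:
    """A function is reachable from a URL only if it has no parameters
    (web2py's rule) and its name is not underscore-prefixed (this example's rule)."""
    if func.__name__.startswith("_"):
        return False
    return len(inspect.signature(func).parameters) == 0


def dispatch(path: str):
    """Resolve /app/controller/function to a call; anything else is 404."""
    parts = [p for p in path.split("/") if p]
    if len(parts) < 3:
        return 404, "not found"
    _app, controller, action = parts[:3]
    functions = CONTROLLERS.get(controller)
    if functions is None:
        return 404, "not found"
    func = functions.get(action)          # explicit table: no filesystem lookup
    if func is None or not is_exposed(func):
        return 404, "not found"
    return 200, func()


if __name__ == "__main__":
    for url in ("/app/default/index", "/app/default/secret_helper",
                "/app/default/_cleanup", "/app/default/../controllers.py"):
        print(url, "->", dispatch(url))
```

Because the URL is resolved against an explicit table of functions rather than a path on disk, manipulating the URL with `..` segments or file names cannot reach anything outside the set of exposed functions; a private helper stays private no matter how the request is spelled.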