aah is a security-aware framework with enterprise-grade features that are easy to use.
aah takes security very seriously; you are welcome to peer review aah's 100% open source code to help ensure that no aah application is ever compromised or hacked. As an application developer you are responsible for any security breaches in your application. I do my best to make sure an aah application is as secure as possible.
What does aah do automatically?
aah automatically applies the following safety measures to protect your application from various attacks.
- Secure session data in a cookie, file or store, optionally AES encrypted and with the HttpOnly cookie flag set.
- CSRF prevention for web applications; it protects all HTML forms on the page.
- It is recommended to perform user logout via a POST request.
- XSS prevention on auto parse and bind, in the view engine and in template functions.
- Secure HTTP headers with many safe defaults for web applications and RESTful API services.
- Protection against DDoS attacks caused by large HTTP request bodies, by enforcing a hard limit on body size.
- Static file delivery prevents directory traversal vulnerabilities.
- All errors and stack traces from the application are logged to the log file and are not exposed externally when the environment profile is prod.
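As an added illustration of two of the measures above, written for this page in plain Go net/http rather than taken from aah's code base: a static-file path resolver that refuses directory traversal, and a middleware that enforces a hard request-body limit. Every name here (SafeStaticPath, LimitBody, ReadLimited, ServeStatic, the ./public root and the 1 MiB cap) is an assumption made for the example, not an aah API.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a requested path would resolve outside the static root.
var ErrTraversal = errors.New("requested path escapes the static root")

// SafeStaticPath maps a URL path (already percent-decoded by the server) onto a
// file under root. Cleaning the path as if it were absolute collapses "..",
// so "../../etc/passwd" becomes "/etc/passwd" and is then anchored under root.
// The final Rel check is defence in depth against any future change to Clean/Join.
// Hypothetical helper written for this page; not aah's own code.
func SafeStaticPath(root, reqPath string) (string, error) {
	clean := filepath.Clean("/" + filepath.FromSlash(reqPath))
	full := filepath.Join(root, clean)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return full, nil
}

// LimitBody caps every request body at max bytes. A client that sends more
// gets a read error inside the handler instead of forcing the server to
// buffer an unbounded upload. Hypothetical middleware for this example.
func LimitBody(h http.Handler, max int64) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, max)
		h.ServeHTTP(w, r)
	})
}

// ReadLimited is a hypothetical upload handler: it drains the body and reports
// the byte count, or answers 413 when the cap set by LimitBody was exceeded.
func ReadLimited(w http.ResponseWriter, r *http.Request) {
	n, err := io.Copy(io.Discard, r.Body)
	if err != nil {
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	fmt.Fprintf(w, "%d", n)
}

// ServeStatic builds a handler that serves files under root, refusing any
// request that SafeStaticPath rejects. The "/static" prefix is assumed.
func ServeStatic(root string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		full, err := SafeStaticPath(root, strings.TrimPrefix(r.URL.Path, "/static"))
		if err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		http.ServeFile(w, r, full)
	})
}

func main() {
	mux := http.NewServeMux()
	mux.Handle("/static/", ServeStatic("./public"))                        // assumed static root
	mux.Handle("/upload", LimitBody(http.HandlerFunc(ReadLimited), 1<<20)) // assumed 1 MiB hard limit
	log.Fatal(http.ListenAndServe(":8080", mux))
}
```

The traversal check works because the path is cleaned as an absolute path before it is joined: any number of leading ".." segments can only climb to "/", which then lands inside root. The body cap relies on http.MaxBytesReader, which makes the handler's read fail once the limit is crossed rather than letting the request consume memory.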
Introducing Authentication and Authorization
A powerful security feature that is still easy to use from the application code base and view files. It is inspired by the Apache Shiro security library.
- Session management for web applications and stateless operation for RESTful services.
- aah supports ACL, RBAC, ABAC or custom (name your own) authorization; this flexibility is the core of aah's security design.
- Out-of-the-box (OOTB) supported auth schemes are Form Auth, Basic Auth, OAuth2 and Generic Auth.
- Multiple auth schemes within an application, each of which can be mapped on a per-route basis.