Security

build uncompromised security into your application

aah is a security aware framework and its easy to use. It was inspired by Apache Shiro security library.

aah takes security very seriously, you’re welcome to do peer review of aah’s 100% open source code to ensure nobody’s aah application is ever compromised or hacked. As an application developer you’re responsible for any security breaches. I do my best to make sure aah application is as secure as possible.

What aah automatically does?

aah automatically does following safety measures to protect your application from various attacks.

  •  Secure session data on cookie/file/store, optionaly AES encrypted and HTTP only.
  •  CSRF prevention for web application, it protects all HTML forms on the page.
    •  It's recommended to use user Logout with POST request.
  •  XSS prevention - on Auto parse and bind, view engine and template functions.
  •  Secure HTTP headers with many safe defaults for Web application and RESTful API service.
  •  To protect against DDoS attacks caused by large HTTP request bodies by enforcing a hard limit.
  •  Static file delivery prevents directory traversal vulnerability.
  •  All errors and traces from application gets logged into log file, not exposed outside on environment profile prod.

Introducing Authentication and Authorization

Powerful security feature yet easy to use with application code base and view files.

  •  Cool session management for web applications and stateless for RESTful.
  •  You can implement Role based or Permission based or Role and Permissions based
  •  OOTB supported auth schemes are Form Auth, Basic Auth and Generic Auth.
  •  Mutliple auth-schemes within application and each can be mapped per route basis.