Security shouldn't be an afterthought. That's why Oorian includes comprehensive security features enabled by default, aligned with OWASP guidelines. In this post, we'll explore the security protections built into every Oorian application.
The Philosophy: Secure by Default
Most web frameworks require developers to explicitly enable security features, configure middleware, and remember best practices for every request. This "opt-in" approach leads to vulnerabilities when developers forget or misconfigure protections.
Oorian takes the opposite approach: security is enabled by default. You have to explicitly opt out of protections, not opt in. This means even if you forget to think about security, your application is still protected.
XSS Prevention: Automatic Output Escaping
Cross-Site Scripting (XSS) remains one of the most common web vulnerabilities. Oorian eliminates this entire class of attacks by automatically escaping HTML content:
// User input is automatically escaped
String userInput = "<script>alert('xss')</script>";
Div message = new Div();
message.setText(userInput);
// Renders as: <script>alert('xss')</script>The setText() method on every element escapes HTML entities by default. If you need to render trusted HTML content, you must explicitly call setRawHtml()—a deliberate action that signals "I know this content is safe."
Oorian also provides sanitization utilities for when you need more control:
// Strip all HTML tags
String plainText = Sanitizer.stripTags(htmlContent);
// Allow only specific safe tags
String limited = Sanitizer.allowTags(html, "b", "i", "a");
// Sanitize URLs to prevent javascript: attacks
String safeUrl = Sanitizer.url(userProvidedUrl);CSRF Protection
Cross-Site Request Forgery attacks trick users into performing actions they didn't intend. Oorian's built-in CSRF protection validates every request automatically. No tokens to manage, no middleware to configure—it just works.
The protection works across all communication modes (AJAX, SSE, and WebSocket), ensuring your application is protected regardless of how you've configured page communication.
WebSocket-Specific Security
Oorian's WebSocket-based architecture requires specialized security measures. We've implemented protections specifically designed for real-time communication:
Origin Validation
WebSocket connections validate the Origin header to prevent cross-site WebSocket hijacking. Configure allowed origins at the application level:
// In your Application class
setAllowedOrigins("https://myapp.com", "https://*.myapp.com");Connection Limits
Prevent resource exhaustion by limiting connections per user and per IP:
setMaxConnectionsPerUser(10);
setMaxConnectionsPerIP(50);Message Size Limits
Configurable maximum message sizes prevent memory exhaustion attacks:
setMaxWebSocketMessageSize(1_000_000); // 1MBRate Limiting
Built-in throttling prevents abuse by limiting events per time window:
// 100 requests per minute
setDefaultRateLimit(100, Duration.ofMinutes(1));Security Headers
Oorian automatically sets security headers that protect against common attacks:
- Strict-Transport-Security (HSTS): Forces HTTPS connections
- X-Content-Type-Options: Prevents MIME-type sniffing
- X-Frame-Options: Protects against clickjacking
- X-XSS-Protection: Enables browser XSS filters
- Referrer-Policy: Controls referrer information
- Permissions-Policy: Restricts browser features
Configure headers centrally in your Application class, and every page benefits automatically.
Secure Cookie Defaults
Session cookies are configured with secure attributes by default:
- HttpOnly: Prevents JavaScript access to cookies
- Secure: Cookies only sent over HTTPS (in production)
- SameSite: Prevents CSRF attacks via cookies
Access Control Annotations
Declarative security annotations integrate with Oorian's page architecture:
@Page("/admin/users")
@RequiresAuth
@RequiresRole("ADMIN")
public class UserManagementPage extends HtmlPage
{
// Only authenticated admins can access
}
@Page("/settings")
@RequiresAuth
@RequiresPermission("settings:edit")
public class SettingsPage extends HtmlPage
{
// Fine-grained permission check
}Session Management
Configure session timeouts at the application level with page-specific overrides for sensitive operations:
// Application defaults
setDefaultIdleTimeout(Duration.ofMinutes(30));
setDefaultAbsoluteTimeout(Duration.ofHours(8));
// Override for sensitive pages
@Page("/banking/transfer")
@SessionTimeout(idle = 5, unit = TimeUnit.MINUTES)
public class TransferPage extends HtmlPage { }Input Validation Framework
Annotation-based validation integrates with form handling:
public void onFormSubmit(FormEvent event)
{
ValidationResult result = Validator.validate(event.getParameters())
.field("email").notEmpty().email()
.field("password").notEmpty().minLength(8)
.field("age").range(18, 120)
.check();
if (!result.isValid())
{
showErrors(result.getErrors());
return;
}
// Process valid input
}OWASP Top 10 Coverage
Oorian's security features align with the OWASP Top 10 vulnerabilities:
| A01: Broken Access Control | Page-level security annotations, session management |
| A02: Cryptographic Failures | Secure cookie defaults (HttpOnly, Secure, SameSite) |
| A03: Injection | Auto-escaping output, input sanitization, validation framework |
| A04: Insecure Design | Rate limiting, message size limits, session timeouts |
| A05: Security Misconfiguration | Security headers middleware, secure defaults |
| A07: Auth Failures | CSRF protection, origin validation |
Conclusion
Security shouldn't require constant vigilance from developers. By building comprehensive protections into the framework itself—enabled by default—Oorian ensures that even applications written by developers who aren't security experts are protected against common attacks.
The best security feature is one you don't have to remember to use. With Oorian, you're protected from the start.
For more details, visit the Built-in Security feature page.