[erlang-questions] Erlang web framework
eigenfunction
emeka_1978@REDACTED
Sun Dec 11 12:03:57 CET 2011
If I understood correctly, you have a clean separation between the client and the server. I think this type of application is even more difficult to secure, because you have to think twice before you implement any type of action that might modify something on the server side.

The Spring framework used to use the argument of scalability of stateless applications as a selling point in the Java world. But as we all know, stateful applications scale as well. Apple uses WebObjects, some other people use Tapestry, Wicket, Lift, Smalltalk Seaside. They all scale and they have the benefit that they are almost secure by default, I mean they are very resistant to the attacks described by OWASP. My problems with them: Tomcat, JBoss, Maven, Scala versioning, build time, JPA, JDO, POJO, Hibernate and the list goes on.

I believe Erlang has great potential in this area, since it's easy to build self-contained Erlang applications and OTP is definitely killing it.
> And you can't have SQL injection if you don't use any SQL :)
>
> So Maru won't have to worry about SQL injection... but XSS I'm not sure
> what to do about yet and some other things I'm not sure what to do about
> yet. Besides the obvious things like using SSL for everything so sessions
> can't be stolen and I run through CloudFlare.
>
> I'd love to be able to say security was a major feature of Maru, especially
> since I'm basing my business on this technology, haha, so if you have any
> suggestions from your experience please let me know and any resources links
> would be great -- we can take that off list.
All the links and buttons that can execute an action on the server are associated with an identification number which is a combination of server session id + request number + some automatically generated GUID + some other thing. If you have time, take a look at Seaside. Of course your solution is completely different, since you are aiming for rich client JavaScript. But to be honest with you, I would rather have my JavaScript generated automatically. I have written JavaScript some years ago and it is fun as long as your application is not big enough. One day, I forgot to put "var" in front of a variable name and the app would just always crash; it took me one week to catch that. I would not touch JS again to write anything more than, let's say, 300 LOC.
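The action-identifier scheme described above (every server-side action reachable from a page is bound to an unguessable id tied to the session), sketched as a small Erlang module. This is an added example for the thread, not code from Seaside, Maru or any other framework mentioned here; the module name `action_registry`, the record layout and the id format are assumptions, and it assumes OTP 24 or later for `binary:encode_hex/1`.

```erlang
%% Added example (not code from the thread or any framework it mentions):
%% a per-session registry of server-side actions in the style of Seaside's
%% action links. Each link or button the page can trigger is registered
%% under an id made of session id + request number + random GUID, and the
%% server only runs an action whose id was issued to the presenting session.
-module(action_registry).
-export([new/1, register_action/2, invoke/3]).

%% Registry state: owning session, a request counter and a map of
%% action id -> fun/0 (the server-side callback for that link).
-record(registry, {session_id, req_no = 0, actions = #{}}).

%% Create an empty registry for one session (SessionId is a binary).
new(SessionId) ->
    #registry{session_id = SessionId}.

%% Register Action (a fun/0) and return the id to embed in the link.
%% The 16 random bytes are the part that makes the id unguessable; the
%% session id and request number are bookkeeping, as in the post.
register_action(Action, R = #registry{session_id = Sid, req_no = N,
                                      actions = Acts}) ->
    Guid = binary:encode_hex(crypto:strong_rand_bytes(16)),
    Id = iolist_to_binary([Sid, "-", integer_to_binary(N), "-", Guid]),
    {Id, R#registry{req_no = N + 1, actions = Acts#{Id => Action}}}.

%% Run the action behind Id, but only for the session that registered it.
%% The id is consumed on use, so a captured or replayed link does nothing
%% the second time. A request from another session or with an unknown id
%% is rejected without touching any action.
invoke(SessionId, Id, R = #registry{session_id = SessionId,
                                    actions = Acts}) ->
    case maps:take(Id, Acts) of
        {Action, Rest} ->
            {ok, Action(), R#registry{actions = Rest}};
        error ->
            {error, unknown_action, R}
    end;
invoke(_OtherSession, _Id, R) ->
    {error, wrong_session, R}.
```

In an Erlang shell, `R0 = action_registry:new(<<"sess-1">>)`, then `{Id, R1} = action_registry:register_action(fun() -> deleted end, R0)` yields an id of the form `<<"sess-1-0-<32 hex chars>">>`; `action_registry:invoke(<<"sess-1">>, Id, R1)` returns `{ok, deleted, R2}`, and repeating the same call against `R2` returns `{error, unknown_action, R2}`, while `action_registry:invoke(<<"sess-2">>, Id, R1)` returns `{error, wrong_session, R1}`. The security of the scheme rests on the random component and on the server-side lookup, not on the visible session id or counter; a deployment that puts these ids in URLs would want to keep the raw session id out of them, since URLs leak through referrers and logs.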