<div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>My time with webobjects development taught me that securing web</div>
applications is extremely difficult, <span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">so that when the web-framework can do it automatically, it is a great </span><span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">win for everybody.</span></blockquote>
<div> </div><div>Couldn't agree more. I really liked that with Opa, SQL injection and XSS were taken care of. Of course, I know it can't be perfect at stopping XSS attacks, but it's still very nice to have that built in. For example, I wrote a little project, Opado, without caring about security, since I was just learning at the time. And of course people tried, as you can see from the name examples here <a href="http://opado.org/admin">http://opado.org/admin</a> (takes a bit of time to load), but Opa catches it.</div>
<div><br></div><div>And you can't have SQL injection if you don't use any SQL :)</div><div><br></div><div>So Maru won't have to worry about SQL injection... but I'm not sure yet what to do about XSS, or about some other things. That's besides the obvious measures, like using SSL for everything so sessions can't be stolen, and running through CloudFlare.</div>
<div><br></div><div>I'd love to be able to say security was a major feature of Maru, especially since I'm basing my business on this technology, haha, so if you have any suggestions from your experience please let me know and any resources links would be great -- we can take that off list.</div>
<div><br></div><div>And I hope Genbu (the apps where security will actually be implemented: users, sessions, resource control rules, etc.) will be usable from other frameworks, so that there is a core set of secure, community-tested Erlang apps for this that any framework or web server can use. Sort of like Apache Shiro.</div>
<div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">But I tried some of the examples and it was not working.</blockquote>
<div><br></div><div>You should definitely give it another shot. Maybe the new version, S4, will work more easily for you. I found it simple to start with, as it just compiles to a single binary that you run, without having to worry about starting any services or installing other dependencies (unless you want distribution, in which case you need HAProxy).</div>
<div><br></div><div>Tristan</div></div>
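The message above credits Opa with handling XSS automatically and leaves open how an Erlang framework such as Maru might do the same. The core of such a feature is that every piece of untrusted data is escaped for the context it is rendered into, by default, at output time. The module below is an added example written for this thread; it is not code from Opa, Maru or Genbu, and the module name <code>html_escape</code>, the function names and the sample inputs are all made up for illustration. It escapes the characters that change meaning in HTML text and quoted-attribute contexts and shows how a template helper would apply it to a user-supplied name.

```erlang
%% Added example for this thread: context-aware escaping of untrusted input
%% for HTML text and quoted attribute values. Illustrative code, not part of
%% Opa, Maru or Genbu; module and function names are hypothetical.
-module(html_escape).
-export([escape/1, render_name/1, self_test/0]).

%% Escape the five characters that can break out of an HTML text node or a
%% double/single-quoted attribute value. Accepts a binary, string or iolist;
%% returns a binary. Bytes >= 128 (UTF-8 continuation bytes) pass through
%% untouched, so multi-byte characters are preserved as-is.
-spec escape(iodata()) -> binary().
escape(Input) ->
    Bin = iolist_to_binary(Input),
    iolist_to_binary([escape_byte(C) || <<C>> <= Bin]).

escape_byte($&) -> <<"&amp;">>;
escape_byte($<) -> <<"&lt;">>;
escape_byte($>) -> <<"&gt;">>;
escape_byte($") -> <<"&quot;">>;
escape_byte($') -> <<"&#39;">>;   %% &apos; is not valid in HTML4, so use a numeric ref
escape_byte(C)  -> <<C>>.

%% A template helper of the kind a framework would call for every interpolated
%% value: the caller never has to remember to escape, because the helper does.
%% Renders a user-supplied display name into a list item and an attribute.
-spec render_name(iodata()) -> binary().
render_name(Name) ->
    Safe = escape(Name),
    iolist_to_binary([<<"<li title=\"">>, Safe, <<"\">">>, Safe, <<"</li>">>]).

%% Constructed inputs of the sort seen on an unprotected "enter your name" form.
self_test() ->
    <<"&lt;script&gt;alert(1)&lt;/script&gt;">> =
        escape(<<"<script>alert(1)</script>">>),
    %% Attribute breakout attempt: the quote is neutralised, so the onmouseover
    %% never leaves the title attribute.
    <<"&quot; onmouseover=&quot;x()">> =
        escape(<<"\" onmouseover=\"x()">>),
    <<"Tristan">> = escape("Tristan"),
    <<"<li title=\"&lt;b&gt;\">&lt;b&gt;</li>">> = render_name(<<"<b>">>),
    ok.
```

Run with <code>erlc html_escape.erl &amp;&amp; erl -noshell -eval 'ok = html_escape:self_test(), init:stop().'</code>. Two caveats matter when turning this into a framework feature: HTML escaping is only correct for text nodes and quoted attribute values, so data placed inside a <code>&lt;script&gt;</code> block, a URL, or an unquoted attribute needs a different encoder for that context; and the safe default is to escape everything and require an explicit "raw" marker for the rare pre-sanitised fragment, rather than the other way round.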