2

My understanding is that Vaadin's architecture, partly/mainly because it uses AJAX, may be slightly/significantly more inherently secure than a typical web project built using, say, a react.js/angular + Java REST based solution. Is this true when it comes to protecting against DOS or DDOS attacks? If not, are there any prebuilt Vaadin components/libraries to protect against such DOS or DDOS attacks? (FYI: I'm on Vaadin 12 and will move to Vaadin 14 as soon as it becomes available.)

Jonathan Sylvester

1 Answer

3

The reason Vaadin's architecture can be more secure is mostly because it reduces the risk of programming mistakes:

  1. The framework manages the client-server communication for you. This means that things like CSRF tokens and certain types of input validation are always automatically in use. When you build your own communication logic, there's a risk that you forget or omit certain safeguards.
  2. All your business logic is running on a trusted server instead of in a browser that can be directly manipulated by an attacker. This means that it's easier to keep business secrets away from prying eyes and it also means that you e.g. don't have to duplicate your validation rules so that they can run both in the browser and on the server.

When it comes to operational concerns such as DOS, the situation is in some cases the opposite. Moving more of the logic and state management to the server also means that it's easier to overload the server. I don't think there are any mitigations specific to Vaadin in this space, but rather the regular solutions such as various forms of rate limiting.

Leif Åstrand
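As an added illustration of the "regular" rate limiting the answer points to (example code, not from the question, the answer or the Vaadin project): a servlet filter with a per-client token bucket placed in front of a Vaadin application, so that every request, including the UIDL and heartbeat traffic that drives server-side state, is counted. The bucket size, refill rate and the use of the remote address as the client key are assumptions.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical per-client token bucket applied to every request of a Vaadin
// servlet (the Servlet 3.x / javax API used by Vaadin 12 and 14).
// asyncSupported is set so the filter does not break Vaadin push.
@WebFilter(urlPatterns = "/*", asyncSupported = true)
public class RequestRateLimitFilter implements Filter {
    private static final int BURST = 50;             // assumed bucket capacity
    private static final double REFILL_PER_SEC = 10; // assumed steady-state rate
    // Grows with the number of distinct clients; evict idle entries in production
    // so the limiter itself cannot be used to exhaust memory.
    private final ConcurrentMap<String, Bucket> buckets = new ConcurrentHashMap<>();

    static final class Bucket {
        double tokens = BURST;
        long lastNanos = System.nanoTime();

        synchronized boolean tryConsume() {
            long now = System.nanoTime();
            tokens = Math.min(BURST, tokens + (now - lastNanos) / 1e9 * REFILL_PER_SEC);
            lastNanos = now;
            if (tokens < 1) return false;
            tokens -= 1;
            return true;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Keying on the remote address is an assumption; behind a reverse proxy
        // take the client address from the proxy instead.
        String key = ((HttpServletRequest) req).getRemoteAddr();
        Bucket b = buckets.computeIfAbsent(key, k -> new Bucket());
        if (!b.tryConsume()) {
            HttpServletResponse out = (HttpServletResponse) res;
            out.setHeader("Retry-After", "1");
            out.sendError(429, "Too Many Requests"); // reject before Vaadin touches session state
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Rejecting in the filter, before the request reaches the Vaadin servlet, is what keeps an abusive client from consuming server-side UI state; the filter is a per-node limiter and does not replace edge or network-level protections against distributed floods.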