There are two major segments to creating a "secure" web application. You need to write code to manage user authentication and authorization to ensure that you grant access only to the right people. Then you need to make sure that you don't write application code that opens you up to potentially malicious behavior. For the first set of issues, TurboGears provides the Identity framework, which can handle user authentication for you and provides a very user-friendly API for adding authorization logic to your application. For the second set, TurboGears provides a number of "automatic" mechanisms to help you avoid cross-site scripting and SQL injection attacks. TurboGears is designed around the philosophy that it should feel easy and natural to do the right thing when it comes to writing secure code. Of course, that doesn't mean you can ignore the potential security problems you might face. In this chapter we'll go over the major types of vulnerabilities so you'll be able to avoid them.