OWASP Top 10 — Web Application Security

We went through an audit by an external penetration tester and the results were instructive. OWASP Top 10 is a minimum, not a maximum.

SQL Injection¶

Still number one. In JPA: use parameterized queries. Never JPQL with user input. For native SQL: PreparedStatement, never Statement.

Output encoding — every output to HTML must be escaped. In JSF this is the default (EL expressions). Watch out for h:outputText with escape=false.

CSRF token in every form. JSF has built-in CSRF protection (ViewState). For REST APIs: custom token in an HTTP header.

HTTPS everywhere. Cookie flags: Secure, HttpOnly, SameSite. Session timeout of 30 minutes (15 for banking). Session ID regeneration after login.

Apache reverse proxy adds: X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security.

Every application must go through a security audit. Internal code review is not enough — you need an external penetration test.

owaspsecurityjavaweb

We build core systems and AI agents that keep operations running. 15 years of experience with enterprise IT.

Our experts can help with design, implementation, and operations. From architecture to production.