Security in Frappe

Does Frappe Framework have security features against these things?

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • SQL injection
  • Clickjacking
  • Host header validation



The Frappé framework has received many fixes in the past years to solve these issues.

XSS: control is granular; you can enable or disable it for some fields if you trust the data.

CSRF is disabled by default, and needs to be enabled if needed in the Nginx configuration.

SQL injection is prevented due to the good placeholder usage in the SQL queries, ensuring that all values that come from the user will be cast before being sent to the database.

Also, Python has PEP-249, which Frappe follows, to prevent SQL injection.

Clickjacking is prevented due to 1 and 2.

I’m not sure about Host header validation.
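
The placeholder usage described in the answer above, as an added example that is not part of the original posts and is not Frappe's own code. It assumes Python's built-in `sqlite3` module as a stand-in PEP 249 driver (its `?` placeholder style differs from drivers that use `%s`), with a constructed table and constructed inputs, and goes slightly beyond the post by showing that a column name cannot be bound and needs an allowlist.

```python
import sqlite3

# Constructed sample data; table and column names are hypothetical.
ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("o'brien", "obrien@example.com"),
]
SORTABLE = {"name", "email"}  # allowlist: identifiers cannot be bound as values


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", ROWS)
    return conn


def emails_formatted(conn, name):
    """Weak form: the user value is pasted into the SQL text itself."""
    query = "SELECT email FROM user WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in conn.execute(query)]


def emails_bound(conn, name, order_by="name"):
    """Placeholder form: SQL text is fixed, the value travels separately."""
    if order_by not in SORTABLE:
        raise ValueError("unsupported sort column: %r" % order_by)
    query = "SELECT email FROM user WHERE name = ? ORDER BY " + order_by
    return [row[0] for row in conn.execute(query, (name,))]


def compare(conn, name):
    """Run both forms on one input and report what each returned."""
    try:
        weak = emails_formatted(conn, name)
    except sqlite3.Error as exc:
        weak = "error: " + type(exc).__name__
    return {"formatted": weak, "bound": emails_bound(conn, name)}


if __name__ == "__main__":
    db = make_db()
    for value in ("alice", "o'brien", "x' OR '1'='1"):
        print(repr(value), compare(db, value))
```

With the bound form, a quote character in the input is just data: the legitimate name `o'brien` matches its row, and the crafted value matches nothing.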


Host header validation is done in nginx. Provided you have a DNS multitenant setup, nginx won’t connect to a site unless the host field is right. And you can set nginx up with a default site for any errors.