Security audit

I also wanted to understand a bit about the security features provided by Wappler itself, like:

  1. Industry Standards:
    Does Wappler follow recognised security standards like OWASP Top 10, CWE Top 25, or the NIST Cybersecurity Framework?

  2. Code Security:
    Steps to ensure that the code is secure and follows best practices, e.g. the dmx libs? Are tools like Semgrep, etc. used in the release process?

@patrick @George, could you please provide some insight on this?

Wappler doesn't force you to use a certain implementation; we try to give you all the tools needed that fit your needs and follow standards as well as possible. It is good to follow the OWASP guidelines and we try to give you all the tools needed for that; if you miss something that is important, just let us know.

1 Like

There are vulnerabilities that we cannot resolve on our own without breaking standard Wappler code. Whether we can ignore any of these is the question, but it would be ideal if the High severity ones (red colour) were actioned by the Wappler team.

Bump.

bump

bump

Have you tried Claude Sonnet IV? It will even help to improve security.

I asked it to check one of my APIs, with this result:

Looking at this API endpoint, I can identify several security concerns:

Security Assessment: MODERATE RISK

Critical Issues:

  1. No Authentication/Authorization Check:
  • The API only checks if {{identity}} exists but doesn't validate it through a proper security provider
  • There's no auth/restrict step to ensure the user is actually logged in
  • Any request with any identity value could potentially access employee data
  2. Direct Database Query Without Validation:
  • The API directly queries the employee table using {{identity}} as the employee_id
  • No validation that the identity value is properly formatted or sanitized
  3. Information Disclosure:
  • Returns ALL employee fields including sensitive data like company_id, department_id, manager_id, etc.
  • No field filtering based on user permissions

Recommendations to Improve Security:

  1. Add Proper Authentication:

```json
{
  "name": "restrict",
  "module": "auth",
  "action": "restrict",
  "options": {
    "provider": "your_security_provider_name",
    "loginUrl": "/login"
  }
}
```

  2. Add Input Validation:

```json
"meta": {
  "$_GET": [
    {
      "name": "employee_id",
      "type": "number",
      "options": {
        "rules": {
          "core:required": {},
          "core:number": {}
        }
      }
    }
  ]
}
```

  3. Limit Returned Fields:
  • Only return necessary fields, not all employee data
  • Consider user permissions when deciding what data to expose
  4. Add Authorization Logic:
  • Verify the authenticated user can access the requested employee data
  • Implement role-based access control

Would you like me to help implement these security improvements? :+1:

4 Likes
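The three findings in the assessment above (trusting a client-supplied identity, querying without validation, and returning every column) are not Wappler-specific; the same pattern appears in any hand-written endpoint. The following is an added example, not code from the original post or from Wappler, written as plain Node.js request handlers over an in-memory table so it runs offline. The employee rows, the session store and the `req.query`/`req.cookies` shape are constructed for illustration; the vulnerable handler reproduces the pattern the assessment describes, and the hardened one applies the four recommendations in order: identity from the server-side session, input validation, an authorization check before any data is disclosed, and an allow-list of returned fields.

```javascript
'use strict';

// Constructed sample data (not from any real system).
const EMPLOYEES = [
  { employee_id: 1, name: 'Alice', email: 'alice@example.test', company_id: 10, department_id: 3, manager_id: null, salary: 120000 },
  { employee_id: 2, name: 'Bob',   email: 'bob@example.test',   company_id: 10, department_id: 3, manager_id: 1,    salary: 80000 },
  { employee_id: 3, name: 'Carol', email: 'carol@example.test', company_id: 20, department_id: 7, manager_id: null, salary: 95000 },
];

// Constructed server-side session store: session cookie -> authenticated identity.
const SESSIONS = new Map([
  ['sess-bob',   { employee_id: 2, role: 'employee' }],
  ['sess-alice', { employee_id: 1, role: 'manager' }],
]);

function findEmployee(id) {
  return EMPLOYEES.find(e => e.employee_id === id) || null;
}

// VULNERABLE: the pattern the assessment describes. "identity" is read straight
// from the query string, so any caller can name any employee_id, the only check
// is that the value is present, and the whole row (salary included) comes back.
function getEmployeeVulnerable(req) {
  const identity = req.query.identity;
  if (!identity) return { status: 401, body: { error: 'no identity' } };
  const row = findEmployee(Number(identity));
  return row ? { status: 200, body: row } : { status: 404, body: { error: 'not found' } };
}

// Allow-list of fields the endpoint may ever return (recommendation 3).
const PUBLIC_FIELDS = ['employee_id', 'name', 'email', 'department_id'];

function pick(row, fields) {
  const out = {};
  for (const f of fields) if (f in row) out[f] = row[f];
  return out;
}

// HARDENED:
//  1. authentication: identity comes from the server-side session, never the client
//  2. input validation: employee_id must be a positive integer
//  3. authorization: a caller may read their own record, or, as a manager, a direct report's
//  4. output filtering: only allow-listed fields are returned
function getEmployeeHardened(req) {
  const session = SESSIONS.get(req.cookies.session);
  if (!session) return { status: 401, body: { error: 'login required' } };

  const raw = req.query.employee_id;
  if (!/^[1-9][0-9]*$/.test(String(raw))) {
    return { status: 400, body: { error: 'employee_id must be a positive integer' } };
  }
  const target = Number(raw);

  const row = findEmployee(target);
  // Authorization before disclosure: answer 404 for both "no such record" and
  // "not yours", so record existence is not leaked to unauthorized callers.
  const ownRecord = row !== null && row.employee_id === session.employee_id;
  const directReport = row !== null && session.role === 'manager' && row.manager_id === session.employee_id;
  if (!(ownRecord || directReport)) return { status: 404, body: { error: 'not found' } };

  return { status: 200, body: pick(row, PUBLIC_FIELDS) };
}
```

The point worth taking back into a Wappler API action is the ordering: the restrict step and the input rules run before the database query, and the authorization comparison (requested id against the session's own id or its reports) happens before the query result is placed in the response.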