Several of Yesod's responses to other items on the list are humorous in their vagueness, but in my experience for Clojure:
1. Injection: Done by JDBC's prepared statements, and clojure.jdbc's use of them.
2. XSS injection: Depends on templating. Hiccup requires explicit `(h ..)` calls. laser is escape by default. I am unsure about enlive, clabango, or others.
3. Authentication & Session Management: I've used friend for authentication, and bcrypt for encryption. lib-noir has some functions that use bcrypt, but I've not used it. Session management can be specified by the :store given to wrap-session, and defaults to an in-memory store. A cookie store also exists that provides some protection against cookie mutation. Immutant provides a store that can work across a cluster.
4. Insecure Reference: There is not a standard ORM or similar, so handling only the correct parameters is up to you.
5. CSRF: ring-anti-forgery provides a way to add CSRF prevention tokens.
6. Security Misconfiguration: This seems to be the domain of chef, pallet, puppet, capistrano or another deployment tool. I'm not sure I want my libraries to mess with deployments.
7. Insecure Cryptographic Storage: Use bcrypt. See 3.
8. Failure to Restrict URL access: I've used friend for authorization.
9. Insufficient Transport Layer Protection: I'd recommend letting your front end server handle this and redirect to https. I believe lib-noir has a middleware that will redirect from http to https if needed. Consider passing `:secure true` to `wrap-cookies` if you have an https only site.
10. Unvalidated Redirects and Forwards: URL generation is a weak spot in a compojure-based setup. For comparison, pedestal-service wrote its own routing DSL and stores the routes in a way that allows URL generation based on the context passed in.
I believe the use of many small libraries is what causes the lack of a single spot for this documentation. I've picked up most of what I described above by knowing the authors / what to google / asking + watching IRC. That does seem like an unfortunate situation for anyone new to have to learn.
-
Nelson Morris
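As an added illustration of items 1, 2, 3 and 5 above (example code, not from the post or from any of the libraries it names), here is a minimal Ring app wiring together a parameterized clojure.java.jdbc query, explicit hiccup escaping with `h`, a cookie session store with secure cookie attributes, and ring-anti-forgery. The `db` spec, the `users` table and the 16-byte store key are assumed placeholders.

```clojure
(ns example.app
  (:require [clojure.java.jdbc :as jdbc]
            [hiccup.core :refer [html h]]
            [ring.middleware.params :refer [wrap-params]]
            [ring.middleware.session :refer [wrap-session]]
            [ring.middleware.session.cookie :refer [cookie-store]]
            [ring.middleware.anti-forgery :refer [wrap-anti-forgery
                                                  *anti-forgery-token*]]))

;; Assumed placeholder DB spec with an assumed users(id, name) table.
(def db {:dbtype "h2" :dbname "mem:demo"})

;; Item 1 (Injection): the user-supplied name travels as a JDBC bind
;; parameter; it is never concatenated into the SQL string.
(defn find-user [db name]
  (first (jdbc/query db ["SELECT id, name FROM users WHERE name = ?" name])))

;; Item 2 (XSS): hiccup does not escape by default, so untrusted values
;; are wrapped in (h ...). The hidden field carries the CSRF token
;; that wrap-anti-forgery will check on the POST (item 5).
(defn profile-page [user token]
  (html
   [:h1 (h (:name user))]
   [:form {:method "post" :action "/profile"}
    [:input {:type "hidden" :name "__anti-forgery-token" :value token}]
    [:input {:type "submit" :value "Save"}]]))

(defn handler [request]
  (let [name (get-in request [:params "name"] "")
        user (or (find-user db name) {:name name})]
    {:status  200
     :headers {"Content-Type" "text/html; charset=utf-8"}
     ;; *anti-forgery-token* is bound by wrap-anti-forgery for this request.
     :body    (profile-page user *anti-forgery-token*)}))

;; Item 3 (Sessions) + item 5 (CSRF). With ->, the last form is the
;; outermost middleware, so a request flows params -> session ->
;; anti-forgery -> handler: anti-forgery needs both the parsed form
;; params and the session to exist before it runs.
(def app
  (-> handler
      wrap-anti-forgery
      (wrap-session {:store (cookie-store {:key (byte-array 16)}) ; placeholder key
                     :cookie-attrs {:secure true :http-only true}})
      wrap-params))
```

Replace the zero-filled placeholder key with a random 16-byte secret loaded from configuration; the cookie store signs and encrypts session data with it, so a predictable key defeats the cookie-mutation protection mentioned under item 3.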