Security

By using Java and JSF with Facelets you have a good base to build secure applications. Tobago supports additional security concepts:

• Content Security Policy
• Sanitize suspicious code.
• Checking annotated method calls for Roles.
• Setting HTTP headers X-Frame-Options and X-Content-Type-Options
• Using session secrets to avoid Cross-Site Request Forgery (CSRF). This is configurable in the tobago-config.xml
• and some mottle features...