The security checklist reminds the team what to focus on during the code review. Specifically, for Struts framework security, the Struts security implementation checklist is summarized in the following points. The Struts security reference source is at https://struts.apache.org/security/:
- The Config Browser Plugin should be used only in the development environment
- Group actions in one namespace by security level
- Put all the JSP files under WEB-INF to avoid direct access of JSP files
- Disable development mode (devMode)
- Reduce the logging level in the production environment
- Use UTF-8 encoding
- Validate the input parameters passed to getText()
- Don't use a raw ${} EL expression directly for the input ...
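Several of the checklist items above are settings a reviewer can verify mechanically in `struts.xml`. The script below is an added example, not code from the page or from the Struts project: it parses a constructed sample configuration and reports the items it can see in that file (devMode enabled, missing UTF-8 encoding, JSP results rendered from outside `/WEB-INF`, and actions left in the root namespace rather than grouped into a security-level namespace). The root-namespace check is a heuristic prompt for the reviewer, not a definitive verdict; the Config Browser plugin and the logging level live in the build descriptor and the logging configuration, so they are out of scope here. The constant names `struts.devMode` and `struts.i18n.encoding` are real Struts constants; the sample configuration and action classes are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample struts.xml (an assumption for this example, not a real
# project file). It deliberately violates several checklist items.
SAMPLE_STRUTS_XML = """
<struts>
    <constant name="struts.devMode" value="true"/>
    <package name="default" namespace="/" extends="struts-default">
        <action name="login" class="app.LoginAction">
            <result name="success">/pages/home.jsp</result>
            <result name="input">/WEB-INF/jsp/login.jsp</result>
        </action>
        <action name="admin" class="app.AdminAction">
            <result>/WEB-INF/jsp/admin.jsp</result>
        </action>
    </package>
</struts>
"""

# Constructed hardened counterpart: devMode off, UTF-8 set, every JSP under
# /WEB-INF, and actions grouped into a dedicated namespace.
HARDENED_STRUTS_XML = """
<struts>
    <constant name="struts.devMode" value="false"/>
    <constant name="struts.i18n.encoding" value="UTF-8"/>
    <package name="admin" namespace="/admin" extends="struts-default">
        <action name="dashboard" class="app.AdminAction">
            <result>/WEB-INF/jsp/admin.jsp</result>
        </action>
    </package>
</struts>
"""


def audit_struts_xml(xml_text):
    """Return a list of (rule, detail) findings for the given struts.xml text.

    Rules: 'devMode', 'encoding', 'jsp-location', 'namespace'.
    """
    root = ET.fromstring(xml_text)
    findings = []

    # <constant name="..." value="..."/> entries, keyed by name.
    constants = {c.get("name"): c.get("value") for c in root.iter("constant")}

    # Checklist: disable development mode. Struts defaults devMode to false,
    # so only an explicit "true" is a finding.
    if constants.get("struts.devMode", "false").strip().lower() == "true":
        findings.append(("devMode", "struts.devMode is enabled"))

    # Checklist: use UTF-8 encoding.
    encoding = constants.get("struts.i18n.encoding")
    if encoding is None or encoding.strip().upper() != "UTF-8":
        findings.append(("encoding", "struts.i18n.encoding is not set to UTF-8"))

    for pkg in root.iter("package"):
        namespace = pkg.get("namespace", "")
        prefix = namespace.rstrip("/")

        # Checklist: put JSP files under WEB-INF so they cannot be requested
        # directly; flag any result that renders a JSP from elsewhere.
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                target = (result.text or "").strip()
                if target.lower().endswith(".jsp") and not target.startswith("/WEB-INF/"):
                    findings.append((
                        "jsp-location",
                        f"{prefix}/{action.get('name')} renders {target} outside /WEB-INF",
                    ))

        # Checklist: group actions in one namespace by security level.
        # Heuristic: actions living in the root namespace have not been grouped.
        if namespace in ("", "/") and any(True for _ in pkg.iter("action")):
            findings.append((
                "namespace",
                f"package {pkg.get('name')} keeps actions in the root namespace",
            ))

    return findings


if __name__ == "__main__":
    for rule, detail in audit_struts_xml(SAMPLE_STRUTS_XML):
        print(f"[{rule}] {detail}")
    print("hardened config findings:", audit_struts_xml(HARDENED_STRUTS_XML))
```

Run against the sample it reports four findings, one per violated item, and nothing for the hardened configuration; in a real review the script would be pointed at the project's `struts.xml` instead of the embedded strings.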