I’ve been considering using Google App Engine for a few hobby projects. While they won’t be handling any sensitive data, I’d still like to make them relatively secure for a number of reasons, like learning about security, legal, etc.
What security issues need to be addressed when working with Google App Engine?
Are they the same issues that other applications – like applications written in other languages or hosted in other ways – are faced with?
Edit: I did some searching and it looks like I need to sanitize input for XSS and Injection. What are other things to consider?
“Sanitising” input is not the way to avoid query-injection and markup-injection problems. Using the correct form of escaping at the output stage is… or, even better, using a higher-level tool that deals with it for you.
So for preventing query-injection against GQL, use the parameter-binding interface of GqlQuery. For preventing markup-injection against HTML (leading to XSS), use the HTML-escaping feature of whatever templating language you’re using. For example, for Django templates, |escape… or, better, {% autoescape on %} so you don’t accidentally miss one.
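The two points in the answer above, as an added example that is not part of the original answer: binding a value instead of pasting it into the query text, and escaping at the output stage. It assumes Python's standard-library sqlite3 and html.escape as offline stand-ins for the App Engine datastore and Django's escaping; the table, column and function names are hypothetical.

```python
import html
import sqlite3

def make_db():
    # Constructed sample rows; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE greeting (author TEXT, content TEXT)")
    db.executemany("INSERT INTO greeting VALUES (?, ?)", [
        ("alice", "hi"),
        ("bob", "<b>yo</b>"),
        ("o'brien", "it's <i>me</i>"),
    ])
    return db

def find_concat(db, author):
    # Before: the value is pasted into the query text, so a quote
    # character inside it is parsed as query syntax.
    sql = "SELECT content FROM greeting WHERE author = '%s'" % author
    return db.execute(sql).fetchall()

def find_bound(db, author):
    # After: the value is bound, never parsed as query text. The GQL form
    # (Greeting/author are hypothetical names) would be:
    #   db.GqlQuery("SELECT * FROM Greeting WHERE author = :1", author)
    sql = "SELECT content FROM greeting WHERE author = ?"
    return db.execute(sql, (author,)).fetchall()

def render_raw(content):
    # Before: stored text goes into the markup unescaped.
    return "<p>%s</p>" % content

def render_escaped(content):
    # After: escape at output, as |escape or autoescape would in a template.
    return "<p>%s</p>" % html.escape(content, quote=True)

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print(len(find_concat(db, crafted)), "rows from the concatenated query")
    print(len(find_bound(db, crafted)), "rows from the bound query")
    print(find_bound(db, "o'brien"))
    print(render_escaped(find_bound(db, "o'brien")[0][0]))
```

The author name containing an apostrophe is stored and looked up unchanged through the bound query, while the concatenated query fails on it, so nothing has to be stripped from the input.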