We have a web application developed with Flex-Java combination. The GUI is completely in Flex and Java forms the business layer. The issue we are facing is of cross-site scripting and content spoofing threats. How can we avoid/remedy such threats? We are using Flex builder 3 (3.0.1..) and LCDS. Is there any settings we need to change or does some new release solve this threat?
We are facing this in production; any potential suggestion will be helpful. Thanks in advance.
Are you aware of using a cross-domain policy file? This is what I believe you will need to use. Using one will restrict clients from specific domains from accessing your code or downloading your SWF.
Here is a new article I just found about cross-domain file.
This article is about dynamically generating a cross-domain file, which you probably will not need. However the first half (up to 'The Solution' section) of the article is pretty informative.
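A cross-domain policy file (crossdomain.xml) tells Flash Player which other origins may load data from your server with the user's credentials, so an over-permissive one is itself a cross-site risk. The following is an added example, not code from the question or the answer above: a small Python audit that parses a crossdomain.xml document and flags the settings a reviewer would want changed (an `allow-access-from domain="*"` rule, `secure="false"`, a `site-control` meta-policy of `all`, and wildcard `allow-http-request-headers-from`). The two policy documents are constructed sample input; the finding codes are this example's own naming.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the kind of policy that is often shipped "to make it work"
# and that lets any SWF on the web read responses with the victim's cookies.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed sample: only the sites you control, HTTPS-only access,
# and no policy files honoured outside the master file at the web root.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="www.example.com" secure="true"/>
  <allow-access-from domain="*.example.com"/>
</cross-domain-policy>
"""


def audit_crossdomain(xml_text):
    """Return a list of (code, message) findings for a crossdomain.xml document.

    An empty list means none of the checked weak settings are present; it does
    not mean the policy is correct for your deployment, only that the obvious
    wildcard and downgrade options are absent.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document: root is <%s>" % root.tag)

    findings = []

    # <site-control> decides whether policy files elsewhere on the host are honoured.
    # "all" lets any directory (including user-uploaded content) supply a policy.
    for sc in root.findall("site-control"):
        if sc.get("permitted-cross-domain-policies") == "all":
            findings.append(("SITE_CONTROL_ALL",
                             "site-control permits policy files from any path on the host"))

    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append(("ALLOW_ANY_DOMAIN",
                             "allow-access-from domain=\"*\" lets every origin read responses"))
        # "secure" defaults to true when the policy is served over HTTPS;
        # setting it to false allows plain-HTTP SWFs to read HTTPS responses.
        if rule.get("secure", "true").lower() == "false":
            findings.append(("SECURE_FALSE",
                             "allow-access-from for %s has secure=\"false\"" % (domain or "?")))

    # Wildcard header forwarding lets any origin attach arbitrary request headers.
    for hdr in root.findall("allow-http-request-headers-from"):
        if hdr.get("domain") == "*" and hdr.get("headers") == "*":
            findings.append(("HEADERS_ANY_DOMAIN",
                             "allow-http-request-headers-from permits any header from any origin"))

    return findings


def is_permissive(xml_text):
    """Convenience wrapper: True if the audit produced at least one finding."""
    return bool(audit_crossdomain(xml_text))


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print("%s policy:" % name)
        for code, message in audit_crossdomain(policy) or [("OK", "no weak settings found")]:
            print("  [%s] %s" % (code, message))
```

Run it against the crossdomain.xml actually served from your web root (and any LCDS endpoint host) rather than the copy in source control; what Flash Player enforces is what the server returns.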
Flex can be decompiled, so it can't contain algorithms for user authentication/authorization.
The connection between the client Flex app and the server should be encrypted, to prevent user name and password interception.
One should not forget that Flex apps don't require cookies to persist data, because Flex apps are stateful and cookies were created for HTTP, which is stateless.