Secure Defaults in Modern Frameworks

By Davy Rogers

Frameworks do a lot for you. The danger is the gaps you don't know about.

Your framework is doing more security work than you probably give it credit for. Stay inside the patterns it expects, and a lot of protection comes for free. Step outside them, reach for a raw query or hand-built HTML, and you quietly opt out of that protection without any warning. So the skill here isn't memorising every default. It's knowing three things for each framework: what it protects by default, where the escape hatches are, and what it leaves entirely to you.

XSS protection

Every major framework auto-escapes template output. Every one of them also ships a way to turn that off.

FrameworkDefaultThe escape hatch
React / Next.jsJSX auto-escapesdangerouslySetInnerHTML; href/src don't check schemes
Vue / Nuxt{{ }} auto-escapesv-html renders raw
AngularSanitises DOM bindingsbypassSecurityTrustHtml()
DjangoTemplates auto-escape`
Rails ERB<%= %> auto-escapesraw() and html_safe
Thymeleafth:text escapesth:utext is unescaped

SQL injection

Same story: the ORM parameterises by default, and there's always a door back to raw SQL.

FrameworkDefaultThe escape hatch
Django ORMParameterisedraw(), extra()
ActiveRecordParameterisedfind_by_sql, where("name = '#{name}'")
SQLAlchemyParameterisedtext() with string formatting
SequelizeParameterisedsequelize.query() misused
PrismaParameterised via tagged-template $queryRaw$queryRawUnsafe, or $queryRaw built by concatenation

CSRF

Here the defaults genuinely diverge, so this is one to check rather than assume.

FrameworkDefaultThe gap
DjangoMiddleware on@csrf_exempt
Railsprotect_from_forgery onAPIs often skip it
Next.js / ExpressNothing built inYou add it yourself

Authentication

FrameworkWhat you get
DjangoBuilt-in auth, sessions, CSRF
RailsDevise is common, but not built in
Next.jsNothing built in; NextAuth.js is common
ExpressNothing built in; Passport.js is common

The pattern to notice: the more you assemble auth yourself, as you do in Node and Express, the more places there are to misconfigure it.

What no framework does for you

A few things are almost always left to you, so treat them as a standing checklist:

  • Security headers. Most frameworks don't set HSTS, CSP, or X-Frame-Options by default. Add them through middleware (Django's SecurityMiddleware, Helmet.js for Express).
  • File uploads. No framework gives you safe upload handling out of the box. Validate content, generate your own filenames, store outside the web root.
  • Production hardening. Never run debug mode in production, change the default secret keys, and lock down admin endpoints.

The single most dangerous assumption you can make is that the framework handles everything. It handles a lot. Know exactly where "a lot" stops.