Seaside tries to be more secure by default than other web frameworks.

Protection against XSS

All output generated by Seaside is HTML entity encoded by default. Unless you send #html: to a render canvas you should be safe against XSS.

Read more about XSS at OWASP.

Protection against CSRF

Seaside automatically generats a unique id that is tied to the session for each action. This id acts like a token.

Read more about CSRF at OWASP.

Whitelist Input Validation

Seaside does automatic input validation for dropdowns, multiselect lists, option groups and radio buttons.

No Command Execution

Seaside does not run any interpreter that executes any input from the web. However if you run a command interpreter in addition to Seaside (SQL, XPath, ...) then Seaside can not protect you angainst command execution in those.