18 lines
799 B
Plaintext
18 lines
799 B
Plaintext
==== More secure serialization methods
|
|
|
|
Some more secure serialization methods reduce the risk of security breaches,
|
|
although not definitively.
|
|
|
|
A complete object serializer is probably unnecessary if you only need to
|
|
receive primitive data (for example integers, strings, bools, etc.). +
|
|
In this case, formats such as JSON and XML protect the application from
|
|
deserialization attacks by default.
|
|
|
|
For more complex objects, the next step is to control which class fields are
|
|
exposed by creating class-specific serialization methods. +
|
|
The most common method is to use Data Transfer Objects (DTO) patterns or Google
|
|
Protocol Buffers (protobufs). After creating the Protobuf data structure, the
|
|
Protobuf compiler creates class files that handle operations such as
|
|
serializing and deserializing data.
|
|
|