- Never call `(eval user-input)` or `(load-string user-input)` — Clojure's reader and evaluator execute arbitrary code without sandboxing.
- Use `clojure.spec.alpha/valid?` or `malli` schemas to validate all external inputs at the entry point before processing.
- Use `next.jdbc` parameterised queries, passing user values as bound parameters, e.g. `(jdbc/execute! ds ["SELECT * FROM users WHERE id = ?" user-id])` — never splice string input into SQL.
- Never parse untrusted data with `clojure.core/read-string`: it honours `*read-eval*` (true by default) and the `#=` reader macro, and resolves tagged literals to record and class constructors. Use `clojure.edn/read-string`, which reads EDN data only and accepts just the built-in `#inst`/`#uuid` tags plus readers you explicitly pass in `:readers`.
- Use `buddy-hashers` for password hashing with `bcrypt` or `argon2` — never store passwords hashed with `MD5` or `SHA1`.
- Use `ring-anti-forgery` middleware for CSRF protection on all state-mutating HTTP routes in Ring-based web applications.
- Audit dependencies with `nvd-clojure` (National Vulnerability Database checker) in CI to detect known CVEs in the dependency tree.
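The reader points above (no `eval`/`load-string`, `clojure.edn` instead of `clojure.core/read-string`) in one parsing function, written here as an added example rather than code from the original list; `max-bytes`, `parse-untrusted` and the sample inputs are constructed for illustration.

```clojure
(ns example.safe-edn
  (:require [clojure.edn :as edn]))

;; Constructed size limit (not part of the guideline): bounds the work the
;; reader does on hostile input before any value is even produced.
(def max-bytes 65536)

(defn parse-untrusted
  "Parses one EDN value from untrusted text. clojure.edn has no #= read-eval
   dispatch and only knows the built-in #inst/#uuid tags plus whatever is
   passed in :readers. Unknown tags are refused rather than instantiated.
   Returns {:ok value} or {:error message}."
  [s]
  (cond
    (not (string? s))       {:error "input must be a string"}
    (> (count s) max-bytes) {:error "input too large"}
    :else
    (try
      {:ok (edn/read-string
            {:eof ::eof
             ;; No custom :readers, so any unknown tag falls through to
             ;; :default and is rejected instead of being resolved.
             :default (fn [tag _]
                        (throw (ex-info "unknown tag" {:tag tag})))}
            s)}
      (catch Exception e
        {:error (.getMessage e)}))))

(comment
  ;; Plain data is accepted.
  (parse-untrusted "{:user \"alice\" :roles #{:admin}}")
  ;; => {:ok {:user "alice", :roles #{:admin}}}

  ;; The #= read-eval macro does not exist in the EDN reader.
  (parse-untrusted "#=(+ 1 2)")
  ;; => {:error "No dispatch macro for: ="}

  ;; A class-constructor style tag is an unknown tag here, not a ctor call.
  (parse-untrusted "#java.io.File[\"/tmp\"]")
  ;; => {:error "unknown tag"}

  ;; If clojure.core/read-string must be used on data for legacy reasons,
  ;; at minimum bind *read-eval* to false; prefer clojure.edn for data.
  (binding [*read-eval* false] (read-string "[1 2 3]")))
```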