I've been considering using Google App Engine for a few hobby projects. While they won't be handling any sensitive data, I'd still like to make them relatively secure for a number of reasons, like learning about security, legal, etc.
What security issues need to be addressed when working with Google App Engine?
Are they the same issues that other applications - like applications written in other languages or hosted in other ways - are faced with?
Edit: I did some searching, and it looks like I need to sanitize input for XSS and injection. What are other things to consider?
“Sanitising” input is not the way to avoid query-injection and markup-injection problems. Using the correct form of escaping at the output stage is... or, even better, using a higher-level tool that deals with it for you.
So for preventing query-injection against GQL, use the parameter-binding interface of GqlQuery. For preventing markup-injection against HTML (leading to XSS), use the HTML-escaping feature of whatever templating language you're using. For example, for Django templates, |escape ... or, better, {% autoescape on %} so you don't accidentally miss one.
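An added example, not part of the original answer, of the two points above: bind values instead of building query strings, and escape at the output stage rather than altering stored input. It uses Python's standard sqlite3 and html.escape as stand-ins for GqlQuery binding and Django's escape filter; the function names, table and sample value are constructed for illustration.

```python
import html
import sqlite3

# Constructed sample: an ordinary name that contains a quote and some markup.
SAMPLE_NAME = "O'Brien <b>admin</b>"

def make_db():
    """In-memory SQLite table standing in for the datastore (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE greeting (author TEXT, body TEXT)")
    return db

def save_greeting(db, author, body):
    # Store the value exactly as received; nothing is "sanitised" on input.
    db.execute("INSERT INTO greeting (author, body) VALUES (?, ?)", (author, body))

def find_by_author(db, author):
    # Bound parameter: the value travels separately from the query text,
    # the same idea as db.GqlQuery("... WHERE author = :1", author).
    cur = db.execute("SELECT author, body FROM greeting WHERE author = ?", (author,))
    return cur.fetchall()

def find_by_author_concat(db, author):
    # 'Before' form: the value is pasted into the query text, so the quote
    # in SAMPLE_NAME ends the string literal early and the query breaks.
    cur = db.execute("SELECT author, body FROM greeting WHERE author = '" + author + "'")
    return cur.fetchall()

def render_greeting(author, body):
    # Escape for the HTML context at output time, as |escape / autoescape do.
    return "<p><b>{}</b>: {}</p>".format(html.escape(author), html.escape(body))

if __name__ == "__main__":
    db = make_db()
    save_greeting(db, SAMPLE_NAME, "2 < 3 & so on")
    rows = find_by_author(db, SAMPLE_NAME)
    print(rows)                       # raw value round-trips unchanged
    print(render_greeting(*rows[0]))  # markup characters become entities
    try:
        find_by_author_concat(db, SAMPLE_NAME)
    except sqlite3.OperationalError as exc:
        print("concatenated query failed:", exc)
```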
In general there are the same issues. In addition, Google "knows" your code and can in theory monitor anything that the code is doing. Therefore it is very difficult if you want to prevent them from reading your data.
But I don't believe they have the time and resources to monitor your code and data that closely.