Tags: security, xss, csrf, cherrypy

How should I secure a mostly static web app?


I'm in the process of teaching myself web development. Until recently, my applications have simply communicated with 3rd party APIs like Twilio, with no user front end. I like CherryPy because it is simple enough that it does not get in my way.

I'd like to build a mostly static personal site with some dynamic features. I plan on using CherryPy to serve the HTML, and handle AJAX requests from jQuery, to provide an interactive and accessible UI for things like an email contact form.

However, I have some security concerns. I come from a system administration background; so I am aware of the various attack vectors one might use (XSS/CSRF, etc). I also know that CherryPy does not provide protection out of the box. I already plan on securing the contact form with reCaptcha. What else can I do? Is there a form library for Python/CherryPy that offers some basic filtering protection? Is there a free tool I can use to test my application for such vulnerabilities?


Solution

  • reCaptcha (and other such tools) are not for security, but for abuse-prevention. If your code is ok, you won't need a Captcha to protect your site, unless you want to have a fulltime job removing all the spam from your mailbox.

    I found that adding a little home-made trick to your mail form works a lot better than an out of the box captcha. I've added a hidden input field to my form, named 'email'. Bots will strip your page and try to enter sensible values in all input fields. If they enter a value in this hidden field, you can be sure you're dealing with a bot. I've found this trick works surprisingly well.
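The honeypot trick described in the answer, as an added example that is not part of the original post or the answerer's code. It assumes a contact form with the real fields `name`, `reply_to` and `message` and a hidden field named `email` that a human never fills in; the `validate_contact_form` function does the server-side check, escapes the accepted values before they are echoed anywhere, and the optional CherryPy handler at the bottom only shows how the check plugs into a request (the class and URL path are assumptions, and that part is skipped when CherryPy is not installed).

```python
"""Honeypot check for a CherryPy contact form (added example, not the original answer's code)."""
import html

# Assumed field layout: the hidden field is named 'email' so that form-filling
# bots, which guess field meaning from names, are tempted to populate it.
HONEYPOT_FIELD = "email"
REQUIRED_FIELDS = ("name", "reply_to", "message")

# Constructed sample submissions, as a browser would POST them.
HUMAN_SUBMISSION = {
    "name": "Alice",
    "reply_to": "alice@example.invalid",
    "message": "Hi <b>there</b>",   # markup is escaped, not rendered
    "email": "",                     # hidden field left untouched by a human
}
BOT_SUBMISSION = {
    "name": "Bob",
    "reply_to": "bob@example.invalid",
    "message": "buy now",
    "email": "bob@example.invalid",  # a scraper filled every input it found
}


def is_bot_submission(form):
    """Return True when the hidden honeypot field carries any non-blank value."""
    return bool(form.get(HONEYPOT_FIELD, "").strip())


def validate_contact_form(form):
    """Classify one submission.

    Returns (accepted, reason, clean_fields). Accepted values are HTML-escaped
    so they can be echoed back into a confirmation page without becoming an
    XSS sink; the honeypot decides before any other validation runs.
    """
    if is_bot_submission(form):
        return False, "honeypot filled", {}
    missing = [f for f in REQUIRED_FIELDS if not form.get(f, "").strip()]
    if missing:
        return False, "missing: " + ", ".join(missing), {}
    clean = {f: html.escape(form[f].strip()) for f in REQUIRED_FIELDS}
    return True, "ok", clean


def render_form():
    """Minimal form markup; the honeypot is hidden with CSS, not type=hidden,
    because some bots skip type=hidden inputs but happily fill invisible ones."""
    return (
        '<form method="post" action="/contact/submit">'
        '<input name="name"><input name="reply_to">'
        '<textarea name="message"></textarea>'
        '<div style="display:none"><input name="email" autocomplete="off"></div>'
        '<button type="submit">Send</button></form>'
    )


# Optional: wire the check into CherryPy. Guarded so the module still imports
# (and the functions above still run) where CherryPy is not installed.
try:
    import cherrypy
except ImportError:  # pragma: no cover
    cherrypy = None

if cherrypy is not None:
    class Contact:
        """Assumed controller mounted at /contact."""

        @cherrypy.expose
        def index(self):
            return render_form()

        @cherrypy.expose
        def submit(self, **form):
            if cherrypy.request.method != "POST":
                raise cherrypy.HTTPError(405)
            accepted, reason, clean = validate_contact_form(form)
            if not accepted:
                # Answer a bot exactly like a human so it learns nothing
                # about why it was dropped; log the reason server-side.
                cherrypy.log("dropped contact submission: %s" % reason)
                return "Thanks, your message was received."
            # Here the real application would send the mail using `clean`.
            return "Thanks, %s, your message was received." % clean["name"]
```

The generic success response for rejected submissions is deliberate: a distinct error page would tell a spammer which field tripped the check and let it adapt.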