ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
kwwall Update to fix mailing list subscription links.
Thanks and hat tip to Marc Anderson for noticing this. They were correct in the pom.xml, but broken here.
Latest commit b76f726 Aug 14, 2019
Type Name Latest commit message Commit time
.codenvy Fixed unit tests and DefaultHttpUtilities May 30, 2015
configuration Changes to support min key length for encryption via the new Encrpyto… Apr 20, 2019
documentation Minor documentation corrections. Jul 15, 2019
resources Relates to Issue 113. Tidied up full build process by introducing a d… Apr 13, 2010
scripts Changes to make Mr. Wichers a happy camper! :) Jun 29, 2019
src Merge pull request #506 from kwwall/issue-245 Aug 2, 2019
.gitattributes Continue to try to address issue 356. Jan 19, 2016
.gitignore Eclipse setup updates (#459) Dec 21, 2018
.travis.yml Merge Bjorn Kimminich's pull request (# 386). Close issue #386. May 7, 2016
CONTRIBUTING-TO-ESAPI.txt Final preparation for ESAPI release (#501) Jun 24, 2019
LICENSE Git is complaining it's modified, but I'm committing w/out any actual… Jan 20, 2016
LICENSE-CONTENT No explicit changes; just did a add, followed by commit, but that see… Jan 20, 2016
LICENSE-README No explicit changes; just did a add, followed by commit, but that see… Jan 20, 2016 Update to fix mailing list subscription links. Aug 15, 2019 Create a file. Jul 5, 2019
ant-javadoc.xml Change CRLF to LF for issue 356. Jan 19, 2016
javadoc.xml Change CRLF to LF for issue 356. Jan 19, 2016
pom.xml Prep for next snapshot release. Jun 25, 2019
suppressions.xml Suppress CVE-2016-1000031 in dependency check May 3, 2017

Enterprise Security API for Java (Legacy)


OWASP ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI for Java library is designed to make it easier for programmers to retrofit security into existing applications. ESAPI for Java also serves as a solid foundation for new development.

What does Legacy mean?

This is the legacy branch of ESAPI, which means it is an actively maintained branch of the project; however, feature development for this branch will not be done. Features that have already been scheduled for the 2.x branch will move forward, but the main focus will be working on the ESAPI 3.x branch.

IMPORTANT NOTE: The default branch for ESAPI legacy is now the 'develop' branch (rather than the 'master' branch), where future development, bug fixes, etc. will now be done. The 'master' branch is now marked as "protected"; it reflects the latest stable ESAPI release ( as of this date). Note that this change of making the 'develop' branch the default may affect any pull requests that you were intending to make.

Where can I find ESAPI 3.x?

Contributing to ESAPI legacy

How can I contribute or help fix bugs?

Fork and submit a pull request! Simple as pi! We generally only accept bug fixes, not new features, because as a legacy project we don't intend to add new features, although we may make exceptions. If you wish to propose a new feature, the best place to discuss it is via the ESAPI-DEV mailing list mentioned below. Note that we vet all pull requests, including coding style of any contributions; use the same coding style found in the files you are already editing.

If you are new to ESAPI, a good place to start is to look for GitHub issues labeled as 'good first issue'. (E.g., to find all open issues with that label, use

You can find additional details in the file 'CONTRIBUTING-TO-ESAPI.txt'.

What happened to Google code?

In mid-2014 ESAPI migrated all code to GitHub. This migration was completed in November 2014.

What about the issues still located on Google Code?

All issues from Google Code have been migrated to GitHub issues. We have a JIRA/Confluence instance allocated to us, but it has not been configured to synchronize with the GitHub issues, and thus it should not be used. JIRA is fine, but if we can't have it synchronized with GitHub issues (which is where the majority of our users report issues), it is not usable. As developers, we do not want to spend time having to close issues from multiple bug-tracking sites. Therefore, until this synchronization happens (see GitHub issue #371), please ONLY use GitHub for reporting bugs.

When reporting an issue, please be clear and try to ensure that the ESAPI development team has sufficient information to be able to reproduce your results. If you have not already done so, this might be a good time to read Eric S. Raymond's classic "How to Ask Questions the Smart Way", at before posting your issue.

Find an Issue?

If you have found a bug, then create an issue on the esapi-legacy-java repo:

NOTE: Please do NOT use GitHub issues to ask questions about ESAPI. If you wish to do this, post to either of the 2 mailing lists (now on Google Groups) found at the bottom of this page. If we find questions as GitHub issues, we simply will close them and direct you to do this anyhow.

Find a Vulnerability?

If you have found a vulnerability in ESAPI legacy, first search the issues list (see above) to see if it has already been reported. If it has not, then please contact both Kevin W. Wall (kevin.w.wall at and Matt Seil (matt.seil at directly. Please do not report vulnerabilities via GitHub issues or via the ESAPI mailing lists as we wish to keep our users secure while a patch is implemented and deployed. If you wish to be acknowledged for finding the vulnerability, then please follow this process. (Eventually, we would like to have BugCrowd handle this, but that's still a ways off.) Also, when you post the email describing the vulnerability, please do so from an email address that you usually monitor.

More detail is available in the file ''.

Where to Find More Information on ESAPI


Nightly Build: Travis CI -

Issues: Until further notice, use the GitHub issues for reporting bugs and enhancement requests.

Documentation: (Coming Soon), for now find general documentation under the 'documentation/' directory, and the latest Javadoc under

Realtime Support available on our IRC Channel:
Channel: #esapi

Mailing lists: As of 2019-03-25, ESAPI's 2 mailing lists were officially moved OFF of their Mailman mailing lists to a new home on Google Groups.

The names of the 2 Google Groups are "esapi-project-users" and "esapi-project-dev", which you may POST to after you subscribe to them via "Subscribe to ESAPI Users list" and "Subscribe to ESAPI Developers list" respectively.

Old archives for the old Mailman mailing lists for ESAPI-Users and ESAPI-Dev are still available at and respectively.

For a general overview of Google Groups and its web interface, see!overview

For assistance subscribing and unsubscribing to Google Groups, see
