PMD Security Rules

PMD is a static source code analyzer that ships with rules that flag potential security flaws in the code it scans.
Security DSLs provided by the Tool

| Name | Description |
|---|---|
Security Checks provided by the Tool

| Name | Language | Description |
|---|---|---|
| ApexBadCrypto | Apex | Makes sure you are using randomly generated IVs and keys for Crypto calls. |
| ApexCRUDViolation | Apex | Validates that you check access permissions before a SOQL/SOSL/DML operation. |
| ApexDangerousMethods | Apex | Checks against calling dangerous methods. |
| ApexInsecureEndpoint | Apex | Checks against accessing endpoints over plain HTTP. |
| ApexOpenRedirect | Apex | Checks against redirects to user-controlled locations. |
| ApexSharingViolations | Apex | Detects classes declared without an explicit sharing mode when DML methods are used. |
| ApexSOQLInjection | Apex | Detects the use of untrusted / unescaped variables in dynamic SOQL queries. |
| ApexSuggestUsingNamedCred | Apex | Detects hardcoded credentials used in requests to an endpoint. |
| ApexXSSFromEscapeFalse | Apex | Reports calls to addError with escaping disabled. |
| ApexXSSFromURLParam | Apex | Makes sure that all values obtained from URL parameters are properly escaped / sanitized to avoid XSS attacks. |
| HardCodedCryptoKey | Java | Do not use hard-coded values for cryptographic operations. |
| InsecureCryptoIv | Java | Do not use a hard-coded initialization vector in cryptographic operations. |
| IframeMissingSrcAttribute | JSP | IFrames that are missing a src attribute can cause security information popups in IE when the page is accessed over SSL. |
| NoUnsanitizedJSPExpression | JSP | Avoid using expressions without escaping / sanitizing. |
| VfCsrf | Visualforce | Avoid calling a VF action on page load, as the action becomes vulnerable to CSRF. |
| VfHtmlStyleTagXss | Visualforce | Checks for correct encoding in `<style/>` tags in Visualforce pages. |
| VfUnescapeEl | Visualforce | Avoid unescaped user-controlled content in EL, as it results in XSS. |
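
The Apex rules above are easiest to understand against code that trips them. The following class is an added example written for this page, not code from PMD or its documentation: each "Flagged" method shows the pattern a rule reports, followed by the corrected form. The class name, method names, the `Partner_API` Named Credential, the example host and the Basic-auth token are all constructed placeholders.

```apex
// Added example (not from the PMD project): patterns the Apex security
// rules report, each beside its fix. All names below are hypothetical.

// ApexSharingViolations: a class that performs DML or queries must declare
// its sharing mode explicitly.
public with sharing class AccountLookupController {

    // Hypothetical Named Credential; the platform injects the auth header.
    private static final String CALLOUT = 'callout:Partner_API/accounts';

    // --- ApexSOQLInjection + ApexCRUDViolation ---

    // Flagged: user input concatenated into a dynamic query, no access check.
    public static List<Account> findUnsafe(String name) {
        return Database.query(
            'SELECT Id, Name FROM Account WHERE Name = \'' + name + '\'');
    }

    // Fixed: check object access first, then use a bind variable so the
    // input can never be interpreted as SOQL.
    public static List<Account> findSafe(String name) {
        if (!Schema.sObjectType.Account.isAccessible()) {
            throw new AuraHandledException('Insufficient access to Account');
        }
        return [SELECT Id, Name FROM Account WHERE Name = :name];
    }

    // When the query genuinely must be built as a string, escape the input.
    public static List<Account> findDynamic(String name) {
        if (!Schema.sObjectType.Account.isAccessible()) {
            throw new AuraHandledException('Insufficient access to Account');
        }
        String q = 'SELECT Id, Name FROM Account WHERE Name = \''
            + String.escapeSingleQuotes(name) + '\'';
        return Database.query(q);
    }

    // --- ApexBadCrypto ---

    // Flagged: key material hard-coded in source (constructed placeholder).
    public static Blob encryptUnsafe(Blob data) {
        Blob key = Blob.valueOf('0123456789abcdef');
        return Crypto.encryptWithManagedIV('AES128', key, data);
    }

    // Fixed: the key is generated once with Crypto.generateAesKey(128),
    // stored outside source (e.g. a protected custom setting) and passed
    // in; the managed IV is random and prepended to the ciphertext.
    public static Blob encryptSafe(Blob key, Blob data) {
        return Crypto.encryptWithManagedIV('AES128', key, data);
    }

    // --- ApexXSSFromURLParam ---

    // Flagged: a URL parameter rendered without escaping.
    public String getGreetingUnsafe() {
        return 'Hello ' + ApexPages.currentPage().getParameters().get('name');
    }

    // Fixed: HTML-escape the value before it reaches the page.
    public String getGreetingSafe() {
        String name = ApexPages.currentPage().getParameters().get('name');
        return 'Hello ' + (name == null ? '' : name.escapeHtml4());
    }

    // --- ApexInsecureEndpoint + ApexSuggestUsingNamedCred ---

    // Flagged: plain HTTP and a credential embedded in the request
    // (the Basic token is a constructed placeholder, not a real secret).
    public static HttpResponse calloutUnsafe() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://api.example.com/accounts');
        req.setHeader('Authorization', 'Basic dXNlcjpwYXNz');
        req.setMethod('GET');
        return new Http().send(req);
    }

    // Fixed: HTTPS through a Named Credential, so no secret lives in code.
    public static HttpResponse calloutSafe() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint(CALLOUT);
        req.setMethod('GET');
        return new Http().send(req);
    }
}
```

With PMD 7 the Apex security category is run over a source tree with `pmd check -d force-app -R category/apex/security.xml`; the "Flagged" methods above produce one finding each for the rules named in their comments, while the "Fixed" methods produce none. Note that the CRUD check guards object access only; field-level security still needs `Security.stripInaccessible` or per-field `isAccessible()` checks.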
