Skip to content

JSF (MyFaces) ViewState must not be unencrypted

Test Case that checks that a given JSF page (typically ending on .xhtml) does not contain an unencrypted ViewState.


  • HTTP GET on any JSF based page (typically ending on .xhtml).


  • Expected Status Code: 200 (OK)
  • Body content must contain a ViewState
  • Body content must not contain an unencrypted MyFaces ViewState

More information