Play 1 security


Despite their functional differences, is Play 1 as secure as Play 2?

I am referring to all kinds of aspects concerning security, whether the way the session cookie is signed/represented or protection against web vulnerabilities (

Given Play! 1’s low activity, are security fixes being applied to Play 1 as they are to Play 2, and will they continue to be?

Thanks in advance.

I would also like to know the answer to this :)
It certainly always used to be that way, with security patches being applied to the latest of all the Play1 versions.

There weren’t many security flaws reported though, even in the beginning when all the activity was in Play1. I think that lies together with the fact that the session cookie signing etc. is relatively simple and straightforward… and also relatively robust, so there aren’t many angles of attack, afaik.
There was one issue reported by an external security research team a few years ago in that area… and it was promptly patched by the Play maintainers.

The current maintainers are doing a great job of upgrading dependencies, making Play1 work with the latest Java versions etc, so I think the responsiveness is there, should it be needed :+1: