The discussion of JSF state saving also has security implications. Saving the JSF state on the client is less secure than saving it on the server, because the serialized component tree leaves the server inside the javax.faces.ViewState field and can be inspected or tampered with unless it is encrypted and integrity-protected. For the most common web security concerns, JSF provides some protection out of the box, but not for all of them: output rendered through h:outputText and most other components is HTML-escaped by default, which mitigates XSS as long as escape="false" is not used on untrusted data; CSRF is mitigated by the view state mechanism described next; SQL injection, however, is outside JSF's scope, because JSF issues no database queries, so it has to be handled in the persistence layer (for example, with parameterized queries).
CSRF attacks, and the phishing pages that rely on submitting forms into the application on the victim's behalf, are mitigated by saving state on the server. JSF 2.0 comes with implicit protection against CSRF based on the value of the javax.faces.ViewState hidden field: a POST whose view state does not match a view held in the user's session is rejected with a ViewExpiredException, and a page on another origin cannot read that value to forge the request. Starting with JSF 2.2, this protection was strengthened: the view state value is generated with a cryptographically strong random number generator, so it cannot be guessed; client-side state is encrypted and integrity-checked by default; and the new protected views feature extends the check to GET requests, requiring a valid javax.faces.Token parameter (and a matching Origin or Referer header) on navigation to a view listed in faces-config.xml.
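As an added example (not taken from the original text), the following web.xml and faces-config.xml fragments show the weaker client-side setting next to the server-side setting recommended above, together with a JSF 2.2 protected view declaration. The view ids /admin/users.xhtml and /admin/settings.xhtml are hypothetical.

```xml
<!-- web.xml: choose where the view state lives -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Weak setting (left commented out): the serialized component tree is sent to
       the browser in javax.faces.ViewState. Before JSF 2.2 it is not encrypted
       unless the implementation is configured to do so, so it can be read and
       tampered with by whoever holds the page. -->
  <!--
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
  </context-param>
  -->

  <!-- Preferred setting: the tree stays in the HTTP session and the hidden field
       carries only an unguessable identifier. A POST whose identifier does not
       match a view in the session is rejected with ViewExpiredException. -->
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>server</param-value>
  </context-param>

  <!-- Give users a page instead of a stack trace when a stale or forged view
       state is rejected. /expired.xhtml is a hypothetical view id. -->
  <error-page>
    <exception-type>javax.faces.application.ViewExpiredException</exception-type>
    <location>/expired.xhtml</location>
  </error-page>
</web-app>

<!-- faces-config.xml: JSF 2.2 protected views. GET navigation to these view ids
     must carry a javax.faces.Token parameter that JSF itself appends to outcome
     links, and the request must arrive with an Origin or Referer header that
     the runtime accepts; a link crafted on a foreign site lacks the token. -->
<faces-config xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="2.2">
  <protected-views>
    <url-pattern>/admin/users.xhtml</url-pattern>
    <url-pattern>/admin/settings.xhtml</url-pattern>
  </protected-views>
</faces-config>
```

Two practical checks follow from this configuration: first, confirm in the rendered HTML that the javax.faces.ViewState value is a short opaque identifier rather than a long base64 blob (which would indicate client-side state is still in effect); second, note that protected views only cover navigation links JSF generates, so a URL typed by hand or bookmarked without the token will be refused with a ProtectedViewException, which is the intended behaviour.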