🇺🇸English

Spring Boot Security Review

Use when adding auth, handling input, creating endpoints, or dealing with secrets.

When to Activate

• Adding authentication (JWT, OAuth2, session-based)
• Implementing authorization (@PreAuthorize, role-based access)
• Validating user input (Bean Validation, custom validators)
• Configuring CORS, CSRF, or security headers
• Managing secrets (Vault, environment variables)
• Adding rate limiting or brute-force protection
• Scanning dependencies for CVEs

Authentication

• Prefer stateless JWT or opaque tokens with revocation list

• Use httpOnly, Secure, SameSite=Strict cookies for sessions

• Validate tokens with OncePerRequestFilter or resource server

  @Component public class JwtAuthFilter extends OncePerRequestFilter { private final JwtService jwtService;

  public JwtAuthFilter(JwtService jwtService) { this.jwtService = jwtService; }

  @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException { String header = request.getHeader(HttpHeaders.AUTHORIZATION); if (header != null && header.startsWith("Bearer ")) { String token = header.substring(7); Authentication auth = jwtService.authenticate(token); SecurityContextHolder.getContext().setAuthentication(auth); } chain.doFilter(request, response); } }

Authorization

• Enable method security: @EnableMethodSecurity

• Use @PreAuthorize("hasRole('ADMIN')") or @PreAuthorize("@authz.canEdit(#id)")

• Deny by default; expose only required scopes

  @RestController @RequestMapping("/api/admin") public class AdminController {

  @PreAuthorize("hasRole('ADMIN')") @GetMapping("/users") public List<UserDto> listUsers() { return userService.findAll(); }

  @PreAuthorize("@authz.isOwner(#id, authentication)") @DeleteMapping("/users/{id}") public ResponseEntity<Void> deleteUser(@PathVariable Long id) { userService.delete(id); return ResponseEntity.noContent().build(); } }

Input Validation

• Use Bean Validation with @Valid on controllers

• Apply constraints on DTOs: @NotBlank, @Email, @Size, custom validators

• Sanitize any HTML with a whitelist before rendering

  // BAD: No validation @PostMapping("/users") public User createUser(@RequestBody UserDto dto) { return userService.create(dto); }

  // GOOD: Validated DTO public record CreateUserDto( @NotBlank @Size(max = 100) String name, @NotBlank @Email String email, @NotNull @Min(0) @Max(150) Integer age ) {}

  @PostMapping("/users") public ResponseEntity<UserDto> createUser(@Valid @RequestBody CreateUserDto dto) { return ResponseEntity.status(HttpStatus.CREATED) .body(userService.create(dto)); }

SQL Injection Prevention

• Use Spring Data repositories or parameterized queries

• For native queries, use :param bindings; never concatenate strings

  // BAD: String concatenation in native query @Query(value = "SELECT * FROM users WHERE name = '" + name + "'", nativeQuery = true)

  // GOOD: Parameterized native query @Query(value = "SELECT * FROM users WHERE name = :name", nativeQuery = true) List<User> findByName(@Param("name") String name);

  // GOOD: Spring Data derived query (auto-parameterized) List<User> findByEmailAndActiveTrue(String email);

Password Encoding

• Always hash passwords with BCrypt or Argon2 — never store plaintext

• Use PasswordEncoder bean, not manual hashing

  @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(12); // cost factor 12 }

  // In service public User register(CreateUserDto dto) { String hashedPassword = passwordEncoder.encode(dto.password()); return userRepository.save(new User(dto.email(), hashedPassword)); }

CSRF Protection

• For browser session apps, keep CSRF enabled; include token in forms/headers

• For pure APIs with Bearer tokens, disable CSRF and rely on stateless auth

  http .csrf(csrf -> csrf.disable()) .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));

Secrets Management

• No secrets in source; load from env or vault

• Keep application.yml free of credentials; use placeholders

• Rotate tokens and DB credentials regularly

  BAD: Hardcoded in application.yml

  spring: datasource: password: mySecretPassword123

  GOOD: Environment variable placeholder

  spring: datasource: password: ${DB_PASSWORD}

  GOOD: Spring Cloud Vault integration

  spring: cloud: vault: uri: https://vault.example.com token: ${VAULT_TOKEN}

Security Headers

http
  .headers(headers -> headers
    .contentSecurityPolicy(csp -> csp
      .policyDirectives("default-src 'self'"))
    .frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin)
    .xssProtection(Customizer.withDefaults())
    .referrerPolicy(rp -> rp.policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.NO_REFERRER)));

CORS Configuration

• Configure CORS at the security filter level, not per-controller

• Restrict allowed origins — never use * in production

  @Bean public CorsConfigurationSource corsConfigurationSource() { CorsConfiguration config = new CorsConfiguration(); config.setAllowedOrigins(List.of("https://app.example.com")); config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE")); config.setAllowedHeaders(List.of("Authorization", "Content-Type")); config.setAllowCredentials(true); config.setMaxAge(3600L);

  UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); source.registerCorsConfiguration("/api/**", config); return source; }

  // In SecurityFilterChain: http.cors(cors -> cors.configurationSource(corsConfigurationSource()));

Rate Limiting

• Apply Bucket4j or gateway-level limits on expensive endpoints

• Log and alert on bursts; return 429 with retry hints

  // Using Bucket4j for per-endpoint rate limiting @Component public class RateLimitFilter extends OncePerRequestFilter { private final Map<String, Bucket> buckets = new ConcurrentHashMap<>();

  private Bucket createBucket() { return Bucket.builder() .addLimit(Bandwidth.classic(100, Refill.intervally(100, Duration.ofMinutes(1)))) .build(); }

  @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException { String clientIp = request.getRemoteAddr(); Bucket bucket = buckets.computeIfAbsent(clientIp, k -> createBucket());

  if (bucket.tryConsume(1)) {
    chain.doFilter(request, response);
  } else {
    response.setStatus(HttpStatus.TOO_MANY_REQUESTS.value());
    response.getWriter().write("{\"error\": \"Rate limit exceeded\"}");
  }
  

  } }

Dependency Security

• Run OWASP Dependency Check / Snyk in CI
• Keep Spring Boot and Spring Security on supported versions
• Fail builds on known CVEs

Logging and PII

• Never log secrets, tokens, passwords, or full PAN data
• Redact sensitive fields; use structured JSON logging

File Uploads

• Validate size, content type, and extension
• Store outside web root; scan if required

Checklist Before Release

• Auth tokens validated and expired correctly
• Authorization guards on every sensitive path
• All inputs validated and sanitized
• No string-concatenated SQL
• CSRF posture correct for app type
• Secrets externalized; none committed
• Security headers configured
• Rate limiting on APIs
• Dependencies scanned and up to date
• Logs free of sensitive data

Remember : Deny by default, validate inputs, least privilege, and secure-by-configuration first.

Weekly Installs

1.1K

Repository

affaan-m/everyt…ude-code

GitHub Stars

72.1K

First Seen

Jan 30, 2026

Security Audits

Gen Agent Trust HubPassSocketPassSnykPass

Installed on

opencode880

codex854

gemini-cli838

github-copilot778

cursor721

kimi-cli718