<< All versions
Skill v1.0.1
currentLLM-judged scan95/100affaan-m/ecc/springboot-security
+4 new
──Details
PublishedJuly 6, 2026 at 05:29 AM
Content Hashsha256:7e38f1d5302a5f43...
Git SHA4130457d674d
Bump Typepatch
──Files
Files (1 file, 7.9 KB)
SKILL.md7.9 KBactive
SKILL.md · 275 lines · 7.9 KB
version: "1.0.1" name: springboot-security description: Spring Security best practices for authn/authz, validation, CSRF, secrets, headers, rate limiting, and dependency security in Java Spring Boot services. metadata: origin: ECC
Spring Boot Security Review
Use when adding auth, handling input, creating endpoints, or dealing with secrets.
When to Activate
- Adding authentication (JWT, OAuth2, session-based)
- Implementing authorization (@PreAuthorize, role-based access)
- Validating user input (Bean Validation, custom validators)
- Configuring CORS, CSRF, or security headers
- Managing secrets (Vault, environment variables)
- Adding rate limiting or brute-force protection
- Scanning dependencies for CVEs
Authentication
- Prefer stateless JWT or opaque tokens with revocation list
- Use
httpOnly,Secure,SameSite=Strictcookies for sessions - Validate tokens with
OncePerRequestFilteror resource server
java
@Componentpublic class JwtAuthFilter extends OncePerRequestFilter {private final JwtService jwtService;public JwtAuthFilter(JwtService jwtService) {this.jwtService = jwtService;}@Overrideprotected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,FilterChain chain) throws ServletException, IOException {String header = request.getHeader(HttpHeaders.AUTHORIZATION);if (header != null && header.startsWith("Bearer ")) {String token = header.substring(7);Authentication auth = jwtService.authenticate(token);SecurityContextHolder.getContext().setAuthentication(auth);}chain.doFilter(request, response);}}
Authorization
- Enable method security:
@EnableMethodSecurity - Use
@PreAuthorize("hasRole('ADMIN')")or@PreAuthorize("@authz.canEdit(#id)") - Deny by default; expose only required scopes
java
@RestController@RequestMapping("/api/admin")public class AdminController {@PreAuthorize("hasRole('ADMIN')")@GetMapping("/users")public List<UserDto> listUsers() {return userService.findAll();}@PreAuthorize("@authz.isOwner(#id, authentication)")@DeleteMapping("/users/{id}")public ResponseEntity<Void> deleteUser(@PathVariable Long id) {userService.delete(id);return ResponseEntity.noContent().build();}}
Input Validation
- Use Bean Validation with
@Validon controllers - Apply constraints on DTOs:
@NotBlank,@Email,@Size, custom validators - Sanitize any HTML with a whitelist before rendering
java
// BAD: No validation@PostMapping("/users")public User createUser(@RequestBody UserDto dto) {return userService.create(dto);}// GOOD: Validated DTOpublic record CreateUserDto(@NotBlank @Size(max = 100) String name,@NotBlank @Email String email,@NotNull @Min(0) @Max(150) Integer age) {}@PostMapping("/users")public ResponseEntity<UserDto> createUser(@Valid @RequestBody CreateUserDto dto) {return ResponseEntity.status(HttpStatus.CREATED).body(userService.create(dto));}
SQL Injection Prevention
- Use Spring Data repositories or parameterized queries
- For native queries, use
:parambindings; never concatenate strings
java
// BAD: String concatenation in native query@Query(value = "SELECT * FROM users WHERE name = '" + name + "'", nativeQuery = true)// GOOD: Parameterized native query@Query(value = "SELECT * FROM users WHERE name = :name", nativeQuery = true)List<User> findByName(@Param("name") String name);// GOOD: Spring Data derived query (auto-parameterized)List<User> findByEmailAndActiveTrue(String email);
Password Encoding
- Always hash passwords with BCrypt or Argon2 — never store plaintext
- Use
PasswordEncoderbean, not manual hashing
java
@Beanpublic PasswordEncoder passwordEncoder() {return new BCryptPasswordEncoder(12); // cost factor 12}// In servicepublic User register(CreateUserDto dto) {String hashedPassword = passwordEncoder.encode(dto.password());return userRepository.save(new User(dto.email(), hashedPassword));}
CSRF Protection
- For browser session apps, keep CSRF enabled; include token in forms/headers
- For pure APIs with Bearer tokens, disable CSRF and rely on stateless auth
java
http.csrf(csrf -> csrf.disable()).sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
Secrets Management
- No secrets in source; load from env or vault
- Keep
application.ymlfree of credentials; use placeholders - Rotate tokens and DB credentials regularly
yaml
# BAD: Hardcoded in application.ymlspring:datasource:password: mySecretPassword123# GOOD: Environment variable placeholderspring:datasource:password: ${DB_PASSWORD}# GOOD: Spring Cloud Vault integrationspring:cloud:vault:uri: https://vault.example.comtoken: ${VAULT_TOKEN}
Security Headers
java
http.headers(headers -> headers.contentSecurityPolicy(csp -> csp.policyDirectives("default-src 'self'")).frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin).xssProtection(Customizer.withDefaults()).referrerPolicy(rp -> rp.policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.NO_REFERRER)));
CORS Configuration
- Configure CORS at the security filter level, not per-controller
- Restrict allowed origins — never use
*in production
java
@Beanpublic CorsConfigurationSource corsConfigurationSource() {CorsConfiguration config = new CorsConfiguration();config.setAllowedOrigins(List.of("https://app.example.com"));config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));config.setAllowedHeaders(List.of("Authorization", "Content-Type"));config.setAllowCredentials(true);config.setMaxAge(3600L);UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();source.registerCorsConfiguration("/api/**", config);return source;}// In SecurityFilterChain:http.cors(cors -> cors.configurationSource(corsConfigurationSource()));
Rate Limiting
- Apply Bucket4j or gateway-level limits on expensive endpoints
- Log and alert on bursts; return 429 with retry hints
java
// Using Bucket4j for per-endpoint rate limiting@Componentpublic class RateLimitFilter extends OncePerRequestFilter {private final Map<String, Bucket> buckets = new ConcurrentHashMap<>();private Bucket createBucket() {return Bucket.builder().addLimit(Bandwidth.classic(100, Refill.intervally(100, Duration.ofMinutes(1)))).build();}@Overrideprotected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,FilterChain chain) throws ServletException, IOException {String clientIp = request.getRemoteAddr();Bucket bucket = buckets.computeIfAbsent(clientIp, k -> createBucket());if (bucket.tryConsume(1)) {chain.doFilter(request, response);} else {response.setStatus(HttpStatus.TOO_MANY_REQUESTS.value());response.getWriter().write("{\"error\": \"Rate limit exceeded\"}");}}}
Dependency Security
- Run OWASP Dependency Check / Snyk in CI
- Keep Spring Boot and Spring Security on supported versions
- Fail builds on known CVEs
Logging and PII
- Never log secrets, tokens, passwords, or full PAN data
- Redact sensitive fields; use structured JSON logging
File Uploads
- Validate size, content type, and extension
- Store outside web root; scan if required
Checklist Before Release
- [ ] Auth tokens validated and expired correctly
- [ ] Authorization guards on every sensitive path
- [ ] All inputs validated and sanitized
- [ ] No string-concatenated SQL
- [ ] CSRF posture correct for app type
- [ ] Secrets externalized; none committed
- [ ] Security headers configured
- [ ] Rate limiting on APIs
- [ ] Dependencies scanned and up to date
- [ ] Logs free of sensitive data
Remember: Deny by default, validate inputs, least privilege, and secure-by-configuration first.