Spring Boot Security Review
Use when adding auth, handling input, creating endpoints, or dealing with secrets.
Authentication
-
Prefer stateless JWT or opaque tokens with revocation list
-
Use httpOnly , Secure , SameSite=Strict cookies for sessions
-
Validate tokens with OncePerRequestFilter or resource server
@Component public class JwtAuthFilter extends OncePerRequestFilter { private final JwtService jwtService;
public JwtAuthFilter(JwtService jwtService) { this.jwtService = jwtService; }
@Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException { String header = request.getHeader(HttpHeaders.AUTHORIZATION); if (header != null && header.startsWith("Bearer ")) { String token = header.substring(7); Authentication auth = jwtService.authenticate(token); SecurityContextHolder.getContext().setAuthentication(auth); } chain.doFilter(request, response); } }
Authorization
-
Enable method security: @EnableMethodSecurity
-
Use @PreAuthorize("hasRole('ADMIN')") or @PreAuthorize("@authz.canEdit(#id)")
-
Deny by default; expose only required scopes
Input Validation
-
Use Bean Validation with @Valid on controllers
-
Apply constraints on DTOs: @NotBlank , @Email , @Size , custom validators
-
Sanitize any HTML with a whitelist before rendering
SQL Injection Prevention
-
Use Spring Data repositories or parameterized queries
-
For native queries, use :param bindings; never concatenate strings
CSRF Protection
-
For browser session apps, keep CSRF enabled; include token in forms/headers
-
For pure APIs with Bearer tokens, disable CSRF and rely on stateless auth
http .csrf(csrf -> csrf.disable()) .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
Secrets Management
-
No secrets in source; load from env or vault
-
Keep application.yml free of credentials; use placeholders
-
Rotate tokens and DB credentials regularly
Security Headers
http .headers(headers -> headers .contentSecurityPolicy(csp -> csp .policyDirectives("default-src 'self'")) .frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin) .xssProtection(Customizer.withDefaults()) .referrerPolicy(rp -> rp.policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.NO_REFERRER)));
Rate Limiting
-
Apply Bucket4j or gateway-level limits on expensive endpoints
-
Log and alert on bursts; return 429 with retry hints
Dependency Security
-
Run OWASP Dependency Check / Snyk in CI
-
Keep Spring Boot and Spring Security on supported versions
-
Fail builds on known CVEs
Logging and PII
-
Never log secrets, tokens, passwords, or full PAN data
-
Redact sensitive fields; use structured JSON logging
File Uploads
-
Validate size, content type, and extension
-
Store outside web root; scan if required
Checklist Before Release
-
Auth tokens validated and expired correctly
-
Authorization guards on every sensitive path
-
All inputs validated and sanitized
-
No string-concatenated SQL
-
CSRF posture correct for app type
-
Secrets externalized; none committed
-
Security headers configured
-
Rate limiting on APIs
-
Dependencies scanned and up to date
-
Logs free of sensitive data
Remember: Deny by default, validate inputs, least privilege, and secure-by-configuration first.