1. Skill Overview
2. Core Capabilities
2.1 Authentication
| Best Practice | Specification |
|---|---|
| Token Strategy | Prefer stateless JWT or opaque revocable tokens with revocation lists |
| Secure Cookie Policy | Store session data in cookies marked HttpOnly, Secure, SameSite=Strict |
| Token Validation | Validate tokens via OncePerRequestFilter or Spring Resource Server components |
@Component
public class JwtAuthFilter extends OncePerRequestFilter {
private final JwtService jwtService;
public JwtAuthFilter(JwtService jwtService) { this.jwtService = jwtService; }
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response, FilterChain chain)
throws ServletException, IOException {
String header = request.getHeader(HttpHeaders.AUTHORIZATION);
if (header != null && header.startsWith("Bearer ")) {
String token = header.substring(7);
Authentication auth = jwtService.authenticate(token);
SecurityContextHolder.getContext().setAuthentication(auth);
}
chain.doFilter(request, response);
}
}
2.2 Authorization
- Enable method-level security with
@EnableMethodSecurity - Apply fine-grained access control via
@PreAuthorize("hasRole('ADMIN')")or dynamic bean checks@PreAuthorize("@authz.canEdit(#id)") - Follow deny-by-default logic; only expose minimal required scopes publicly
2.3 Input Validation
- Use
@Validwith Bean Validation on all controller request DTOs - Apply constraint annotations on DTO fields:
@NotBlank,@Size, and custom validators - Sanitize user-submitted HTML via allowlist sanitization before rendering
2.4 SQL Injection Prevention
- Utilize Spring Data repositories or parameterized named queries
- Bind dynamic values with
:paramplaceholders for native SQL; never concatenate raw strings with user input
2.5 CSRF Protection
| Scenario | Configuration Rule |
|---|---|
| Browser session-based web apps | Enable CSRF protection; attach CSRF tokens to HTML forms and request headers |
| Pure Bearer Token stateless APIs | Disable CSRF, rely entirely on stateless token authentication |
http.csrf(csrf -> csrf.disable())
.sessionManagement(sm ->
sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
2.6 Secret & Credential Management
- Hardcoded secrets in source code are strictly prohibited
- Load all credentials from environment variables or dedicated Vault secret stores
- Use placeholder substitution within
application.yml; never persist raw secrets in config files - Enforce regular rotation of API tokens and database credentials
2.7 Security Response Headers
http.headers(headers -> headers
.contentSecurityPolicy(csp -> csp
.policyDirectives("default-src 'self'"))
.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin)
.xssProtection(Customizer.withDefaults())
.referrerPolicy(rp ->
rp.policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.NO_REFERRER))
);
2.8 Rate Limiting
- Apply Bucket4j or gateway-layer rate limiting to high-cost resource-heavy endpoints
- Log anomalous traffic spikes and trigger alerting workflows
- Return
429 Too Many Requestsresponses with clear retry guidance headers
2.9 Dependency Security Governance
- Run OWASP Dependency Check / Snyk automated scans within CI pipelines
- Maintain Spring Boot and Spring Security on officially supported minor versions
- Fail CI builds immediately upon detection of unresolved disclosed CVEs
2.10 Logging & PII Redaction
- Never log raw secrets, authentication tokens, plaintext passwords, or full payment PAN data
- Redact all sensitive PII fields in structured log output
- Standardize JSON structured logging format for all application logs
2.11 Secure File Upload Handling
- Validate file size, actual content MIME type, and allowed extensions
- Persist uploaded assets outside the web-accessible document root
- Integrate malware virus scanning for high-risk upload workflows if required
3. Mandatory Pre-Deployment Checklist
- Authentication tokens are fully validated and expired tokens rejected
- All sensitive routes protected by authorization guards
- All untrusted user input validated and sanitized
- No raw string-concatenated SQL queries
- CSRF protection configured correctly matching application session type (browser vs stateless API)
- All secrets externalized; no credentials committed to source control
- Mandatory security response headers enabled
- Global rate limiting applied to all API endpoints
- Dependencies scanned and updated to remediate disclosed vulnerabilities
- Log output contains no unredacted sensitive PII or credentials
4. Primary Use Cases
- New project security baseline setup
Build a complete hardened security foundation during Spring Boot project initialization
- Security audit & code review
Cross-reference the standardized checklist to audit authentication, authorization, input handling and other common vulnerability surfaces
- Pre-production deployment validation
Verify all security controls are fully implemented prior to shipping to staging/production
- Engineering team secure coding training
Serve as standardized secure coding specification documentation for Spring Boot development teams
5. Critical Guiding Principles
- Deny-by-default: All access is blocked unless explicitly permitted
- Full input validation: Every piece of user-controlled input must pass strict validation rules
- Least privilege: Grant only the minimal access scope required to complete assigned tasks
- Configuration-first security: Implement security rules via external config rather than hardcoded logic
- Secrets externalization: All sensitive credentials loaded via environment variables or Vault secret management
- Log redaction rule: Passwords, tokens, and PII must never appear in unredacted application logs