Spring Boot Security Skill

100 0 Updated: 2026-07-15 14:46:23

Spring Boot Security is a security framework skill based on Spring Boot for building secure and robust applications. It provides core security features such as authentication, authorization, encryption, and session management, supporting multiple authentication methods (e.g., JWT, OAuth2, LDAP), and integrates best practices of Spring Security. This skill is suitable for web applications, microservices, or API gateways that need rapid implementation of user authentication and permission control, helping developers reduce security vulnerabilities and enhance system protection. Security policies can be flexibly customized through configuration files and annotations, reducing development complexity.

Install
bunx skills add https://github.com/affaan-m/ECC.git --skill springboot-security
Skill Details readonly

1. Skill Overview

This skill delivers a systematic security audit framework for Spring Boot applications, covering all security dimensions of Java Spring Boot services from authentication & authorization through production deployment. It functions simultaneously as an actionable security checklist and standardized secure coding specification.
Core Principles: Deny-by-default, validate all input, least privilege access, configuration-driven security.

2. Core Capabilities

2.1 Authentication

Best Practice Specification
Token Strategy Prefer stateless JWT or opaque revocable tokens with revocation lists
Secure Cookie Policy Store session data in cookies marked HttpOnly, Secure, SameSite=Strict
Token Validation Validate tokens via OncePerRequestFilter or Spring Resource Server components
java
@Component
public class JwtAuthFilter extends OncePerRequestFilter {
    private final JwtService jwtService;
    public JwtAuthFilter(JwtService jwtService) { this.jwtService = jwtService; }
    @Override
    protected void doFilterInternal(HttpServletRequest request, 
            HttpServletResponse response, FilterChain chain) 
            throws ServletException, IOException {
        String header = request.getHeader(HttpHeaders.AUTHORIZATION);
        if (header != null && header.startsWith("Bearer ")) {
            String token = header.substring(7);
            Authentication auth = jwtService.authenticate(token);
            SecurityContextHolder.getContext().setAuthentication(auth);
        }
        chain.doFilter(request, response);
    }
}

2.2 Authorization

  • Enable method-level security with @EnableMethodSecurity
  • Apply fine-grained access control via @PreAuthorize("hasRole('ADMIN')") or dynamic bean checks @PreAuthorize("@authz.canEdit(#id)")
  • Follow deny-by-default logic; only expose minimal required scopes publicly

2.3 Input Validation

  • Use @Valid with Bean Validation on all controller request DTOs
  • Apply constraint annotations on DTO fields: @NotBlank, @Size, and custom validators
  • Sanitize user-submitted HTML via allowlist sanitization before rendering

2.4 SQL Injection Prevention

  • Utilize Spring Data repositories or parameterized named queries
  • Bind dynamic values with :param placeholders for native SQL; never concatenate raw strings with user input

2.5 CSRF Protection

Scenario Configuration Rule
Browser session-based web apps Enable CSRF protection; attach CSRF tokens to HTML forms and request headers
Pure Bearer Token stateless APIs Disable CSRF, rely entirely on stateless token authentication
java
http.csrf(csrf -> csrf.disable())
    .sessionManagement(sm -> 
        sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));

2.6 Secret & Credential Management

  • Hardcoded secrets in source code are strictly prohibited
  • Load all credentials from environment variables or dedicated Vault secret stores
  • Use placeholder substitution within application.yml; never persist raw secrets in config files
  • Enforce regular rotation of API tokens and database credentials

2.7 Security Response Headers

http.headers(headers -> headers
    .contentSecurityPolicy(csp -> csp
        .policyDirectives("default-src 'self'"))
    .frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin)
    .xssProtection(Customizer.withDefaults())
    .referrerPolicy(rp -> 
        rp.policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.NO_REFERRER))
);

2.8 Rate Limiting

  • Apply Bucket4j or gateway-layer rate limiting to high-cost resource-heavy endpoints
  • Log anomalous traffic spikes and trigger alerting workflows
  • Return 429 Too Many Requests responses with clear retry guidance headers

2.9 Dependency Security Governance

  • Run OWASP Dependency Check / Snyk automated scans within CI pipelines
  • Maintain Spring Boot and Spring Security on officially supported minor versions
  • Fail CI builds immediately upon detection of unresolved disclosed CVEs

2.10 Logging & PII Redaction

  • Never log raw secrets, authentication tokens, plaintext passwords, or full payment PAN data
  • Redact all sensitive PII fields in structured log output
  • Standardize JSON structured logging format for all application logs

2.11 Secure File Upload Handling

  • Validate file size, actual content MIME type, and allowed extensions
  • Persist uploaded assets outside the web-accessible document root
  • Integrate malware virus scanning for high-risk upload workflows if required

3. Mandatory Pre-Deployment Checklist

All items must be fully validated before production release:
  1. Authentication tokens are fully validated and expired tokens rejected
  2. All sensitive routes protected by authorization guards
  3. All untrusted user input validated and sanitized
  4. No raw string-concatenated SQL queries
  5. CSRF protection configured correctly matching application session type (browser vs stateless API)
  6. All secrets externalized; no credentials committed to source control
  7. Mandatory security response headers enabled
  8. Global rate limiting applied to all API endpoints
  9. Dependencies scanned and updated to remediate disclosed vulnerabilities
  10. Log output contains no unredacted sensitive PII or credentials

4. Primary Use Cases

  1. New project security baseline setup
     
    Build a complete hardened security foundation during Spring Boot project initialization
  2. Security audit & code review
     
    Cross-reference the standardized checklist to audit authentication, authorization, input handling and other common vulnerability surfaces
  3. Pre-production deployment validation
     
    Verify all security controls are fully implemented prior to shipping to staging/production
  4. Engineering team secure coding training
     
    Serve as standardized secure coding specification documentation for Spring Boot development teams

5. Critical Guiding Principles

  1. Deny-by-default: All access is blocked unless explicitly permitted
  2. Full input validation: Every piece of user-controlled input must pass strict validation rules
  3. Least privilege: Grant only the minimal access scope required to complete assigned tasks
  4. Configuration-first security: Implement security rules via external config rather than hardcoded logic
  5. Secrets externalization: All sensitive credentials loaded via environment variables or Vault secret management
  6. Log redaction rule: Passwords, tokens, and PII must never appear in unredacted application logs

Summary

Spring Boot Security is a complete best-practice skillset for securing Spring Boot Java backend services, covering 11 core security domains: authentication, authorization, input validation, SQL injection mitigation, CSRF protection, secret governance, security HTTP headers, API rate limiting, dependency vulnerability scanning, PII log redaction, and secure file upload workflows. It provides production-ready code examples and a mandatory pre-release validation checklist, designed for Spring Boot developers to implement new project security baselines, conduct code security audits, run pre-production release gate checks, and deliver team secure coding training.