Everything-claude-code springboot-security
Spring Security best practices for authn/authz, validation, CSRF, secrets, headers, rate limiting, and dependency security in Java Spring Boot services.
install
source · Clone the upstream repo
git clone https://github.com/affaan-m/everything-claude-code
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/affaan-m/everything-claude-code "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/springboot-security" ~/.claude/skills/affaan-m-everything-claude-code-springboot-security-7bfabd && rm -rf "$T"
manifest:
skills/springboot-security/SKILL.mdsource content
Spring Boot Security Review
Use when adding auth, handling input, creating endpoints, or dealing with secrets.
When to Activate
- Adding authentication (JWT, OAuth2, session-based)
- Implementing authorization (@PreAuthorize, role-based access)
- Validating user input (Bean Validation, custom validators)
- Configuring CORS, CSRF, or security headers
- Managing secrets (Vault, environment variables)
- Adding rate limiting or brute-force protection
- Scanning dependencies for CVEs
Authentication
- Prefer stateless JWT or opaque tokens with revocation list
- Use
,httpOnly
,Secure
cookies for sessionsSameSite=Strict - Validate tokens with
or resource serverOncePerRequestFilter
@Component public class JwtAuthFilter extends OncePerRequestFilter { private final JwtService jwtService; public JwtAuthFilter(JwtService jwtService) { this.jwtService = jwtService; } @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException { String header = request.getHeader(HttpHeaders.AUTHORIZATION); if (header != null && header.startsWith("Bearer ")) { String token = header.substring(7); Authentication auth = jwtService.authenticate(token); SecurityContextHolder.getContext().setAuthentication(auth); } chain.doFilter(request, response); } }
Authorization
- Enable method security:
@EnableMethodSecurity - Use
or@PreAuthorize("hasRole('ADMIN')")@PreAuthorize("@authz.canEdit(#id)") - Deny by default; expose only required scopes
@RestController @RequestMapping("/api/admin") public class AdminController { @PreAuthorize("hasRole('ADMIN')") @GetMapping("/users") public List<UserDto> listUsers() { return userService.findAll(); } @PreAuthorize("@authz.isOwner(#id, authentication)") @DeleteMapping("/users/{id}") public ResponseEntity<Void> deleteUser(@PathVariable Long id) { userService.delete(id); return ResponseEntity.noContent().build(); } }
Input Validation
- Use Bean Validation with
on controllers@Valid - Apply constraints on DTOs:
,@NotBlank
,@Email
, custom validators@Size - Sanitize any HTML with a whitelist before rendering
// BAD: No validation @PostMapping("/users") public User createUser(@RequestBody UserDto dto) { return userService.create(dto); } // GOOD: Validated DTO public record CreateUserDto( @NotBlank @Size(max = 100) String name, @NotBlank @Email String email, @NotNull @Min(0) @Max(150) Integer age ) {} @PostMapping("/users") public ResponseEntity<UserDto> createUser(@Valid @RequestBody CreateUserDto dto) { return ResponseEntity.status(HttpStatus.CREATED) .body(userService.create(dto)); }
SQL Injection Prevention
- Use Spring Data repositories or parameterized queries
- For native queries, use
bindings; never concatenate strings:param
// BAD: String concatenation in native query @Query(value = "SELECT * FROM users WHERE name = '" + name + "'", nativeQuery = true) // GOOD: Parameterized native query @Query(value = "SELECT * FROM users WHERE name = :name", nativeQuery = true) List<User> findByName(@Param("name") String name); // GOOD: Spring Data derived query (auto-parameterized) List<User> findByEmailAndActiveTrue(String email);
Password Encoding
- Always hash passwords with BCrypt or Argon2 — never store plaintext
- Use
bean, not manual hashingPasswordEncoder
@Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(12); // cost factor 12 } // In service public User register(CreateUserDto dto) { String hashedPassword = passwordEncoder.encode(dto.password()); return userRepository.save(new User(dto.email(), hashedPassword)); }
CSRF Protection
- For browser session apps, keep CSRF enabled; include token in forms/headers
- For pure APIs with Bearer tokens, disable CSRF and rely on stateless auth
http .csrf(csrf -> csrf.disable()) .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
Secrets Management
- No secrets in source; load from env or vault
- Keep
free of credentials; use placeholdersapplication.yml - Rotate tokens and DB credentials regularly
# BAD: Hardcoded in application.yml spring: datasource: password: mySecretPassword123 # GOOD: Environment variable placeholder spring: datasource: password: ${DB_PASSWORD} # GOOD: Spring Cloud Vault integration spring: cloud: vault: uri: https://vault.example.com token: ${VAULT_TOKEN}
Security Headers
http .headers(headers -> headers .contentSecurityPolicy(csp -> csp .policyDirectives("default-src 'self'")) .frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin) .xssProtection(Customizer.withDefaults()) .referrerPolicy(rp -> rp.policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.NO_REFERRER)));
CORS Configuration
- Configure CORS at the security filter level, not per-controller
- Restrict allowed origins — never use
in production*
@Bean public CorsConfigurationSource corsConfigurationSource() { CorsConfiguration config = new CorsConfiguration(); config.setAllowedOrigins(List.of("https://app.example.com")); config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE")); config.setAllowedHeaders(List.of("Authorization", "Content-Type")); config.setAllowCredentials(true); config.setMaxAge(3600L); UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); source.registerCorsConfiguration("/api/**", config); return source; } // In SecurityFilterChain: http.cors(cors -> cors.configurationSource(corsConfigurationSource()));
Rate Limiting
- Apply Bucket4j or gateway-level limits on expensive endpoints
- Log and alert on bursts; return 429 with retry hints
// Using Bucket4j for per-endpoint rate limiting @Component public class RateLimitFilter extends OncePerRequestFilter { private final Map<String, Bucket> buckets = new ConcurrentHashMap<>(); private Bucket createBucket() { return Bucket.builder() .addLimit(Bandwidth.classic(100, Refill.intervally(100, Duration.ofMinutes(1)))) .build(); } @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException { String clientIp = request.getRemoteAddr(); Bucket bucket = buckets.computeIfAbsent(clientIp, k -> createBucket()); if (bucket.tryConsume(1)) { chain.doFilter(request, response); } else { response.setStatus(HttpStatus.TOO_MANY_REQUESTS.value()); response.getWriter().write("{\"error\": \"Rate limit exceeded\"}"); } } }
Dependency Security
- Run OWASP Dependency Check / Snyk in CI
- Keep Spring Boot and Spring Security on supported versions
- Fail builds on known CVEs
Logging and PII
- Never log secrets, tokens, passwords, or full PAN data
- Redact sensitive fields; use structured JSON logging
File Uploads
- Validate size, content type, and extension
- Store outside web root; scan if required
Checklist Before Release
- Auth tokens validated and expired correctly
- Authorization guards on every sensitive path
- All inputs validated and sanitized
- No string-concatenated SQL
- CSRF posture correct for app type
- Secrets externalized; none committed
- Security headers configured
- Rate limiting on APIs
- Dependencies scanned and up to date
- Logs free of sensitive data
Remember: Deny by default, validate inputs, least privilege, and secure-by-configuration first.