Learn-skills.dev springboot-security
Spring Security best practices for authn/authz, validation, CSRF, secrets, headers, rate limiting, and dependency security in Java Spring Boot services.
install
source · Clone the upstream repo
git clone https://github.com/NeverSight/learn-skills.dev
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/NeverSight/learn-skills.dev "$T" && mkdir -p ~/.claude/skills && cp -r "$T/data/skills-md/affaan-m/everything-claude-code/springboot-security" ~/.claude/skills/neversight-learn-skills-dev-springboot-security && rm -rf "$T"
manifest:
data/skills-md/affaan-m/everything-claude-code/springboot-security/SKILL.mdsource content
Spring Boot Security Review
Use when adding auth, handling input, creating endpoints, or dealing with secrets.
Authentication
- Prefer stateless JWT or opaque tokens with revocation list
- Use
,httpOnly
,Secure
cookies for sessionsSameSite=Strict - Validate tokens with
or resource serverOncePerRequestFilter
@Component public class JwtAuthFilter extends OncePerRequestFilter { private final JwtService jwtService; public JwtAuthFilter(JwtService jwtService) { this.jwtService = jwtService; } @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException { String header = request.getHeader(HttpHeaders.AUTHORIZATION); if (header != null && header.startsWith("Bearer ")) { String token = header.substring(7); Authentication auth = jwtService.authenticate(token); SecurityContextHolder.getContext().setAuthentication(auth); } chain.doFilter(request, response); } }
Authorization
- Enable method security:
@EnableMethodSecurity - Use
or@PreAuthorize("hasRole('ADMIN')")@PreAuthorize("@authz.canEdit(#id)") - Deny by default; expose only required scopes
Input Validation
- Use Bean Validation with
on controllers@Valid - Apply constraints on DTOs:
,@NotBlank
,@Email
, custom validators@Size - Sanitize any HTML with a whitelist before rendering
SQL Injection Prevention
- Use Spring Data repositories or parameterized queries
- For native queries, use
bindings; never concatenate strings:param
CSRF Protection
- For browser session apps, keep CSRF enabled; include token in forms/headers
- For pure APIs with Bearer tokens, disable CSRF and rely on stateless auth
http .csrf(csrf -> csrf.disable()) .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
Secrets Management
- No secrets in source; load from env or vault
- Keep
free of credentials; use placeholdersapplication.yml - Rotate tokens and DB credentials regularly
Security Headers
http .headers(headers -> headers .contentSecurityPolicy(csp -> csp .policyDirectives("default-src 'self'")) .frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin) .xssProtection(Customizer.withDefaults()) .referrerPolicy(rp -> rp.policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.NO_REFERRER)));
Rate Limiting
- Apply Bucket4j or gateway-level limits on expensive endpoints
- Log and alert on bursts; return 429 with retry hints
Dependency Security
- Run OWASP Dependency Check / Snyk in CI
- Keep Spring Boot and Spring Security on supported versions
- Fail builds on known CVEs
Logging and PII
- Never log secrets, tokens, passwords, or full PAN data
- Redact sensitive fields; use structured JSON logging
File Uploads
- Validate size, content type, and extension
- Store outside web root; scan if required
Checklist Before Release
- Auth tokens validated and expired correctly
- Authorization guards on every sensitive path
- All inputs validated and sanitized
- No string-concatenated SQL
- CSRF posture correct for app type
- Secrets externalized; none committed
- Security headers configured
- Rate limiting on APIs
- Dependencies scanned and up to date
- Logs free of sensitive data
Remember: Deny by default, validate inputs, least privilege, and secure-by-configuration first.