| name | spring-security |
| description | Use this skill when implementing or reviewing security in a Spring Boot application. Covers authentication, authorization, input validation, secure configuration, and API security best practices. |
Spring Security
Scope
Apply this skill when working on:
- authentication and authorization
- Spring Security configuration
- API endpoint protection
- JWT or session-based security
- secure API design
- handling sensitive data
Security Configuration
- Use Spring Security filter chain configuration.
- Prefer explicit configuration over defaults.
- Deny by default; explicitly allow public endpoints.
- Clearly separate public vs protected routes.
Authentication
- Prefer stateless JWT or secure session-based authentication.
- Extract and validate tokens using filters (e.g.,
OncePerRequestFilter).
- Store tokens securely:
- Prefer httpOnly cookies for browser apps
- Avoid exposing tokens to JavaScript when possible
- Never store or log raw credentials.
Authorization
- Enable method-level security (
@EnableMethodSecurity).
- Use annotations like:
@PreAuthorize("hasRole('ADMIN')")
@PreAuthorize("@authz.isOwner(#id)")
- Enforce authorization at:
- controller level (entry point)
- service layer (critical logic)
- Always verify ownership or permissions before actions.
HTTP Semantics & API Security
- Use correct status codes:
- 401 → unauthenticated
- 403 → authenticated but not authorized
- Never return 200 for security failures.
- Do not leak internal details in responses.
- Keep error responses consistent and minimal.
Input Validation
- Validate all incoming data using Bean Validation (
@Valid).
- Apply constraints:
@NotBlank, @Email, @Size, etc.
- Prefer allowlist validation.
- Reject invalid data early at API boundary.
Injection Prevention
- Never concatenate SQL queries.
- Use:
- Spring Data JPA
- parameterized queries
- Avoid passing raw user input into execution contexts.
Password & Credential Handling
- Always hash passwords using:
- Never store plaintext passwords.
- Use
PasswordEncoder bean.
CSRF Protection
- For browser-based apps:
- Keep CSRF enabled
- include CSRF tokens
- For stateless APIs:
- disable CSRF
- rely on JWT/Bearer tokens
CORS Configuration
- Configure CORS centrally (not per controller).
- Never use wildcard (
*) in production.
- Restrict origins to trusted domains only.
Security Headers
Always configure headers such as:
- Content-Security-Policy
- X-Frame-Options
- X-Content-Type-Options
- Referrer-Policy
These reduce XSS, clickjacking, and injection risks.
Secrets Management
- Never hardcode secrets in code or config.
- Use:
- environment variables
- secret managers (Vault, cloud providers)
- Rotate credentials regularly.
- Do not expose secrets in logs or errors.
Rate Limiting & Abuse Protection
- Apply rate limiting to API endpoints.
- Protect:
- authentication endpoints
- expensive operations
- Return HTTP 429 when limits are exceeded.
Logging & Sensitive Data
- Never log:
- Log:
- authentication attempts
- authorization failures
- Keep logs structured and safe.
File Upload Security
- Validate:
- file size
- file type
- file extension
- Store files outside web root.
- Avoid executing uploaded content.
Dependency Security
- Keep dependencies up to date.
- Scan for vulnerabilities (OWASP, Snyk).
- Do not use outdated Spring Security versions.
Cloud & Infrastructure Awareness
- Follow least privilege principle for access control.
- Store secrets in managed services.
- Enable logging and monitoring.
- Avoid exposing services publicly unless required.
Common Pitfalls
- Missing authorization checks
- Incorrect HTTP status codes
- Hardcoded secrets
- Logging sensitive data
- Using string-based SQL queries
- Overly permissive CORS
- Disabled security headers
Output Expectations
When generating security-related code:
- configure Spring Security explicitly
- secure all endpoints by default
- validate all inputs
- use proper HTTP status codes
- avoid security anti-patterns
- highlight potential vulnerabilities if detected