Cookbook Name: Spring
Description: Best practices spanning the Java Spring projects including Boot, Core, Data, Security and Web.
Owner: Secure Code Warrior
Number of Recipes: 91
Recipe Name | Description | Language | Level | Tags
Spring/Boot
Code quality: Do not add @Scope("singleton") on a Spring (rest)controller, service or repository | Adding @Scope("singleton") is redundant | java | info | web, framework specific, Spring Boot, Spring, quality
EnvironmentTestUtils is deprecated | EnvironmentTestUtils is deprecated | java | warning | Spring Boot, Spring
RestTemplateBuilder#requestFactory(ClientHttpRequestFactory) is deprecated | RestTemplateBuilder#requestFactory(ClientHttpRequestFactory) is deprecated | java | error | Spring Boot, Spring
Session configuration: Cookies: Configure HttpOnly flag | Prevent client-side scripts from accessing the cookie by setting the HttpOnly flag to true | java | error | Spring, security, framework specific, web, Spring Boot, OWASP Top 10
Session configuration: Cookies: Configure Secure flag | Prevent a cookie being sent over unencrypted HTTP by setting the Secure flag to true | java | error | Spring, security, framework specific, web, Spring Boot, OWASP Top 10
Session configuration: Cookies: Set HttpOnly flag to true | Prevent client-side scripts from accessing the cookie by setting the HttpOnly flag to true | java | error | Spring, security, framework specific, web, Spring Boot, OWASP Top 10
Session configuration: Cookies: Set Secure flag to true | Prevent a cookie being sent over unencrypted HTTP by setting the Secure flag to true | java | error | Spring, security, framework specific, web, Spring Boot, OWASP Top 10
Spring recommendation: @(Rest)Controller, @Service, @Repository should be singletons | Classes annotated with @(Rest)Controller, @Service or @Repository should have singleton scope | java | warning | web, framework specific, Spring Boot, Spring, quality
Spring/Core
Field injection is not recommended | Field injection is not recommended because the list of required dependencies is unclear at instance creation. This makes testing more difficult and can lead to runtime exceptions when the bean is instantiated without Spring. | java, kotlin | info | Spring, Spring Core, dependency injection, framework specific, quality
Field injection is not recommended (lombok) | Field injection is not recommended because the list of required dependencies is unclear at instance creation. This makes testing more difficult and can lead to runtime exceptions when the bean is instantiated without Spring. | java, kotlin | info | Spring, Spring Core, dependency injection, framework specific, Lombok, quality
Input Validation: Avoid Spring Expression Language Injection: Do not evaluate expressions controlled by user input (ExpressionParser) | Parsing a user-controlled string as a SpEL expression leads to Spring Expression Language Injection | java | error | expression language, Spring, Spring Core, security, framework specific, injection, OWASP Top 10
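The SpEL and dependency-injection recipes above in one place, as an added example that is not code from the cookbook or from Spring itself. It assumes Spring Framework 6.x (spring-context and spring-expression on the classpath); the service, its product type and the "category" rule are made up for illustration. The flagged method keeps the vulnerable behaviour the recipe describes so the two forms can be compared.

```java
// Added example, not code from the Secure Code Warrior cookbook or from Spring.
// Assumes Spring Framework 6.x (spring-context, spring-expression). The service,
// its product type and the "category" rule are made up for illustration.
package example.spel;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.stereotype.Service;

@Service
public class ProductFilterService {

    // Constructor injection instead of @Autowired on a field: the dependency is
    // explicit and final, and the class can be built in a plain unit test with
    // new ProductFilterService(new SpelExpressionParser()) and no container.
    private final ExpressionParser parser;

    public ProductFilterService(ExpressionParser parser) {
        this.parser = parser;
    }

    /**
     * FLAGGED: the user-controlled string is the expression itself. Against a
     * StandardEvaluationContext, SpEL resolves type references, so input such as
     * T(java.lang.Runtime).getRuntime().exec("id") runs on the server.
     */
    public Object evaluateUserExpression(String userInput) {
        Expression exp = parser.parseExpression(userInput);
        return exp.getValue(new StandardEvaluationContext());
    }

    /**
     * SAFE: the expression is a fixed, developer-owned template and user input only
     * enters as a variable value, so it can never become syntax. As defence in depth
     * the context is SimpleEvaluationContext in read-only data-binding mode: no T()
     * type references, no constructors, no bean references, no method invocation.
     */
    public boolean matchesCategory(Product product, String requestedCategory) {
        Expression exp = parser.parseExpression("category == #wanted");
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        ctx.setVariable("wanted", requestedCategory);
        return Boolean.TRUE.equals(exp.getValue(ctx, product, Boolean.class));
    }

    public static class Product {
        private final String name;
        private final String category;

        public Product(String name, String category) {
            this.name = name;
            this.category = category;
        }

        public String getName() { return name; }
        public String getCategory() { return category; }
    }

    @Configuration
    static class SpelConfig {
        @Bean
        ExpressionParser spelParser() {
            return new SpelExpressionParser();
        }
    }
}
```

The important line is the fixed template passed to parseExpression: if user input ever reaches that call, switching to SimpleEvaluationContext reduces the blast radius but does not make the design correct. Treat the restricted context as the second lock, not the first.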
Spring/Data
Missing annotation in update query | Queries performing write operations should have the @Modifying annotation. | java | error | Spring, framework specific, Spring Data, quality
Spring/Data/JDBC
Input Validation: Avoid JDBC Injection: Bind variables in prepared statements: Two parameters | Could lead to JDBC Injection | java | error | Spring, security, Spring Data, framework specific, injection, SQL, OWASP Top 10
Input Validation: Avoid JDBC Injection: Bind variables in prepared statements: single parameter | Could lead to JDBC Injection | java | error | Spring, security, Spring Data, framework specific, injection, SQL, OWASP Top 10
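The Spring/Data and Spring/Data/JDBC recipes together, as an added example that is not cookbook or Spring code. It assumes Spring Boot 3.x with Spring Data JPA and spring-jdbc (Jakarta Persistence); the Account entity, table and column names are made up. The concatenating method is the flagged form and is kept vulnerable on purpose.

```java
// Added example, not code from the Secure Code Warrior cookbook or from Spring.
// Assumes Spring Boot 3.x, Spring Data JPA and spring-jdbc. Entity, table and
// column names are made up for illustration.
package example.data;

import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Modifying;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.stereotype.Repository;
import org.springframework.transaction.annotation.Transactional;

import java.time.Instant;
import java.util.List;
import java.util.Map;

@Entity
class Account {
    @Id Long id;
    String owner;
    boolean locked;
    Instant lastLogin;
}

interface AccountRepository extends JpaRepository<Account, Long> {

    // A write query must carry @Modifying; without it Spring Data executes the
    // JPQL as a read (getResultList) and the update fails at runtime.
    // @Transactional is needed as well: derived query methods are read-only.
    @Modifying
    @Transactional
    @Query("update Account a set a.locked = true where a.lastLogin < :cutoff")
    int lockDormantAccounts(@Param("cutoff") Instant cutoff);
}

@Repository
class AccountJdbcDao {

    private final JdbcTemplate jdbc;

    AccountJdbcDao(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    // FLAGGED: the value is spliced into the SQL text. owner = "x' OR '1'='1"
    // returns every row; a UNION or stacked statement does far worse.
    List<Map<String, Object>> findByOwnerUnsafe(String owner) {
        return jdbc.queryForList("select * from account where owner = '" + owner + "'");
    }

    // SAFE, single parameter: the value travels as a bind variable of a prepared
    // statement and is never interpreted as SQL.
    List<Map<String, Object>> findByOwner(String owner) {
        return jdbc.queryForList("select * from account where owner = ?", owner);
    }

    // SAFE, two parameters: one placeholder per value, supplied in order.
    List<Map<String, Object>> findByOwnerAndLocked(String owner, boolean locked) {
        return jdbc.queryForList("select * from account where owner = ? and locked = ?",
                owner, locked);
    }
}
```

Bind variables protect values only. Identifiers (table or column names, ORDER BY targets) cannot be bound and must be checked against an allow-list before being placed in the statement.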
Spring/Security
Access Control: MvcRequestMatcher is more secure than AntPathRequestMatcher for Spring MVC patterns | When using Spring MVC it is recommended to use MvcRequestMatcher, as it protects every path Spring MVC's annotations will match on, instead of only the literal pattern provided | java | warning | Spring, security, Spring MVC, Spring Security, access control
Authentication: Username Enumeration: avoid UsernameNotFoundException | Avoid throwing a UsernameNotFoundException, as it could lead to username enumeration | java | warning | Spring, security, framework specific, web, Spring Security, OWASP Top 10
Authentication: Username Enumeration: setHideUserNotFoundExceptions should be set to true | Prevent enumeration by not throwing an exception that reveals whether the username exists | java | warning | Spring, security, framework specific, web, Spring Security, OWASP Top 10
Security Misconfiguration: Clickjacking protection: Disabled Header - frameOptions() | Disabling Spring Security's default headers makes the application vulnerable to clickjacking | java | warning | Spring, security, framework specific, web, Spring Security, Clickjacking, OWASP Top 10
Security Misconfiguration: Content sniffing protection | Do not disable contentTypeOptions; the X-Content-Type-Options: nosniff header it emits prevents MIME sniffing | java | error | Spring, security, framework specific, web, Spring Security, OWASP Top 10
Security Misconfiguration: Disabled Headers | Disabling Spring Security's default headers makes the application vulnerable | java | warning | Spring, security, framework specific, web, Spring Security, OWASP Top 10
Security Misconfiguration: EnableWebSecurity with Debug enabled | The debug parameter of @EnableWebSecurity should not be hardcoded to true | java | warning | Spring, security, framework specific, web, Spring Security, OWASP Top 10
Spring Security: race condition: SecurityContextHolder.getContext().setAuthentication() | Create a new SecurityContext instance instead of mutating the shared one, to avoid race conditions across multiple threads | java | error | Spring, security, framework specific, web, Spring Security
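The access-control, username-enumeration and SecurityContext recipes of this section, as an added example that is not cookbook or Spring code. It assumes Spring Security 6.x with Spring MVC (spring-security-config, spring-webmvc); the /admin path and the UserDetailsService and PasswordEncoder beans are assumed to exist elsewhere. The header recipes (frameOptions, contentTypeOptions, headers disabled) are illustrated with the HTTPS and XSS recipes further down.

```java
// Added example, not code from the Secure Code Warrior cookbook or from Spring.
// Assumes Spring Security 6.x with Spring MVC. The /admin path and the
// UserDetailsService / PasswordEncoder beans are assumed to exist elsewhere.
package example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;

@Configuration
@EnableWebSecurity   // no "debug = true": that logs every request, headers and cookies included
public class WebSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, HandlerMappingIntrospector introspector)
            throws Exception {
        // MvcRequestMatcher matches the way Spring MVC's HandlerMapping does, so every
        // URL variant MVC would route to the /admin controllers is covered.
        // AntPathRequestMatcher("/admin/**") only protects the literal pattern.
        MvcRequestMatcher admin = new MvcRequestMatcher(introspector, "/admin/**");
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(admin).hasRole("ADMIN")
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());   // headers() and csrf() keep their defaults
        return http.build();
    }

    @Bean
    AuthenticationProvider authenticationProvider(UserDetailsService users, PasswordEncoder encoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);
        provider.setPasswordEncoder(encoder);
        // true (the default) converts UsernameNotFoundException into BadCredentialsException,
        // so an unknown username and a wrong password give the same response and timing path.
        provider.setHideUserNotFoundExceptions(true);
        return provider;
    }

    /**
     * Programmatic login. Do NOT write
     *   SecurityContextHolder.getContext().setAuthentication(auth);
     * getContext() may hand back a context that another thread also holds (thread
     * pools, the INHERITABLETHREADLOCAL strategy), so mutating it in place can leak
     * one user's authentication into another request. Build a fresh context and
     * publish it in one step instead.
     */
    static void loginCurrentThread(Authentication auth) {
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(auth);
        SecurityContextHolder.setContext(ctx);
    }
}
```

If a custom UserDetailsService must signal "no such user", throw UsernameNotFoundException and let the provider hide it; do not return null or a sentinel user, both of which break the hiding logic.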
Spring/Security/CORS
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin | Avoid enabling CORS, or configure it as strictly as possible | java | warning | Spring, security, framework specific, web, Spring Security
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - allowCredentials | Allowing credentials makes the application more vulnerable | java | warning | Spring, security, framework specific, web, Spring Security
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - allowedHeaders | Allowing all headers makes the application vulnerable | java | warning | Spring, security, framework specific, web, Spring Security
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - exposedHeaders | Exposing all headers makes the application vulnerable | java | warning | Spring, security, framework specific, web, Spring Security
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - maxAge | A value over 30 minutes is considered prolonged and likely to reduce security | java | warning | Spring, security, framework specific, web, Spring Security
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - methods | Allowing unsafe methods puts the application at risk | java | warning | Spring, security, framework specific, web, Spring Security
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - origins | Allowing all origins makes the application vulnerable to scripts from any domain | java | warning | Spring, security, framework specific, web, Spring Security
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowCredentials | Allowing credentials makes the application more vulnerable | java | warning | Spring, security, framework specific, web, Spring Security
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowedHeaders | Allowing all headers makes the application vulnerable | java | warning | Spring, security, framework specific, web, Spring Security
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowedMethods | Allowing unsafe methods puts the application at risk | java | warning | Spring, security, framework specific, web, Spring Security
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowedOrigins | Allowing all origins makes the application vulnerable to scripts from any domain | java | warning | Spring, security, framework specific, web, Spring Security
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#exposedHeaders | Exposing all headers makes the application vulnerable | java | warning | Spring, security, framework specific, web, Spring Security
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#maxAge | A value over 30 minutes is considered prolonged and likely to reduce security | java | warning | Spring, security, framework specific, web, Spring Security
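Both CORS configuration styles the recipes cover, broad beside narrow, as an added example that is not cookbook or Spring code. It assumes Spring Web MVC 6.x; the origin https://app.example.test, the /reports and /api paths and the header names are made up. The broad controller method deliberately carries every setting the recipes flag.

```java
// Added example, not code from the Secure Code Warrior cookbook or from Spring.
// Assumes Spring Web MVC 6.x. Origin, paths and header names are made up.
package example.cors;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@RestController
class ReportController {

    // FLAGGED on every attribute: any origin (reflected, because credentials are
    // on; origins = "*" with allowCredentials is refused by Spring at start-up,
    // originPatterns = "*" is not), unsafe methods, all request and response
    // headers, credentials, and a 24-hour preflight cache. Any site the user
    // visits can then call this endpoint with the user's cookies and read the reply.
    @CrossOrigin(originPatterns = "*",
                 methods = {RequestMethod.GET, RequestMethod.POST, RequestMethod.PUT, RequestMethod.DELETE},
                 allowedHeaders = "*", exposedHeaders = "*",
                 allowCredentials = "true", maxAge = 86400)
    @GetMapping("/reports/broad")
    String broad() { return "[]"; }

    // Narrow: one trusted origin, safe method only, exactly the headers the client
    // sends and reads, no credentials unless cookie-based auth truly needs them,
    // preflight cached for 30 minutes (the recipes' upper bound).
    @CrossOrigin(origins = "https://app.example.test",
                 methods = RequestMethod.GET,
                 allowedHeaders = {"Content-Type", "Authorization"},
                 exposedHeaders = "X-Request-Id",
                 allowCredentials = "false", maxAge = 1800)
    @GetMapping("/reports")
    String reports() { return "[]"; }
}

// Global equivalent through CorsRegistry; the same limits apply to each call.
@Configuration
class CorsConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**")
                .allowedOrigins("https://app.example.test")       // not "*"
                .allowedMethods("GET", "POST")                    // no PUT/DELETE unless required
                .allowedHeaders("Content-Type", "Authorization")  // not "*"
                .exposedHeaders("X-Request-Id")                   // not "*"
                .allowCredentials(false)                          // true only for cookie-based auth
                .maxAge(1800);                                    // seconds; 30 minutes
    }
}
```

When Spring Security is also on the classpath, register the same policy through http.cors(...) with a CorsConfigurationSource, otherwise the preflight OPTIONS request is rejected before it reaches the MVC layer.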
Spring/Security/CSRF
CSRF: Disabled CSRF protection (AbstractHttpConfigurer) | Disabling Spring Security's CSRF protection makes the application vulnerable | java | error | Spring, security, framework specific, web, Spring Security, CSRF, OWASP Top 10
CSRF: Disabled CSRF protection (HttpSecurity) | Disabling Spring Security's CSRF protection makes the application vulnerable | java | error | Spring, security, framework specific, web, Spring Security, CSRF, OWASP Top 10
Security Misconfiguration: Disabled Security Settings: CookieCsrfTokenRepository#withHttpOnlyFalse | Keep HttpOnly set to true on the CSRF cookie, or remove the withHttpOnlyFalse() call | java | error | Spring, security, framework specific, web, Spring Security, CSRF, OWASP Top 10
Spring/Security/Encryptors
Avoid hardcoded secrets when using the Encryptors class | Using the Encryptors class with hardcoded secrets is security sensitive | java | error | Spring, security, framework specific, Spring Security
Encryptors requires the use of a random 8-byte salt | The salt should be random, 8 bytes long and supplied as a hex-encoded String | java | error | Spring, security, framework specific, Spring Security
Use .delux() for a 'stronger' password-based encryption | Encryptors.delux() is the text-encryptor counterpart of stronger() (AES-GCM) and should be preferred over Encryptors.text() | java | warning | Spring, security, framework specific, Spring Security
Use .stronger() for a more secure alternative | Encryptors.stronger() (AES-GCM, authenticated) is more secure than Encryptors.standard() (AES-CBC) | java | warning | Spring, security, framework specific, Spring Security
Spring/Security/HTTPS
Secure Transport: use RequiresSecure to enforce HTTPS | Serve requests over HTTPS instead of unencrypted HTTP | java | error | Spring, security, framework specific, web, Spring Security, OWASP Top 10
Secure Transport: use RequiresSecure to enforce HTTPS on all paths | Enforce HTTPS on all requests, not just on a selected few | java | warning | Spring, security, framework specific, web, Spring Security, OWASP Top 10
Security Misconfiguration: Disable Security Features - HSTS | Keep HSTS enabled so browsers refuse to downgrade to plain HTTP | java | error | Spring, security, framework specific, web, Spring Security, OWASP Top 10
Security Misconfiguration: HSTS - includeSubDomains | Include subdomains in the HSTS policy | java | error | Spring, security, framework specific, web, Spring Security, OWASP Top 10
Should use requiresSecure | Use of HTTP instead of HTTPS is insecure | java | error | Spring, security, framework specific, web, Spring Security, OWASP Top 10
Spring/Security/PasswordEncoders
Avoid hardcoded secrets when using password encoders | Using password encoders with hardcoded secrets is security sensitive | java | error | Spring, security, framework specific, Spring Security
Data Protection: Secure Data Storage: Avoid Data Exposure: Do not use NoOpPasswordEncoder | Could lead to data exposure | java | error | Spring, security, framework specific, Spring Security
Data Protection: Secure Data Storage: Avoid Data Exposure: Hash passwords using strong hashing algorithms | Could lead to data exposure | java | error | security, framework specific, Spring, Spring Security
Data Protection: Secure Data Storage: Avoid Data Exposure: Hash passwords using strong hashing algorithms | Could lead to data exposure | java | error | Spring, security, framework specific, Spring Security
Spring Security recommends DelegatingPasswordEncoder for best practices | DelegatingPasswordEncoder allows more flexibility when using several encoders, for code changes and for migrating | java | info | Spring, security, framework specific, Spring Security
Spring Security recommends DelegatingPasswordEncoder for best practices (BCrypt) | DelegatingPasswordEncoder allows more flexibility when using several encoders, for code changes and for migrating | java | info | Spring, security, framework specific, Spring Security
Spring Security recommends DelegatingPasswordEncoder for best practices (Bean - BCrypt) | DelegatingPasswordEncoder allows more flexibility when using several encoders, for code changes and for migrating | java, kotlin | info | Spring, security, framework specific, Spring Security
Spring Security recommends DelegatingPasswordEncoder for best practices (Bean) | DelegatingPasswordEncoder allows more flexibility when using several encoders, for code changes and for migrating | java, kotlin | info | Spring, security, framework specific, Spring Security
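The Encryptors and PasswordEncoders recipes side by side, as an added example that is not cookbook or Spring code. It assumes spring-security-crypto 6.x and Spring's @Value property injection; the property names app.crypto.password and app.crypto.salt are made up and are expected to be supplied from the environment or a secrets manager, never from the source tree.

```java
// Added example, not code from the Secure Code Warrior cookbook or from Spring.
// Assumes spring-security-crypto 6.x and @Value support. Property names are made up.
package example.crypto;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.encrypt.BytesEncryptor;
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.keygen.KeyGenerators;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class CryptoConfig {

    // Symmetric encryption of data at rest. The password is injected from
    // configuration backed by the environment or a vault, not a string literal.
    // The salt is the PBKDF2 salt used to derive the AES key: random, 8 bytes,
    // hex-encoded (16 hex characters). It is not secret, but it must be stored
    // and reused; deriving with a fresh salt would make existing ciphertext
    // undecryptable.
    //
    // FLAGGED alternatives:
    //   Encryptors.standard("s3cr3t", "deadbeef")   hardcoded secret, AES/CBC (unauthenticated)
    //   Encryptors.stronger(password, "salt")        "salt" is not 8 random bytes in hex
    @Bean
    BytesEncryptor bytesEncryptor(@Value("${app.crypto.password}") String password,
                                  @Value("${app.crypto.salt}") String hexSalt) {
        return Encryptors.stronger(password, hexSalt);   // AES-256/GCM with a random IV per message
    }

    // Same key material, String in / hex String out. delux() wraps stronger();
    // Encryptors.text() wraps the CBC-based standard() and is the one to move away from.
    @Bean
    TextEncryptor textEncryptor(@Value("${app.crypto.password}") String password,
                                @Value("${app.crypto.salt}") String hexSalt) {
        return Encryptors.delux(password, hexSalt);
    }

    // Run once when provisioning: KeyGenerators.string() yields exactly the
    // 8-byte hex-encoded random value Encryptors expects. Store it in configuration.
    static String newHexSalt() {
        return KeyGenerators.string().generateKey();
    }

    // Password storage is a separate problem: hash, never encrypt. The delegating
    // encoder prefixes each hash with its algorithm id ({bcrypt}, {argon2}, ...),
    // so old hashes keep verifying while new ones use the current default, and the
    // default can change without a migration script.
    //
    // FLAGGED: NoOpPasswordEncoder.getInstance(), new MessageDigestPasswordEncoder("MD5"),
    //          StandardPasswordEncoder (SHA-256), LdapShaPasswordEncoder.
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
}
```

A BCryptPasswordEncoder bean is acceptable when the recipes say "(BCrypt)", but wrapping it in the delegating encoder costs nothing and keeps the algorithm id in the stored hash, which is what makes a later move to Argon2 or a higher work factor a configuration change instead of a data migration.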
Spring/Security/Session
Protect against Session Fixation attacks | Spring Security's default protection against session fixation has been disabled, so an attacker who plants a session id before login could hijack the authenticated session | java | warning | Spring, security, framework specific, Spring Security, web
Security Misconfiguration: Prevent session from being included in the URL | Do not use URL parameters for session tracking | java | warning | Spring, security, framework specific, Spring Security, web
Session Configuration: Invalidate the HttpSession after logout | Invalidate the session and its data when the user logs out | java | warning | Spring, security, framework specific, Spring Security, web
Spring/Security/StrictHttpFirewall
Security Misconfiguration: StrictHttpFirewall: Avoid DefaultHttpFirewall (instance creation) | Using DefaultHttpFirewall may lead to security flaws | java | warning | Spring, security, framework specific, Spring Security, web
Security Misconfiguration: StrictHttpFirewall: Avoid DefaultHttpFirewall (method return type) | Using DefaultHttpFirewall may lead to security flaws | java, kotlin | warning | Spring, security, framework specific, Spring Security, web
Security Misconfiguration: StrictHttpFirewall: Rule configuration: HTTP method validation | Allowing only an explicit set of HTTP methods is more secure than allowing any method | java | warning | Spring, security, framework specific, Spring Security, web
Security Misconfiguration: StrictHttpFirewall: Rule configuration: Reject (URL encoded) backslash | Rejecting the use of a (URL encoded) backslash is more secure | java | warning | Spring, security, framework specific, Spring Security, web
Security Misconfiguration: StrictHttpFirewall: Rule configuration: Reject (URL encoded) null | Rejecting the use of a (URL encoded) null byte is more secure | java | warning | Spring, security, framework specific, Spring Security, web
Security Misconfiguration: StrictHttpFirewall: Rule configuration: Reject URL encoded double slash | Rejecting the use of a URL encoded double slash in the URL is more secure | java | warning | Spring, security, framework specific, Spring Security, web
Security Misconfiguration: StrictHttpFirewall: Rule configuration: Reject URL encoded percent | Rejecting the use of a URL encoded percent sign in the URL is more secure | java | warning | Spring, security, framework specific, Spring Security, web
Security Misconfiguration: StrictHttpFirewall: Rule configuration: Reject URL encoded period | Rejecting the use of a URL encoded period is more secure | java | warning | Spring, security, framework specific, Spring Security, web
Security Misconfiguration: StrictHttpFirewall: Rule configuration: Reject URL encoded slash | Rejecting the use of a URL encoded slash is more secure | java | warning | Spring, security, framework specific, Spring Security, web
Security Misconfiguration: StrictHttpFirewall: Rule configuration: Reject semicolon | Rejecting semicolons is more secure | java | warning | Spring, security, framework specific, Spring Security, web
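The StrictHttpFirewall recipes as a bean definition plus a small self-check, as an added example that is not cookbook or Spring code. It assumes Spring Security 6.x and spring-test (for MockHttpServletRequest, used only by the check at the bottom); the /api paths are made up.

```java
// Added example, not code from the Secure Code Warrior cookbook or from Spring.
// Assumes Spring Security 6.x; spring-test is needed only for the main() check.
package example.firewall;

import jakarta.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

import java.util.List;

@Configuration
public class FirewallConfig {

    // StrictHttpFirewall is Spring Security's default. Every setter below is at its
    // strict default value; they are spelled out so that a diff shows exactly which
    // rule someone relaxes later, and why.
    // FLAGGED: return new DefaultHttpFirewall(); it normalises the path and rejects
    // only %2F, "//", "/./" and "/../"; semicolons, backslashes, encoded periods,
    // NUL bytes and %25 pass straight through.
    @Bean
    HttpFirewall httpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowedHttpMethods(List.of("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"));
        // never firewall.setUnsafeAllowAnyHttpMethod(true)
        firewall.setAllowSemicolon(false);              // ;jsessionid=... and matrix-variable tricks
        firewall.setAllowBackSlash(false);              // \ and %5C path confusion
        firewall.setAllowNull(false);                   // NUL and %00
        firewall.setAllowUrlEncodedSlash(false);        // %2F
        firewall.setAllowUrlEncodedDoubleSlash(false);  // %2F%2F
        firewall.setAllowUrlEncodedPeriod(false);       // %2E, encoded "." for ../ traversal
        firewall.setAllowUrlEncodedPercent(false);      // %25, double encoding
        return firewall;
    }

    @Bean
    WebSecurityCustomizer useFirewall(HttpFirewall firewall) {
        return web -> web.httpFirewall(firewall);
    }

    // Returns true when the firewall would reject the request. In production the
    // FilterChainProxy performs this call for every request before any filter runs.
    static boolean rejects(HttpFirewall firewall, String method, String uri) {
        HttpServletRequest request = new MockHttpServletRequest(method, uri);
        try {
            firewall.getFirewalledRequest(request);
            return false;
        } catch (RequestRejectedException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        HttpFirewall fw = new FirewallConfig().httpFirewall();
        System.out.println("plain path rejected:         " + rejects(fw, "GET", "/api/report"));
        System.out.println("semicolon in path rejected:  " + rejects(fw, "GET", "/api/report;jsessionid=abc"));
        System.out.println("encoded slash rejected:      " + rejects(fw, "GET", "/api/..%2Fadmin"));
        System.out.println("TRACE method rejected:       " + rejects(fw, "TRACE", "/api/report"));
    }
}
```

With the defaults above, StrictHttpFirewall accepts the plain path and raises RequestRejectedException for the semicolon, the encoded slash and the TRACE method. If a legitimate client needs one of these (matrix variables, for instance), relax that single setter on this bean and leave the rest strict; do not fall back to DefaultHttpFirewall.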
Spring/Security/XSS
Security Misconfiguration: XSS protection: Add CSP header - XXssConfig | Add a CSP header for additional protection against XSS and data injection | java | info | Spring, security, framework specific, Spring Security, web, XSS, OWASP Top 10
Security Misconfiguration: XSS protection: Add CSP header - xssProtection | Add a CSP header for additional protection against XSS and data injection | java | info | Spring, security, framework specific, Spring Security, web, XSS, OWASP Top 10
Security Misconfiguration: XSS protection: Disabled Header - block() | Protection against XSS is better done by blocking the page than by filtering the content | java | warning | Spring, security, framework specific, Spring Security, web, XSS, OWASP Top 10
Security Misconfiguration: XSS protection: Disabled Header - disable() | Do not disable Spring Security's built-in XSS protection header | java | warning | Spring, security, framework specific, Spring Security, web, XSS, OWASP Top 10
Security Misconfiguration: XSS protection: Disabled Header - xssProtectionEnabled() | Do not disable Spring Security's built-in XSS protection header | java | warning | Spring, security, framework specific, Spring Security, web, XSS, OWASP Top 10
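The response-header and transport recipes together (frameOptions, contentTypeOptions and "Disabled Headers" from Spring/Security, the HTTPS and HSTS rows, and the CSP and X-XSS-Protection rows above), as an added example that is not cookbook or Spring code. It assumes Spring Security 6.x on the servlet stack and a TLS connector or a trusted proxy that forwards the scheme; the CSP policy string is a starting point, not a recommendation for any particular application.

```java
// Added example, not code from the Secure Code Warrior cookbook or from Spring.
// Assumes Spring Security 6.x on the servlet stack. The CSP directives are a
// conservative starting point and will need tailoring per application.
package example.headers;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;

@Configuration
@EnableWebSecurity
public class HeadersConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())

            // Secure transport on every path, not a hand-picked few. Plain-HTTP
            // requests are redirected to HTTPS. Behind a proxy this needs the
            // X-Forwarded-Proto header to be honoured (server.forward-headers-strategy).
            .requiresChannel(channel -> channel.anyRequest().requiresSecure())

            .headers(headers -> headers
                // FLAGGED: headers.disable() removes every header below in one call.

                // HSTS: one year, subdomains included, eligible for browser preload lists.
                // FLAGGED: httpStrictTransportSecurity(hsts -> hsts.disable()), or
                // leaving includeSubDomains(false) so a sibling host stays downgradable.
                .httpStrictTransportSecurity(hsts -> hsts
                    .includeSubDomains(true)
                    .preload(true)
                    .maxAgeInSeconds(31_536_000))

                // Clickjacking: X-Frame-Options: DENY (the default).
                // FLAGGED: frameOptions(frame -> frame.disable()).
                .frameOptions(frame -> frame.deny())

                // MIME sniffing: X-Content-Type-Options: nosniff (the default).
                // FLAGGED: contentTypeOptions(ct -> ct.disable()).
                .contentTypeOptions(contentType -> {})

                // Content-Security-Policy is the mitigation that actually stops injected
                // script from running. Roll it out with .reportOnly() first and watch the
                // reports, then drop reportOnly() to enforce.
                .contentSecurityPolicy(csp -> csp
                    .policyDirectives("default-src 'self'; script-src 'self'; object-src 'none'; "
                                    + "base-uri 'self'; frame-ancestors 'none'"))

                // X-XSS-Protection is a legacy header: the browser filters it controlled
                // have been removed and Spring Security 6 emits "0" by default. Where a
                // baseline still requires the header, block rather than filter.
                // FLAGGED: xssProtection(xss -> xss.disable()) when your policy expects it.
                .xssProtection(xss -> xss
                    .headerValue(XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK)));
        return http.build();
    }
}
```

frame-ancestors in the CSP and X-Frame-Options say the same thing twice on purpose: modern browsers follow the CSP directive, older ones only the header.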
Spring/Web
Avoid mapping to multiple HTTP request methods | Map each handler to a single HTTP request method | java | info | Spring, framework specific, web, Spring Web, quality
Missing annotation in controller class | This class is missing a @Controller or @RestController annotation | java | error | Spring, framework specific, web, Spring Web, quality
Non-annotated controller public method | Public methods within a controller class are treated as request handlers and should therefore be annotated as such. If this method really should not be exposed as a REST endpoint, consider extracting it into a separate component and calling it from inside the controller. | java | warning | Spring, framework specific, web, Spring Web, quality
Session management: Avoid CSRF: Use narrow mapping for state-changing methods | A @RequestMapping without a method attribute maps to every HTTP method, so a state-changing handler becomes reachable by GET | java | error | Spring, security, framework specific, web, Spring Web, CSRF
Suffix Matching: UseRegisteredSuffixPatternMatch set to false to prevent suffix pattern matching | Prevent suffix pattern matching by setting useRegisteredSuffixPatternMatch to false | java | warning | Spring, security, framework specific, web, Spring Web
Suffix Matching: UseSuffixPatternMatch set to false to prevent suffix pattern matching | Prevent suffix pattern matching by setting useSuffixPatternMatch to false | java | warning | Spring, security, framework specific, web, Spring Web
Use composed requestmapping annotations | Improve readability by using Spring's composed annotations (@GetMapping, @PostMapping, ...) | java | info | Spring, framework specific, web, Spring Web, quality
Use requestMapping on public methods | @RequestMapping should not be used on non-public methods | java | warning | Spring, framework specific, web, Spring Web, quality
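The controller-mapping recipes of Spring/Web on one controller, as an added example that is not cookbook or Spring code. It assumes Spring Web MVC 6.x; the money-transfer endpoint, its request body and the in-memory service are made up. Suffix pattern matching is not shown in code: the setUseSuffixPatternMatch(false) and setUseRegisteredSuffixPatternMatch(false) calls on PathMatchConfigurer belong to Spring 5.x, where they were deprecated in 5.3 together with the move to PathPatternParser, which has no suffix matching at all.

```java
// Added example, not code from the Secure Code Warrior cookbook or from Spring.
// Assumes Spring Web MVC 6.x. Endpoint, request body and service are made up.
package example.web;

import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Without @RestController (or @Controller) the class is just a bean: no handler
// is registered and the endpoints silently do not exist.
@RestController
@RequestMapping("/accounts")
class TransferController {

    private final TransferService transfers;

    TransferController(TransferService transfers) {
        this.transfers = transfers;
    }

    // FLAGGED: @RequestMapping("/transfer") with no method also maps GET, so
    //   <img src="https://bank.example.test/accounts/transfer?to=evil&amount=100">
    // on any page performs the transfer with the victim's cookies, and the CSRF
    // filter does not protect GET. Also flagged: method = {GET, POST} on one
    // handler, and the long form @RequestMapping(path = "/transfer",
    // method = RequestMethod.POST) where the composed annotation says the same.
    @PostMapping("/transfer")
    ResponseEntity<Void> transfer(@RequestBody TransferRequest request, Principal principal) {
        transfers.execute(principal.getName(), request.to(), request.amount());
        return ResponseEntity.accepted().build();
    }

    @GetMapping("/{id}/balance")
    long balance(@PathVariable String id) {
        return transfers.balanceOf(id);
    }

    // Every public method on a controller is a candidate handler, so helper logic
    // lives in TransferService rather than as an unannotated public method here,
    // and @RequestMapping is placed only on public methods.
    record TransferRequest(String to, long amount) {}
}

@Component
class TransferService {

    // Constructed sample data standing in for a real ledger.
    private final Map<String, Long> balances = new ConcurrentHashMap<>(Map.of("alice", 500L, "bob", 100L));

    void execute(String from, String to, long amount) {
        if (amount <= 0 || balances.getOrDefault(from, 0L) < amount) {
            throw new IllegalArgumentException("invalid transfer");
        }
        balances.merge(from, -amount, Long::sum);
        balances.merge(to, amount, Long::sum);
    }

    long balanceOf(String accountId) {
        return balances.getOrDefault(accountId, 0L);
    }
}
```

Taking the source account from the authenticated Principal rather than from the request body is a separate access-control point, but it is the natural companion to the narrow mapping: a POST-only endpoint that trusts a caller-supplied "from" field is still exploitable by the caller.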
Spring/Web/Cookies
Session configuration: Cookies: Configure Secure flag | Prevent a cookie being sent over unencrypted HTTP by setting the Secure flag to true | java | error | Spring, security, framework specific, web, Spring Web, OWASP Top 10
Session configuration: Cookies: Set HttpOnly flag to true | Prevent client-side scripts from accessing the cookie by setting the HttpOnly flag to true | java | error | Spring, security, framework specific, web, Spring Web, OWASP Top 10
Session configuration: Cookies: Set Secure flag to true | Prevent a cookie being sent over unencrypted HTTP by setting the Secure flag to true | java | error | Spring, security, framework specific, web, Spring Web, OWASP Top 10
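The cookie-flag recipes of both Spring/Boot (the container's session cookie) and Spring/Web/Cookies (cookies the application creates itself), as an added example that is not cookbook or Spring code. It assumes Spring Boot 3.x with jakarta.servlet and Spring Web 6.x; the "theme" cookie and the /preferences path are made up. The ServletContextInitializer is the Java form of the application.properties settings listed in its comment.

```java
// Added example, not code from the Secure Code Warrior cookbook or from Spring.
// Assumes Spring Boot 3.x (jakarta.servlet) and Spring Web 6.x. Cookie names and
// the path are made up.
package example.cookies;

import jakarta.servlet.ServletContext;
import jakarta.servlet.SessionCookieConfig;
import jakarta.servlet.SessionTrackingMode;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

import java.time.Duration;
import java.util.EnumSet;

@Configuration
class SessionCookieHardening implements ServletContextInitializer {

    // Equivalent to application.properties:
    //   server.servlet.session.cookie.http-only=true
    //   server.servlet.session.cookie.secure=true
    //   server.servlet.session.tracking-modes=cookie
    @Override
    public void onStartup(ServletContext ctx) {
        SessionCookieConfig sessionCookie = ctx.getSessionCookieConfig();
        sessionCookie.setHttpOnly(true);   // document.cookie cannot read it, so XSS cannot steal the id
        sessionCookie.setSecure(true);     // never sent over plain http://
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));  // no ;jsessionid in URLs
    }
}

@RestController
class PreferenceController {

    // Cookies the application creates inherit none of the session-cookie settings
    // above: each flag has to be set on the cookie itself.
    // FLAGGED: response.addCookie(new Cookie("theme", theme)) with no flags.
    @PostMapping("/preferences/theme")
    void setTheme(@RequestParam String theme, HttpServletResponse response) {
        ResponseCookie cookie = ResponseCookie.from("theme", theme)
                .httpOnly(true)
                .secure(true)
                .sameSite("Lax")
                .path("/")
                .maxAge(Duration.ofDays(30))
                .build();
        response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
    }

    // The same flags through the plain servlet API, for code that cannot use
    // ResponseCookie (the servlet Cookie class has no SameSite setter).
    static Cookie hardened(String name, String value) {
        Cookie cookie = new Cookie(name, value);
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
        cookie.setPath("/");
        return cookie;
    }
}
```

Secure=true means the cookie is never sent in local plain-HTTP development either; use a local TLS certificate or a profile-specific property rather than disabling the flag in code.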
Spring/XML
Injection: XXE: Jaxb2Marshaller#setProcessExternalEntities set to true | Prevent XXE by keeping the processing of external entities disabled | java | error | Spring, security, XXE, framework specific, Spring XML, OWASP Top 10
Injection: XXE: Jaxb2Marshaller#setSupportDtd set to true | Prevent XXE by keeping DTDs disabled | java | error | Spring, security, XXE, framework specific, Spring XML, OWASP Top 10
Injection: XXE: Jaxb2RootElementHttpMessageConverter#setProcessExternalEntities set to true | Prevent XXE by keeping the processing of external entities disabled | java | error | Spring, security, XXE, framework specific, Spring XML, OWASP Top 10
Injection: XXE: Jaxb2RootElementHttpMessageConverter#setSupportDtd set to true | Prevent XXE by keeping DTDs disabled | java | error | Spring, security, XXE, framework specific, Spring XML, OWASP Top 10
Injection: XXE: SourceHttpMessageConverter#setProcessExternalEntities set to true | Prevent XXE by keeping the processing of external entities disabled | java | error | Spring, security, XXE, framework specific, Spring XML, OWASP Top 10
Injection: XXE: SourceHttpMessageConverter#setSupportDtd set to true | Prevent XXE by keeping DTDs disabled | java | error | Spring, security, XXE, framework specific, Spring XML, OWASP Top 10
Input Validation: Avoid XXE: Use automatically protected source types | Could lead to XXE | java | error | Spring, security, XXE, framework specific, Spring XML, OWASP Top 10
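The Jaxb2Marshaller and message-converter recipes, with a self-check that feeds a constructed XXE probe to the hardened marshaller, as an added example that is not cookbook or Spring code. It assumes Spring Web MVC 6.x, spring-oxm and a Jakarta XML Binding runtime on the classpath; the Note type and the payload are made up, and the payload's file path is only a classic probe target, nothing is read from it.

```java
// Added example, not code from the Secure Code Warrior cookbook or from Spring.
// Assumes Spring Web MVC 6.x, spring-oxm and a jakarta.xml.bind runtime.
// The Note type and the XXE probe below are constructed for this example.
package example.xml;

import jakarta.xml.bind.annotation.XmlAccessType;
import jakarta.xml.bind.annotation.XmlAccessorType;
import jakarta.xml.bind.annotation.XmlRootElement;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.converter.xml.Jaxb2RootElementHttpMessageConverter;
import org.springframework.http.converter.xml.SourceHttpMessageConverter;
import org.springframework.oxm.XmlMappingException;
import org.springframework.oxm.jaxb.Jaxb2Marshaller;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.util.List;

@Configuration
public class XmlHardeningConfig implements WebMvcConfigurer {

    @XmlRootElement(name = "note")
    @XmlAccessorType(XmlAccessType.FIELD)
    public static class Note {
        public String body;
    }

    // Spring ships all three classes with DTDs and external entities disabled. The
    // recipes fire on code that switches them back on, usually to accept a feed that
    // carries a DOCTYPE. Setting them to false here makes the decision visible.
    @Bean
    Jaxb2Marshaller jaxb2Marshaller() {
        Jaxb2Marshaller marshaller = new Jaxb2Marshaller();
        marshaller.setClassesToBeBound(Note.class);
        marshaller.setSupportDtd(false);                // FLAGGED if true: <!DOCTYPE ...> is accepted
        marshaller.setProcessExternalEntities(false);   // FLAGGED if true: &xxe; is resolved to a file or URL
        return marshaller;
    }

    // The converters Spring MVC uses for @RequestBody XML get the same treatment.
    @Override
    public void extendMessageConverters(List<HttpMessageConverter<?>> converters) {
        for (HttpMessageConverter<?> converter : converters) {
            if (converter instanceof Jaxb2RootElementHttpMessageConverter jaxb) {
                jaxb.setSupportDtd(false);
                jaxb.setProcessExternalEntities(false);
            } else if (converter instanceof SourceHttpMessageConverter<?> source) {
                source.setSupportDtd(false);
                source.setProcessExternalEntities(false);
            }
        }
    }

    // Constructed XXE probe: a DOCTYPE declaring an external entity that points at a file.
    static final String XXE_PROBE =
            "<?xml version=\"1.0\"?>"
          + "<!DOCTYPE note [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>"
          + "<note><body>&xxe;</body></note>";

    // Returns true when the marshaller refuses the document. With supportDtd=false the
    // underlying parser has disallow-doctype-decl enabled and Spring surfaces the
    // parse failure as an UnmarshallingFailureException (an XmlMappingException).
    static boolean rejectsDoctype(Jaxb2Marshaller marshaller) {
        try {
            marshaller.unmarshal(new StreamSource(new StringReader(XXE_PROBE)));
            return false;
        } catch (XmlMappingException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        Jaxb2Marshaller marshaller = new XmlHardeningConfig().jaxb2Marshaller();
        marshaller.afterPropertiesSet();   // builds the JAXBContext outside a Spring container
        System.out.println("hardened marshaller rejects DOCTYPE: " + rejectsDoctype(marshaller));
    }
}
```

If an endpoint genuinely has to accept a DOCTYPE, give it a dedicated converter limited to that one mapping and keep processExternalEntities false there as well; supportDtd alone does not re-enable entity resolution.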