Sensei Hub

Recipes

Access Control: MvcRequestMatcher is more secure than AntPathRequestMatcher for Spring MVC patterns

When using Spring MVC, it's recommended to use MvcRequestMatcher, as it protects the paths that Spring annotations will match on, instead of only the one provided.

  • warning
  • java
  • Spring
  • security
  • Spring MVC
  • Spring Security
  • access control
Android WebView best practices: Disable Content Access

Enabling content access in the webview could lead to misuse

  • error
  • java
  • security
  • framework specific
  • Android
  • mobile
  • Android security set
Android WebView best practices: Disable Content Access (setter)

Enabling content access in the webview could lead to misuse

  • error
  • java
  • security
  • framework specific
  • Android
  • mobile
  • Android security set
Android WebView best practices: Insecure mixed content mode

Insecure content may be allowed to be loaded by a secure origin

  • error
  • java
  • security
  • framework specific
  • Android
  • mobile
  • Android security set
Android WebView best practices: Insecure settings

Enabling this WebView setting has security implications

  • warning
  • java
  • security
  • framework specific
  • Android
  • mobile
  • Android security set
Android WebView best practices: Set mixed content mode

WebView setting with security implications

  • error
  • java
  • security
  • framework specific
  • Android
  • mobile
  • Android security set
Authentication: Username Enumeration: avoid UsernameNotFoundException

Avoid throwing a UsernameNotFoundException as it could lead to username enumeration

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • OWASP Top 10
Authentication: Username Enumeration: setHideUserNotFoundExceptions should be set to true

Prevent enumeration by not throwing an exception that reveals the existence of the username

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • OWASP Top 10
Automatic region detection by AWS

AWS can automatically detect the region from the environment

  • marked_information
  • java
  • framework specific
  • AWS
  • quality
Avoid hardcoded secrets

Secrets should not be stored in code

  • error
  • java
  • security
  • framework specific
  • AWS
Avoid hardcoded secrets when using password encoders

Using password encoders in combination with hardcoded secrets is security sensitive

  • error
  • java
  • Spring
  • security
  • framework specific
  • Spring Security
Avoid hardcoded secrets when using the Encryptors class

Using the Encryptors class in combination with hardcoded secrets is security sensitive

  • error
  • java
  • Spring
  • security
  • framework specific
  • Spring Security
Avoid mapping to multiple HTTP request methods

As a best practice, map each handler to a single HTTP request method

  • info
  • java
  • Spring
  • framework specific
  • web
  • Spring Web
  • quality
Code Injection: ExifInterface can lead to DoS or RCE

This text will be shown as a tooltip when code violates this recipe

  • error
  • java
  • security
  • framework specific
  • mobile
  • Android
Code Injection: Prevent use of CreatePackageContext

Do not use createPackageContext to dynamically load code

  • warning
  • java
  • security
  • framework specific
  • mobile
  • Android
Code Injection: Prevent use of DexClassLoader

Do not use DexClassLoader to dynamically load code

  • error
  • java
  • security
  • framework specific
  • mobile
  • Android
Code quality: Do not add @Scope("singleton") on a Spring (rest)controller, service or repository

Adding @Scope("singleton") is redundant

  • info
  • java
  • web
  • framework specific
  • Spring Boot
  • Spring
  • quality
Collections: Do not expose internal Lists

Do not expose an internal List as it is mutable. Return a copy or immutable view.

  • marked_information
  • java
  • security
  • Java basic
  • quality
Collections: Do not expose internal Sets

Do not expose an internal Set as it is mutable. Return a copy or immutable view.

  • marked_information
  • java
  • security
  • Java basic
  • quality
Command Injection: Untrusted data in ProcessBuilder command

This call to ProcessBuilder#command contains untrusted input. Consider sanitizing the untrusted input.

  • error
  • java
  • security
  • Java basic
  • injection
Command Injection: Untrusted data in ProcessBuilder command - Add

This call to ProcessBuilder#command contains untrusted input. Consider sanitizing the untrusted input.

  • error
  • java
  • security
  • Java basic
  • injection
Configuration - User Interface: Avoid Tapjacking: Add filterTouchesWhenObscured

Not setting filterTouchesWhenObscured to true allows adversaries to hijack users' taps.

  • warning
  • xml
  • security
  • framework specific
  • mobile
  • Android
Configuration - User Interface: Avoid Tapjacking: Enable filterTouchesWhenObscured

Setting filterTouchesWhenObscured to false allows adversaries to hijack users' taps.

  • warning
  • xml
  • security
  • mobile
  • framework specific
  • Android
Create private constructor for utility class (all fields/methods are static)

This utility class only contains static fields and methods. Consider protecting against accidental instantiation.

  • info
  • java
  • Java basic
  • quality
Crypto: Cipher: Insecure Asymmetric Cryptographic Algorithm

This cryptographic algorithm is not recommended

  • error
  • java
  • security
  • basic protection set