1-25 of 79

Authentication: Username Enumeration: avoid UsernameNotFoundException

Avoid throwing a UsernameNotFoundException as it could lead to username enumeration

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • OWASP Top 10
Authentication: Username Enumeration: setHideUserNotFoundExceptions should be set to true

Prevent enumeration by not throwing an exception that reveals the existence of the username

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • OWASP Top 10
Avoid mapping to multiple HTTP request methods

Map to one HTTP request method for best practices

  • info
  • java
  • Spring
  • framework specific
  • web
  • Spring Web
  • quality
Code quality: Do not add @Scope("singleton") on a Spring (rest)controller, service or repository

Adding @Scope("singleton") is redundant

  • info
  • java
  • web
  • framework specific
  • Spring Boot
  • Spring
  • quality
CSRF: Disabled CSRF protection (AbstractHttpConfigurer)

Disabling Spring Security's CSRF protection makes the application vulnerable

  • error
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • CSRF
  • OWASP Top 10
CSRF: Disabled CSRF protection (HttpSecurity)

Disabling Spring Security's CSRF protection makes the application vulnerable

  • error
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • CSRF
  • OWASP Top 10
Email: Disabled SSL on Connect

When sending an email, SSL has been disabled on connection

  • error
  • java
  • security
  • Apache Commons
  • web
  • email
  • OWASP Top 10
Email: Disabled SSL Server Identity check

When sending an email, setSSLCheckServerIdentity has been set to false

  • error
  • java
  • security
  • Apache Commons
  • web
  • email
  • OWASP Top 10
Missing annotation in controller class

This class is missing a @Controller or @RestController annotation

  • error
  • java
  • Spring
  • framework specific
  • web
  • Spring Web
  • quality
Non-annotated controller public method

Public methods within a controller class are treated as request handlers and should therefore be annotated as such. If you really believe this method should not be exposed as a REST endpoint, consider extracting it into an external Component class and calling it from inside this controller.

  • warning
  • java
  • Spring
  • framework specific
  • web
  • Spring Web
  • quality
Protect against Session Fixation attacks

Spring Security's default protection against Session Fixation is disabled, which means an attacker could hijack a valid user session

  • warning
  • java
  • Spring
  • security
  • framework specific
  • Spring Security
  • web
Secure Transport: use RequiresSecure to enforce HTTPS

Serve requests over HTTPS instead of unencrypted HTTP

  • error
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • OWASP Top 10
Secure Transport: use RequiresSecure to enforce HTTPS on all paths

Enforce HTTPS on all requests, not just on a selected number

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • OWASP Top 10
Security Misconfiguration: Clickjacking protection: Disabled Header - frameOptions()

Disabling Spring Security's default headers makes the application vulnerable to clickjacking

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • Clickjacking
  • OWASP Top 10
Security Misconfiguration: Content sniffing protection

Prevent MIME sniffing by disabling contentTypeOptions

  • error
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • OWASP Top 10
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowCredentials

Allowing credentials makes the application more vulnerable

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowedHeaders

Allowing all headers makes the application vulnerable

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowedMethods

Allowing unsafe methods puts the application at risk

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowedOrigins

Allowing all origins makes the application vulnerable to scripts from any domain

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#exposedHeaders

Exposing all headers makes the application vulnerable

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#maxAge

A value over 30 minutes is considered prolonged and likely to reduce security

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin

Avoid enabling CORS, or configure it as strictly as possible

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - allowCredentials

Allowing credentials makes the application more vulnerable

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - allowedHeaders

Allowing all headers makes the application vulnerable

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - exposedHeaders

Exposing all headers makes the application vulnerable

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security