Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - allowedHeaders
Allowing all request headers (allowedHeaders = "*") lets any permitted origin send arbitrary headers; list only the headers the endpoint needs
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - exposedHeaders
Exposing all response headers (exposedHeaders = "*") lets cross-origin scripts read every header the application returns; expose only the ones they need
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - maxAge
A preflight cache lifetime (maxAge) over 30 minutes is considered prolonged: browsers keep honouring the old CORS answer that long after the policy is tightened
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - methods
Allowing unsafe, state-changing methods (PUT, DELETE, PATCH, or every method) from other origins puts the application at risk; list only the methods the endpoint serves
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - origins
Allowing all origins (origins = "*") lets scripts from any domain call the endpoint; name the trusted origins instead
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
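The five @CrossOrigin rules above, as an added example that is not part of the original rule catalog: a Spring MVC controller with one annotation that trips every rule next to a narrowed one. The package, class, endpoint paths and the origin https://shop.example.com are illustrative assumptions.

```java
// Added example (not from the page): the broad @CrossOrigin settings the rules
// flag, next to a narrowed configuration. Names and paths are assumptions.
package com.example.cors;

import java.util.List;
import java.util.Map;

import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api/orders")
public class OrderController {

    // NON-COMPLIANT: all five rules fire on this one annotation.
    // origins "*"        -> any site's script may call the endpoint
    // allowedHeaders "*" -> it may send arbitrary request headers
    // exposedHeaders "*" -> it may read every response header
    // methods            -> state-changing methods are allowed cross-origin
    // maxAge 86400       -> the permissive preflight answer is cached for a day,
    //                       so tightening the policy takes a day to reach clients
    @CrossOrigin(
        origins = "*",
        allowedHeaders = "*",
        exposedHeaders = "*",
        methods = {RequestMethod.GET, RequestMethod.POST, RequestMethod.PUT,
                   RequestMethod.DELETE, RequestMethod.PATCH},
        maxAge = 86400)
    @PostMapping("/broad")
    public Map<String, Object> createBroad(@RequestBody Map<String, Object> order) {
        return Map.of("status", "created", "order", order);
    }

    // COMPLIANT: one trusted origin, only the headers this endpoint reads or
    // returns, only the method it serves, and a preflight cache at the
    // 30-minute threshold the maxAge rule uses (1800 seconds).
    @CrossOrigin(
        origins = "https://shop.example.com",
        allowedHeaders = {"Content-Type", "Authorization"},
        exposedHeaders = {"X-Request-Id"},
        methods = RequestMethod.POST,
        maxAge = 1800)
    @PostMapping
    public Map<String, Object> create(@RequestBody Map<String, Object> order) {
        return Map.of("status", "created", "order", order);
    }

    // No @CrossOrigin at all: a read-only endpoint that is only called from the
    // application's own origin needs no CORS relaxation.
    @GetMapping
    public List<String> list() {
        return List.of("order-1", "order-2");
    }
}
```

Per-endpoint annotations are easy to audit but drift apart over time; if many controllers need the same policy, a single CorsConfigurationSource bean registered with Spring Security's cors() support keeps the allowed origins, headers and methods in one place.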
Security Misconfiguration: Disabled Headers
Disabling Spring Security's default headers (headers().disable()) removes Cache-Control, X-Content-Type-Options, Strict-Transport-Security, X-Frame-Options and X-XSS-Protection at once; customise the individual header that needs changing instead
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
Security Misconfiguration: EnableWebSecurity with Debug enabled
The debug parameter on @EnableWebSecurity should not be hardcoded to true: it logs the full filter chain and security decisions for every request, including data that must not reach production logs
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
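The two rules above (disabled default headers, hardcoded debug), as an added example that is not from the original catalog. It assumes Spring Security 5.7 or later with the lambda DSL and an illustrative class name.

```java
// Added example (not from the page): keep Spring Security's default response
// headers and do not hardcode debug = true. Spring Security 5.7+/6.x lambda
// DSL is assumed; the class name is an assumption.
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// NON-COMPLIANT (flagged): every request's filter chain and decisions are
// logged wherever this class is deployed, production included.
// @EnableWebSecurity(debug = true)
@Configuration
@EnableWebSecurity   // debug defaults to false; leave it there in shipped code
public class HeadersConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            // NON-COMPLIANT (flagged): drops Cache-Control, X-Content-Type-Options,
            // Strict-Transport-Security, X-Frame-Options and X-XSS-Protection at once.
            // .headers(headers -> headers.disable())
            //
            // COMPLIANT: keep the defaults and adjust only the header that needs it,
            // here allowing same-origin framing instead of X-Frame-Options: DENY.
            .headers(headers -> headers
                .frameOptions(frame -> frame.sameOrigin()));
        return http.build();
    }
}
```

The debug attribute must be a compile-time constant, so it cannot be read from a property. When the filter-chain trace is needed for troubleshooting, put @EnableWebSecurity(debug = true) on a separate configuration class gated by a development-only @Profile, or raise the logging level of the org.springframework.security logger for that environment instead of changing code.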
Security Misconfiguration: Prevent session from being included in the URL
Do not use URL parameters (such as ;jsessionid=...) for session tracking: a session ID in the URL leaks through logs, browser history, bookmarks and the Referer header; track sessions with the cookie only
- warning
- java
- Spring
- security
- framework specific
- Spring Security
- web
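The rule above, as an added example that is not from the original catalog: cookie-only session tracking enforced at both the servlet container and Spring Security levels. It assumes Spring Boot 3 with an embedded servlet container (hence the jakarta.servlet package; Boot 2 uses javax.servlet) and Spring Security 5.7+; the class name is an assumption.

```java
// Added example (not from the page): forbid ";jsessionid=..." URL rewriting so
// the session ID only ever travels in the cookie. Spring Boot 3 / Spring
// Security 6 are assumed; the class name is an assumption.
package com.example.security;

import java.util.EnumSet;

import jakarta.servlet.SessionTrackingMode;

import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SessionTrackingConfig {

    // Servlet-container level: the container will neither read a session ID
    // from the URL nor append one when encoding URLs. The equivalent Spring
    // Boot property is server.servlet.session.tracking-modes=cookie
    @Bean
    ServletContextInitializer cookieOnlySessions() {
        return servletContext ->
            servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .sessionManagement(session -> session
                // NON-COMPLIANT (flagged): lets Spring Security's response wrapper
                // add the session ID to URLs it encodes.
                // .enableSessionUrlRewriting(true)
                .enableSessionUrlRewriting(false));   // the default, stated explicitly
        return http.build();
    }
}
```

Both settings are needed for defence in depth: Spring Security's flag only governs its own response wrapper, while the container setting covers every call to HttpServletResponse.encodeURL() made by the application or its templates.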
Security Misconfiguration: StrictHttpFirewall: Avoid DefaultHttpFirewall (instance creation)
DefaultHttpFirewall is far more permissive than StrictHttpFirewall, Spring Security's default; creating an instance replaces the stricter request checks
- warning
- java
- Spring
- security
- framework specific
- Spring Security
- web
Security Misconfiguration: StrictHttpFirewall: Avoid DefaultHttpFirewall (method return type)
DefaultHttpFirewall is far more permissive than StrictHttpFirewall, Spring Security's default; a method that returns it replaces the stricter request checks
- warning
- java
- kotlin
- Spring
- security
- framework specific
- Spring Security
- web
Security Misconfiguration: StrictHttpFirewall: Rule configuration: HTTP method validation
Allowing only an explicit set of HTTP methods is more secure than accepting any method (setUnsafeAllowAnyHttpMethod(true))
- warning
- java
- Spring
- security
- framework specific
- Spring Security
- web
Security Misconfiguration: StrictHttpFirewall: Rule configuration: Reject semicolon
Rejecting semicolons in the URL (path parameters such as ;jsessionid=) is more secure, as they can be used to bypass path-based authorization rules
- warning
- java
- Spring
- security
- framework specific
- Spring Security
- web
Security Misconfiguration: StrictHttpFirewall: Rule configuration: Reject (URL encoded) backslash
Rejecting a backslash, raw or URL encoded (%5c), is more secure, as some containers treat it as a path separator
- warning
- java
- Spring
- security
- framework specific
- Spring Security
- web
Security Misconfiguration: StrictHttpFirewall: Rule configuration: Reject URL encoded double slash
Rejecting a URL encoded double slash (%2f%2f) in the URL is more secure, as it is decoded into a separator sequence the path matchers never saw
- warning
- java
- Spring
- security
- framework specific
- Spring Security
- web
Security Misconfiguration: StrictHttpFirewall: Rule configuration: Reject (URL encoded) null
Rejecting a null character, raw or URL encoded (%00), is more secure, as it can truncate paths in lower layers
- warning
- java
- Spring
- security
- framework specific
- Spring Security
- web
Security Misconfiguration: StrictHttpFirewall: Rule configuration: Reject URL encoded percent
Rejecting a URL encoded percent (%25, i.e. double encoding) in the URL is more secure
- warning
- java
- Spring
- security
- framework specific
- Spring Security
- web
Security Misconfiguration: StrictHttpFirewall: Rule configuration: Reject URL encoded period
Rejecting a URL encoded period (%2e, as in %2e%2e/ traversal) is more secure
- warning
- java
- Spring
- security
- framework specific
- Spring Security
- web
Security Misconfiguration: StrictHttpFirewall: Rule configuration: Reject URL encoded slash
Rejecting a URL encoded slash (%2f) is more secure, as it lets a single path segment contain a separator after decoding
- warning
- java
- Spring
- security
- framework specific
- Spring Security
- web
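The StrictHttpFirewall group above (the two DefaultHttpFirewall rules and the eight rule-configuration rules), as an added example that is not from the original catalog: a firewall bean that sets each rule explicitly, beside the flagged DefaultHttpFirewall pattern. It assumes Spring Security 5.7 or later; the class name and the method allow-list are assumptions.

```java
// Added example (not from the page): an explicitly configured StrictHttpFirewall
// covering each rule in this group, next to the flagged DefaultHttpFirewall.
// Spring Security 5.7+/6.x is assumed; names are assumptions.
package com.example.security;

import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.firewall.DefaultHttpFirewall;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@Configuration
public class FirewallConfig {

    // NON-COMPLIANT (both DefaultHttpFirewall rules fire): the instantiation and
    // the return type. DefaultHttpFirewall normalises a few path tricks instead
    // of rejecting them, which is why the strict one is the default.
    // DefaultHttpFirewall permissiveFirewall() { return new DefaultHttpFirewall(); }

    // COMPLIANT: every rule in this group set explicitly. All of these values are
    // already the StrictHttpFirewall defaults; writing them down documents the
    // decision and makes a later "allow" flip show up in review.
    @Bean
    HttpFirewall strictFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        // HTTP method validation: an explicit allow-list of what the application
        // serves, instead of setUnsafeAllowAnyHttpMethod(true).
        firewall.setAllowedHttpMethods(Set.of("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"));
        firewall.setAllowSemicolon(false);             // ";jsessionid=" and other path parameters
        firewall.setAllowBackSlash(false);             // "\" and "%5c"
        firewall.setAllowUrlEncodedDoubleSlash(false); // "%2f%2f"
        firewall.setAllowNull(false);                  // "\0" and "%00"
        firewall.setAllowUrlEncodedPercent(false);     // "%25", i.e. double encoding
        firewall.setAllowUrlEncodedPeriod(false);      // "%2e", e.g. "%2e%2e/" traversal
        firewall.setAllowUrlEncodedSlash(false);       // "%2f" inside a path segment
        return firewall;
    }

    // Register it with the FilterChainProxy so every request is checked before
    // any authorization rule runs. Recent versions pick up an HttpFirewall bean
    // on their own; the explicit registration is kept for older ones.
    @Bean
    WebSecurityCustomizer firewallCustomizer(HttpFirewall strictFirewall) {
        return web -> web.httpFirewall(strictFirewall);
    }
}
```

A rejected request surfaces as a RequestRejectedException before the filter chain runs; if a legitimate client really needs one of these characters (for example an encoded slash inside an identifier), relax exactly that one setter and move the identifier to a query parameter or request body where possible, rather than swapping in DefaultHttpFirewall.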
Security Misconfiguration: XSS protection: Disabled Header - block()
If X-XSS-Protection is sent, have the browser block the page (1; mode=block) rather than try to filter the content: block(false) leaves the header at 1
- warning
- java
- Spring
- security
- framework specific
- Spring Security
- web
- XSS
- OWASP Top 10
Security Misconfiguration: XSS protection: Disabled Header - disable()
Do not remove Spring Security's built-in XSS protection header with disable()
- warning
- java
- Spring
- security
- framework specific
- Spring Security
- web
- XSS
- OWASP Top 10
Security Misconfiguration: XSS protection: Disabled Header - xssProtectionEnabled()
Do not turn Spring Security's built-in XSS protection header off with xssProtectionEnabled(false)
- warning
- java
- Spring
- security
- framework specific
- Spring Security
- web
- XSS
- OWASP Top 10
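The three X-XSS-Protection rules above (block(), disable(), xssProtectionEnabled()), as an added example that is not from the original catalog. It assumes the Spring Security 5.x lambda DSL, where block() and xssProtectionEnabled() are the methods the rules name; the class name and the policy string are assumptions.

```java
// Added example (not from the page): the three flagged ways of weakening the
// X-XSS-Protection header next to the compliant setting, plus the control that
// current browsers actually enforce. Spring Security 5.7+ lambda DSL is assumed.
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class XssHeaderConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            .headers(headers -> headers
                // NON-COMPLIANT variants, one per rule above:
                // .xssProtection(xss -> xss.disable())                   // header not sent
                // .xssProtection(xss -> xss.xssProtectionEnabled(false)) // "X-XSS-Protection: 0"
                // .xssProtection(xss -> xss.block(false))                // "1": filter, do not block
                //
                // COMPLIANT for these rules: "X-XSS-Protection: 1; mode=block"
                .xssProtection(xss -> xss.block(true))
                // The control modern browsers honour: a Content Security Policy
                // (policy string is an illustrative assumption).
                .contentSecurityPolicy(csp -> csp
                    .policyDirectives("default-src 'self'; object-src 'none'; frame-ancestors 'none'")));
        return http.build();
    }
}
```

Caveat: the X-XSS-Protection header drives a legacy browser filter that Chrome removed in 2019 and Firefox never implemented, so keeping it at 1; mode=block satisfies these rules but does not protect current browsers; the Content-Security-Policy line is the part that does. Spring Security 5.8 deprecated block() and xssProtectionEnabled() in favour of headerValue(XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK), and Spring Security 6 no longer sends 1; mode=block by default, so check which default your version applies.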
Session Configuration: Invalidate the HttpSession after logout
Invalidate the HttpSession on logout (invalidateHttpSession(true)) so the old session ID and its attributes cannot be reused
- warning
- java
- Spring
- security
- framework specific
- Spring Security
- web
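The rule above, as an added example that is not from the original catalog: a logout configuration that invalidates the session, clears the security context and removes the session cookie. It assumes Spring Security 6 (requestMatchers() replaced antMatchers() there); paths and the class name are assumptions.

```java
// Added example (not from the page): logout that invalidates the HttpSession.
// Spring Security 6 lambda DSL is assumed; paths and class name are assumptions.
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class LogoutConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/logged-out").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .logout(logout -> logout
                .logoutUrl("/logout")
                // NON-COMPLIANT (flagged): the session object and its attributes
                // survive logout, so a captured JSESSIONID stays usable.
                // .invalidateHttpSession(false)
                .invalidateHttpSession(true)     // the default, stated explicitly
                .clearAuthentication(true)       // drop the SecurityContext
                .deleteCookies("JSESSIONID")     // tell the browser to forget the ID
                .logoutSuccessUrl("/logged-out"));
        return http.build();
    }
}
```

With CSRF protection left enabled (the default), /logout only accepts POST, so the logout form must carry the CSRF token; a plain GET link will not log the user out. Invalidation ends the server-side session, but a session ID that was already stolen is still usable until that happens, which is why the session should also be rotated at login (Spring Security's default session fixation protection does this).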
Spring recommendation: @(Rest)Controller, @Service, @Repository should be singletons
Classes annotated with @(Rest)Controller, @Service, @Repository should have a singleton scope
- warning
- java
- web
- framework specific
- Spring Boot
- Spring
- quality
Storage best practices: deprecated operating mode
This operating mode has been deprecated
- warning
- java
- security
- framework specific
- mobile
- Android
String.format return value being ignored
A call to String.format is made without using its return value; String.format has no side effects, so the formatted string is simply discarded
- warning
- java
- Java basic
- quality