Input Validation: Avoid XXE: Use automatically protected source types
Could lead to XXE
- error
- java
- Spring
- security
- XXE
- framework specific
- Spring XML
- OWASP Top 10
MongoDB: _id NoSQL Injection
Do not build $where filters by concatenating untrusted input into the JavaScript expression
- error
- java
- security
- NoSQL
- framework specific
- MongoDB
- injection
- OWASP Top 10
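The _id lookup described by the rule above, as an added example that is not part of the original catalog. It assumes the MongoDB Java sync driver (Filters, ObjectId) and a hypothetical, already-opened collection named users; the vulnerable and fixed filter builders sit side by side.

```java
import com.mongodb.client.MongoCollection;
import com.mongodb.client.model.Filters;
import org.bson.Document;
import org.bson.conversions.Bson;
import org.bson.types.ObjectId;

// Added example (assumes mongodb-driver-sync on the classpath; `users` is a hypothetical collection).
public class UserLookup {

    // Vulnerable: the untrusted id is spliced into a server-side JavaScript $where expression.
    // An id such as   ' || true || '   turns the predicate into
    //   this._id == '' || true || ''
    // which is true for every document, so the filter matches the whole collection.
    static Bson byIdUnsafe(String id) {
        return Filters.where("this._id == '" + id + "'");
    }

    // Fixed: parse the id into an ObjectId and use an equality filter.
    // The value is bound as BSON data, never evaluated as code, and malformed ids
    // (wrong length, non-hex characters) are rejected before reaching the database.
    static Bson byIdSafe(String id) {
        if (!ObjectId.isValid(id)) {
            throw new IllegalArgumentException("not a valid ObjectId");
        }
        return Filters.eq("_id", new ObjectId(id));
    }

    // Typical caller: look up one user by the id taken from a request parameter.
    static Document findUser(MongoCollection<Document> users, String untrustedId) {
        return users.find(byIdSafe(untrustedId)).first();
    }
}
```

If the collection stores string ids rather than ObjectIds, Filters.eq("_id", id) with the raw string is equally safe: the driver encodes it as a BSON string, so no characters in it can alter the query. Only $where (and similar JavaScript evaluation) gives concatenated input a chance to run.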
Regex Injection
Use Pattern#quote to include untrusted input in regexes.
- error
- java
- security
- SEI CERT
- Java basic
- injection
- OWASP Top 10
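A search routine illustrating the Pattern#quote rule above, as an added example rather than code from the original catalog. It uses only the JDK; the record list is constructed sample data.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example: filtering records by a user-supplied search term.
public class SafeSearch {

    // Vulnerable: the term is compiled as regex syntax.
    //   "|"         -> an empty alternative matches every record (data exposure)
    //   "(x+x+)+y"  -> catastrophic backtracking on long inputs (CPU denial of service)
    static List<String> searchUnsafe(List<String> records, String term) {
        Pattern p = Pattern.compile(term);
        List<String> hits = new ArrayList<>();
        for (String r : records) {
            if (p.matcher(r).find()) {
                hits.add(r);
            }
        }
        return hits;
    }

    // Fixed: Pattern.quote wraps the term in \Q...\E so every character is literal.
    // It also handles a term that itself contains \E, so the quoting cannot be closed early.
    static List<String> searchSafe(List<String> records, String term) {
        Pattern p = Pattern.compile(Pattern.quote(term), Pattern.CASE_INSENSITIVE);
        List<String> hits = new ArrayList<>();
        for (String r : records) {
            if (p.matcher(r).find()) {
                hits.add(r);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        List<String> records = List.of("alice@example.com", "bob@example.com", "carol@example.org");

        System.out.println(searchUnsafe(records, "|"));      // all three records: empty alternative
        System.out.println(searchSafe(records, "|"));        // none: a literal '|' appears nowhere
        System.out.println(searchSafe(records, ".org"));     // carol only: '.' is literal here
        System.out.println(searchSafe(records, "a\\Eb"));    // none, and no PatternSyntaxException
    }
}
```

When the application genuinely needs user-controlled wildcards, map a restricted syntax (for instance only '*') onto quoted fragments joined with ".*" rather than passing the raw term to Pattern.compile.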
Secure Transport: use RequiresSecure to enforce HTTPS
Serve requests over HTTPS instead of unencrypted HTTP
- error
- java
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
Secure Transport: use RequiresSecure to enforce HTTPS on all paths
Enforce HTTPS on all requests, not just on a selected subset of paths
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
Security Misconfiguration: Clickjacking protection: Disabled Header - frameOptions()
Disabling Spring Security's default headers makes the application vulnerable to clickjacking
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
- Clickjacking
- OWASP Top 10
Security Misconfiguration: Content sniffing protection
Do not disable contentTypeOptions; the X-Content-Type-Options: nosniff header it sets prevents browsers from MIME-sniffing responses
- error
- java
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
Security Misconfiguration: Disabled Headers
Disabling Spring Security's default headers makes the application vulnerable
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
Security Misconfiguration: Disabled Security Settings: CookieCsrfTokenRepository#withHttpOnlyFalse
Do not call withHttpOnlyFalse(): keep HttpOnly on the CSRF token cookie so client-side scripts cannot read the token, or drop the custom repository and use the default
- error
- java
- Spring
- security
- framework specific
- web
- Spring Security
- CSRF
- OWASP Top 10
Security Misconfiguration: Disable Security Features - HSTS
Do not disable HSTS; the Strict-Transport-Security header keeps browsers from falling back to unencrypted HTTP
- error
- java
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
Security Misconfiguration: EnableWebSecurity with Debug enabled
The debug parameter on EnableWebSecurity should not be hardcoded to true
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
Security Misconfiguration: HSTS - includeSubDomains
Set includeSubDomains so the HSTS policy also covers subdomains
- error
- java
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
Security Misconfiguration: XSS protection: Add CSP header - xssProtection
Add a CSP header for additional protection against XSS and data injection
- info
- java
- Spring
- security
- framework specific
- Spring Security
- web
- XSS
- OWASP Top 10
Security Misconfiguration: XSS protection: Add CSP header - XXssConfig
Add a CSP header for additional protection against XSS and data injection
- info
- java
- Spring
- security
- framework specific
- Spring Security
- web
- XSS
- OWASP Top 10
Security Misconfiguration: XSS protection: Disabled Header - block()
Protection against XSS is better done by blocking the content instead of filtering it
- warning
- java
- Spring
- security
- framework specific
- Spring Security
- web
- XSS
- OWASP Top 10
Security Misconfiguration: XSS protection: Disabled Header - disable()
Do not disable Spring Security's built-in XSS protection
- warning
- java
- Spring
- security
- framework specific
- Spring Security
- web
- XSS
- OWASP Top 10
Security Misconfiguration: XSS protection: Disabled Header - xssProtectionEnabled()
Do not disable Spring Security's built-in XSS protection
- warning
- java
- Spring
- security
- framework specific
- Spring Security
- web
- XSS
- OWASP Top 10
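One Spring Security configuration that satisfies the Secure Transport, Clickjacking, Content sniffing, Disabled Headers, CookieCsrfTokenRepository, HSTS, EnableWebSecurity debug, CSP and XSS protection rules listed above, as an added example that is not code from the original catalog. It assumes Spring Security 5.4 or later with the lambda DSL (the XXssConfig methods the rules name, block() and xssProtectionEnabled(), exist there; newer releases replace them with headerValue(...)). The flagged forms appear as comments beside the corrected calls.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Added example (assumes Spring Security 5.4+, lambda DSL).
@Configuration
@EnableWebSecurity // flagged: @EnableWebSecurity(debug = true) writes filter-chain details to the log
public class HardenedWebSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Secure Transport: require HTTPS on every path, not a selected subset.
            // flagged: ch.antMatchers("/login").requiresSecure()
            .requiresChannel(ch -> ch.anyRequest().requiresSecure())

            // CSRF token cookie keeps HttpOnly (true by default).
            // flagged: csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .csrf(csrf -> csrf.csrfTokenRepository(new CookieCsrfTokenRepository()))

            .headers(headers -> headers
                // flagged: headers.disable()  (drops every default header at once)

                // Clickjacking: X-Frame-Options: DENY
                // flagged: headers.frameOptions().disable()
                .frameOptions(frame -> frame.deny())

                // Content sniffing: X-Content-Type-Options: nosniff
                // flagged: headers.contentTypeOptions().disable()
                .contentTypeOptions(Customizer.withDefaults())

                // HSTS with subdomains, one year max-age
                // flagged: headers.httpStrictTransportSecurity().disable()
                // flagged: hsts.includeSubDomains(false)
                .httpStrictTransportSecurity(hsts -> hsts
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000))

                // Legacy X-XSS-Protection: 1; mode=block
                // flagged: headers.xssProtection().disable()
                // flagged: xss.block(false) / xss.xssProtectionEnabled(false)
                .xssProtection(xss -> xss.block(true))

                // CSP is the primary XSS defence; X-XSS-Protection is only a legacy fallback.
                .contentSecurityPolicy(csp -> csp.policyDirectives(
                    "default-src 'self'; object-src 'none'; frame-ancestors 'none'"))
            );

        return http.build();
    }
}
```

Two caveats a practitioner should keep in mind. The HSTS header is only written on requests that already arrive over TLS, so it has no effect until the requiresChannel redirect has moved the client to HTTPS. And if a JavaScript client must read the CSRF token from the cookie, the default repository will block it; in that case expose the token some other way rather than clearing HttpOnly on the session or token cookie for the whole application.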
Session configuration: Cookie: Configure HttpOnly flag
Prevent client-side scripts from accessing the cookie by setting the HttpOnly flag to true
- error
- java
- security
- web
- OWASP Top 10
Session configuration: Cookies: Configure HttpOnly flag
Prevent client-side scripts from accessing the cookie by setting the HttpOnly flag to true
- error
- java
- security
- web
- Apache Shiro
- OWASP Top 10
Session configuration: Cookies: Configure HttpOnly flag
Prevent client-side scripts from accessing the cookie by setting the HttpOnly flag to true
- error
- java
- Spring
- security
- framework specific
- web
- Spring Boot
- OWASP Top 10
Session configuration: Cookies: Configure Secure flag
Prevent a cookie being sent over unencrypted HTTP by setting the Secure flag to true
- error
- java
- security
- web
- Apache Shiro
- OWASP Top 10
Session configuration: Cookies: Configure Secure flag
Prevent a cookie being sent over unencrypted HTTP by setting the Secure flag to true
- error
- java
- Spring
- security
- framework specific
- web
- Spring Web
- OWASP Top 10
Session configuration: Cookies: Configure Secure flag
Prevent a cookie being sent over unencrypted HTTP by setting the Secure flag to true
- error
- java
- security
- web
- OWASP Top 10
Session configuration: Cookies: Configure Secure flag
Prevent a cookie being sent over unencrypted HTTP by setting the Secure flag to true
- error
- java
- Spring
- security
- framework specific
- web
- Spring Boot
- OWASP Top 10
Session configuration: Cookies: Set HttpOnly flag to true
Prevent client-side scripts from accessing the cookie by setting the HttpOnly flag to true
- error
- java
- Spring
- security
- framework specific
- web
- Spring Web
- OWASP Top 10
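The HttpOnly and Secure flags from the session configuration rules above, set in each of the APIs the rules cover (plain Servlet, Spring Web, Apache Shiro, with the Spring Boot properties in a comment). This is an added example, not code from the original catalog; it assumes the javax.servlet namespace (Servlet 3.0+), Spring Framework 5 and Shiro's web module.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.web.servlet.SimpleCookie;
import org.apache.shiro.web.session.mgt.DefaultWebSessionManager;
import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;

// Added example (assumes javax.servlet, Spring Framework 5, Shiro web module).
public class CookieFlags {

    // Plain Servlet API: both flags default to false, so each must be set explicitly.
    static Cookie servletCookie(String name, String value) {
        Cookie c = new Cookie(name, value);
        c.setHttpOnly(true);   // flagged: omitted or setHttpOnly(false)
        c.setSecure(true);     // flagged: omitted or setSecure(false)
        c.setPath("/");
        return c;
    }

    // Spring Web: build the cookie with ResponseCookie and emit it as a Set-Cookie header.
    static ResponseCookie springCookie(String name, String value) {
        return ResponseCookie.from(name, value)
            .httpOnly(true)    // flagged: omitted or httpOnly(false)
            .secure(true)      // flagged: omitted or secure(false)
            .sameSite("Lax")
            .path("/")
            .build();
    }

    static void addSpringCookie(HttpServletResponse resp, ResponseCookie cookie) {
        resp.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
    }

    // Apache Shiro: the session id cookie template on the web session manager.
    static DefaultWebSessionManager shiroSessionManager() {
        SimpleCookie sessionId = new SimpleCookie("JSESSIONID");
        sessionId.setHttpOnly(true);   // flagged: setHttpOnly(false)
        sessionId.setSecure(true);     // flagged: omitted; Secure is not set unless requested
        DefaultWebSessionManager manager = new DefaultWebSessionManager();
        manager.setSessionIdCookie(sessionId);
        return manager;
    }

    // Spring Boot session cookie (application.properties), for the Spring Boot rules:
    //   server.servlet.session.cookie.http-only=true
    //   server.servlet.session.cookie.secure=true
}
```

Secure cookies are dropped by the browser on plain HTTP, so pair this with the HTTPS enforcement from the Secure Transport rules; a session cookie that is Secure but served from an HTTP login page simply never arrives.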