Could lead to XXE

• error
• java
• Spring
• security
• XXE
• framework specific
• Spring XML
• OWASP Top 10

This class is missing a @Controller or @RestController annotation

• error
• java
• Spring
• framework specific
• web
• Spring Web
• quality

Queries performing write operations should have the @Modifying annotation.

• error
• java
• Spring
• framework specific
• Spring Data
• quality

Public methods within a controller class should be treated as request handlers, therefore should be annotated as such. If you really believe this method should not be exposed as a Rest endpoint, please consider extracting it into an external Component class and call it from inside this controller.

• warning
• java
• Spring
• framework specific
• web
• Spring Web
• quality

Spring Security's default protection against Session Fixation is disabled, which means an attacker could hijack a valid user session

• warning
• java
• Spring
• security
• framework specific
• Spring Security
• web

RestTemplateBuilder#requestFactory(ClientHttpRequestFactory) is deprecated

• error
• java
• Spring Boot
• Spring

Serve requests over HTTPS instead of unencrypted HTTP

• error
• java
• Spring
• security
• framework specific
• web
• Spring Security
• OWASP Top 10

Enforce HTTPS on all requests, not just on a selected number

• warning
• java
• Spring
• security
• framework specific
• web
• Spring Security
• OWASP Top 10

Disabling Spring Security default headers makes the application vulnerable to clickjackin

• warning
• java
• Spring
• security
• framework specific
• web
• Spring Security
• Clickjacking
• OWASP Top 10

Prevent MIME sniffing by disabling contentTypeOptions

• error
• java
• Spring
• security
• framework specific
• web
• Spring Security
• OWASP Top 10

Allowing credentials makes the application more vulnerable

• warning
• java
• Spring
• security
• framework specific
• web
• Spring Security

Allowing all headers makes the application vulnerable

• warning
• java
• Spring
• security
• framework specific
• web
• Spring Security

Allowing unsafe methods puts the application at risk

• warning
• java
• Spring
• security
• framework specific
• web
• Spring Security

Allowing all origins makes the application vulnerable to scripts from any domain

• warning
• java
• Spring
• security
• framework specific
• web
• Spring Security

Exposing all headers makes the application vulnerable

• warning
• java
• Spring
• security
• framework specific
• web
• Spring Security

A value over 30 minutes is considered prolonged and likely to reduce security

• warning
• java
• Spring
• security
• framework specific
• web
• Spring Security

Avoid enabling CORS, or configure it as strictly as possible

• warning
• java
• Spring
• security
• framework specific
• web
• Spring Security

Allowing credentials makes the application more vulnerable

• warning
• java
• Spring
• security
• framework specific
• web
• Spring Security

Allowing all headers makes the application vulnerable

• warning
• java
• Spring
• security
• framework specific
• web
• Spring Security

Exposing all headers makes the application vulnerable

• warning
• java
• Spring
• security
• framework specific
• web
• Spring Security

A value over 30 minutes is considered prolonged and likely to reduce security

• warning
• java
• Spring
• security
• framework specific
• web
• Spring Security

Allowing unsafe methods puts the application at risk

• warning
• java
• Spring
• security
• framework specific
• web
• Spring Security

Allowing all origins makes the application vulnerable to scripts from any domain

• warning
• java
• Spring
• security
• framework specific
• web
• Spring Security

Disabling Spring Security's default headers makes the application vulnerable

• warning
• java
• Spring
• security
• framework specific
• web
• Spring Security
• OWASP Top 10

Make sure to set HttpOnly to true to protect against CSRF or remove it

• error
• java
• Spring
• security
• framework specific
• web
• Spring Security
• CSRF
• OWASP Top 10