Explore
1-25 of 91
Access Control: MvcRequestMatcher is more secure than AntPathRequestMatcher for Spring MVC patterns
When using Spring MVC it's recommended to use MvcRequestMatcher as it protects the paths Spring annotations will match on, instead of only the one provided.
- warning
- java
- Spring
- security
- Spring MVC
- Spring Security
- access control
Authentication: Username Enumeration: avoid UsernameNotFoundException
Avoid throwing a UsernameNotFoundException as it could lead to username enumeration
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
Authentication: Username Enumeration: setHideUserNotFoundExceptions should be set to true
Prevent enumeration by not throwing an exception that reveals the existence of the username
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
Avoid hardcoded secrets when using password encoders
Using passwordencoders in combination with hardcoded secrets is security sensitive
- error
- java
- Spring
- security
- framework specific
- Spring Security
Avoid hardcoded secrets when using the Encryptors class
Using the Encryptors class in combination with hardcoded secrets is security sensitive
- error
- java
- Spring
- security
- framework specific
- Spring Security
Avoid mapping to multiple HTTP request methods
Map to one HTTP request method for best practices
- info
- java
- Spring
- framework specific
- web
- Spring Web
- quality
Code quality: Do not add @Scope("singleton") on a Spring (rest)controller, service or repository
Adding @Scope("singleton") is redundant
- info
- java
- web
- framework specific
- Spring Boot
- Spring
- quality
CSRF: Disabled CSRF protection (AbstractHttpConfigurer)
Disabling Spring Security's CSRF protection makes the application vulnerable
- error
- java
- Spring
- security
- framework specific
- web
- Spring Security
- CSRF
- OWASP Top 10
CSRF: Disabled CSRF protection (HttpSecurity)
Disabling Spring Security's CSRF protection makes the application vulnerable
- error
- java
- Spring
- security
- framework specific
- web
- Spring Security
- CSRF
- OWASP Top 10
Data Protection: Secure Data Storage: Avoid Data Exposure: Do not use NoOpPasswordEncoder
Could lead to data exposure
- error
- java
- Spring
- security
- framework specific
- Spring Security
Data Protection: Secure Data Storage: Avoid Data Exposure: Hash passwords using strong hashing algorithms
Could lead to data exposure
- error
- java
- security
- framework specific
- Spring
- Spring Security
Data Protection: Secure Data Storage: Avoid Data Exposure: Hash passwords using strong hashing algorithms
Could lead to data exposure
- error
- java
- Spring
- security
- framework specific
- Spring Security
Encryptors requires the use of a random 8-byte salt
The salt should be random, 8-bytes and in hex-encoded String
- error
- java
- Spring
- security
- framework specific
- Spring Security
EnvironmentTestUtils is deprecated
EnvironmentTestUtils is deprecated
- warning
- java
- Spring Boot
- Spring
Field injection is not recommended
Field injection is not recommended, because the list of required dependencies are unclear during instance creation. This makes testing more difficult and could lead to runtime exceptions when the bean is instantiated without spring.
- info
- java
- kotlin
- Spring
- Spring Core
- dependency injection
- framework specific
- quality
Field injection is not recommended (lombok)
Field injection is not recommended, because the list of required dependencies are unclear during instance creation. This makes testing more difficult and could lead to runtime exceptions when the bean is instantiated without spring.
- info
- java
- kotlin
- Spring
- Spring Core
- dependency injection
- framework specific
- Lombok
- quality
Injection: XXE: Jaxb2Marshaller#setProcessExternalEntities set to true
Prevent XXE by disabling the processing of external entities
- error
- java
- Spring
- security
- XXE
- framework specific
- Spring XML
- OWASP Top 10
Injection: XXE: Jaxb2Marshaller#setSupportDtd set to true
Prevent XXE by disabling DTDs
- error
- java
- Spring
- security
- XXE
- framework specific
- Spring XML
- OWASP Top 10
Injection: XXE: Jaxb2RootElementHttpMessageConverter#setProcessExternalEntities set to true
Prevent XXE by disabling the processing of External Entities
- error
- java
- Spring
- security
- XXE
- framework specific
- Spring XML
- OWASP Top 10
Injection: XXE: Jaxb2RootElementHttpMessageConverter#setSupportDtd set to true
Prevent XXE by disabling DTDs
- error
- java
- Spring
- security
- XXE
- framework specific
- Spring XML
- OWASP Top 10
Injection: XXE: SourceHttpMessageConverter#setProcessExternalEntities set to true
Prevent XXE by disabling the processing of External Entities
- error
- java
- Spring
- security
- XXE
- framework specific
- Spring XML
- OWASP Top 10
Injection: XXE: SourceHttpMessageConverter#setSupportDtd set to true
Prevent XXE by disabling DTDs
- error
- java
- Spring
- security
- XXE
- framework specific
- Spring XML
- OWASP Top 10
Input Validation: Avoid JDBC Injection: Bind variables in prepared statements: single parameter
Could lead to JDBC Injection
- error
- java
- Spring
- security
- Spring Data
- framework specific
- injection
- SQL
- OWASP Top 10
Input Validation: Avoid JDBC Injection: Bind variables in prepared statements: Two parameters
Could lead to JDBC Injection
- error
- java
- Spring
- security
- Spring Data
- framework specific
- injection
- SQL
- OWASP Top 10
Input Validation: Avoid Spring Expression Language Injection: Do not evaluate expressions controlled by user input (ExpressionParser)
Could lead to Spring Expression Language Injection
- error
- java
- expression language
- Spring
- Spring Core
- security
- framework specific
- injection
- OWASP Top 10