Explore


1-25 of 59

Access Control: MvcRequestMatcher is more secure than AntPathRequestMatcher for Spring MVC patterns

When using Spring MVC, prefer MvcRequestMatcher: it matches requests the way Spring MVC routes them to @RequestMapping handlers (trailing slashes and, on older versions, path suffixes), so the rule protects every path the annotated handler would actually serve, rather than only the literal pattern an AntPathRequestMatcher compares against.

  • warning
  • java
  • Spring
  • security
  • Spring MVC
  • Spring Security
  • access control
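As an added illustration, not part of the rule catalog, the following Spring Security 5.8 configuration contrasts the two matchers on a single admin endpoint. The class, bean and controller names are assumed, and the under-protection relies on Spring MVC's default path matching (trailing-slash matching everywhere, suffix-pattern matching on Spring MVC before 5.3).

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller used for illustration. With Spring MVC's default path
// matching this handler also answers "/admin/" (trailing slash) and, on
// Spring MVC < 5.3 where suffix-pattern matching is on, "/admin.json".
@RestController
class AdminController {
    @GetMapping("/admin")
    String admin() {
        return "sensitive admin data";
    }
}

@Configuration
@EnableWebSecurity
public class AdminSecurityConfig {

    // FLAGGED: AntPathRequestMatcher compares the literal pattern "/admin" only.
    // "/admin/" and "/admin.json" do not match this rule, fall through to
    // anyRequest(), and are served to any authenticated user.
    // (Deliberately not annotated with @Bean so only the fixed chain is registered.)
    SecurityFilterChain antMatcherChain(HttpSecurity http) throws Exception {
        http.authorizeRequests(auth -> auth
                .antMatchers("/admin").hasRole("ADMIN")
                .anyRequest().authenticated());
        return http.build();
    }

    // FIXED: MvcRequestMatcher asks Spring MVC's HandlerMappingIntrospector which
    // handler a request would reach, so the rule covers every URL variant that
    // the "/admin" controller actually serves.
    @Bean
    SecurityFilterChain mvcMatcherChain(HttpSecurity http) throws Exception {
        http.authorizeRequests(auth -> auth
                .mvcMatchers("/admin").hasRole("ADMIN")
                .anyRequest().authenticated());
        return http.build();
    }
}
```

In Spring Security 6 the `antMatchers` and `mvcMatchers` methods are gone; `requestMatchers(String...)` builds an `MvcRequestMatcher` automatically whenever Spring MVC is on the classpath and falls back to `AntPathRequestMatcher` otherwise, which is the same choice this rule asks you to make by hand on 5.x.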
Authentication: Username Enumeration: avoid UsernameNotFoundException

Avoid throwing a UsernameNotFoundException from custom authentication code: when an unknown username produces a different response than a wrong password, an attacker can enumerate valid accounts

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • OWASP Top 10
Authentication: Username Enumeration: setHideUserNotFoundExceptions should be set to true

Prevent enumeration by not surfacing an exception that reveals whether the username exists; DaoAuthenticationProvider hides it by default, so setHideUserNotFoundExceptions(false) should never be called

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • OWASP Top 10
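An added example covering both username-enumeration rules above (it is not code from the rule catalog or from Spring Security). The in-memory user store stands in for a real repository, and the bean and class names are assumed; the API is Spring Security 5.8.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

import java.util.Map;

// Constructed in-memory "user table" standing in for a real repository.
final class UserStore implements UserDetailsService {
    private final Map<String, String> bcryptHashes;

    UserStore(Map<String, String> bcryptHashes) {
        this.bcryptHashes = bcryptHashes;
    }

    @Override
    public UserDetails loadUserByUsername(String username) {
        String hash = bcryptHashes.get(username);
        if (hash == null) {
            // The UserDetailsService contract requires this exception. Keep the
            // message generic and never let it reach the client directly: the
            // provider below translates it into the same error a wrong password gives.
            throw new UsernameNotFoundException("Bad credentials");
        }
        return User.withUsername(username).password(hash).roles("USER").build();
    }
}

@Configuration
public class AuthProviderConfig {

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Constructed sample account.
        return new UserStore(Map.of("alice", encoder.encode("correct horse battery staple")));
    }

    @Bean
    AuthenticationProvider authenticationProvider(UserDetailsService uds, PasswordEncoder encoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(uds);
        provider.setPasswordEncoder(encoder);

        // FLAGGED: with hiding switched off, an unknown user yields a
        // UsernameNotFoundException while a known user with a wrong password
        // yields a BadCredentialsException. Different exception, different error
        // page / JSON body / log line, and the attacker can tell the two apart.
        // provider.setHideUserNotFoundExceptions(false);

        // FIXED (and the default): both failures surface as BadCredentialsException.
        // DaoAuthenticationProvider also runs a dummy password hash on the
        // unknown-user path so the response time does not give the answer away.
        provider.setHideUserNotFoundExceptions(true);
        return provider;
    }
}
```

The flag only helps if nothing downstream re-introduces the difference: a custom `AuthenticationFailureHandler`, an `@ExceptionHandler`, or a log statement that prints the exception class name will leak the distinction again, so check those paths as well.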
Avoid hardcoded secrets when using password encoders

Using password encoders in combination with hardcoded secrets is security sensitive

  • error
  • java
  • Spring
  • security
  • framework specific
  • Spring Security
Avoid hardcoded secrets when using the Encryptors class

Using the Encryptors class in combination with hardcoded secrets is security sensitive

  • error
  • java
  • Spring
  • security
  • framework specific
  • Spring Security
CSRF: Disabled CSRF protection (AbstractHttpConfigurer)

Disabling Spring Security's CSRF protection makes the application vulnerable

  • error
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • CSRF
  • OWASP Top 10
CSRF: Disabled CSRF protection (HttpSecurity)

Disabling Spring Security's CSRF protection makes the application vulnerable

  • error
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • CSRF
  • OWASP Top 10
Data Protection: Secure Data Storage: Avoid Data Exposure: Do not use NoOpPasswordEncoder

NoOpPasswordEncoder stores passwords in plaintext, so a database leak exposes every credential directly

  • error
  • java
  • Spring
  • security
  • framework specific
  • Spring Security
Data Protection: Secure Data Storage: Avoid Data Exposure: Hash passwords using strong hashing algorithms

Fast or broken hash algorithms (MD5, SHA-1, a single unsalted SHA-256) let leaked hashes be cracked offline; use an adaptive algorithm such as bcrypt, scrypt, Argon2 or PBKDF2

  • error
  • java
  • security
  • framework specific
  • Spring
  • Spring Security
Data Protection: Secure Data Storage: Avoid Data Exposure: Hash passwords using strong hashing algorithms

Fast or broken hash algorithms (MD5, SHA-1, a single unsalted SHA-256) let leaked hashes be cracked offline; use an adaptive algorithm such as bcrypt, scrypt, Argon2 or PBKDF2

  • error
  • java
  • Spring
  • security
  • framework specific
  • Spring Security
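An added example, written for this page rather than taken from the rule catalog, that puts the password-storage rules above side by side: the hardcoded-secret rule for password encoders, the NoOpPasswordEncoder rule, and the strong-hashing rule. `PASSWORD_PEPPER` is an assumed environment variable name; the constructors used exist in Spring Security 5.8 and 6.x.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.MessageDigestPasswordEncoder;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.password.Pbkdf2PasswordEncoder;
import org.springframework.security.crypto.password.Pbkdf2PasswordEncoder.SecretKeyFactoryAlgorithm;

public class PasswordStorageExample {

    // FLAGGED (data exposure): NoOpPasswordEncoder returns its input unchanged,
    // so the "hash" column holds the password itself.
    @SuppressWarnings("deprecation")
    static PasswordEncoder plaintext() {
        return NoOpPasswordEncoder.getInstance();
    }

    // FLAGGED (weak algorithm): salted but unstretched MD5. A leaked table is
    // attacked at billions of guesses per second on commodity GPUs.
    @SuppressWarnings("deprecation")
    static PasswordEncoder md5() {
        return new MessageDigestPasswordEncoder("MD5");
    }

    // FLAGGED (hardcoded secret): the PBKDF2 pepper is a literal in the source
    // tree, so anyone with repository access can verify guesses against leaked
    // hashes, and rotating it means a code change and redeploy.
    static PasswordEncoder pbkdf2WithHardcodedPepper() {
        return new Pbkdf2PasswordEncoder("s3cr3t-pepper-in-git", 16, 310_000,
                SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA256);
    }

    // FIXED: bcrypt with a raised cost factor; a random salt is generated per
    // password and embedded in the encoded string.
    static PasswordEncoder bcrypt() {
        return new BCryptPasswordEncoder(12);
    }

    // FIXED: PBKDF2 with the pepper supplied by the environment or a secret
    // manager at startup (PASSWORD_PEPPER is an assumed variable name).
    static PasswordEncoder pbkdf2WithExternalPepper() {
        String pepper = System.getenv("PASSWORD_PEPPER");
        if (pepper == null || pepper.length() < 32) {
            throw new IllegalStateException("PASSWORD_PEPPER must be set and at least 32 characters long");
        }
        return new Pbkdf2PasswordEncoder(pepper, 16, 310_000,
                SecretKeyFactoryAlgorithm.PBKDF2WithHmacSHA256);
    }

    // FIXED and migration-friendly: encodes with bcrypt under a "{bcrypt}"
    // prefix, yet still verifies legacy "{noop}" or "{MD5}" values, so old
    // hashes can be re-encoded on the user's next successful login.
    static PasswordEncoder delegating() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    public static void main(String[] args) {
        String password = "correct horse battery staple";   // constructed sample

        PasswordEncoder encoder = delegating();
        String stored = encoder.encode(password);
        System.out.println("stored form: " + stored);

        // A legacy row that still carries a plaintext "{noop}" value verifies,
        // and that successful match is the moment to overwrite it with `stored`.
        String legacyRow = "{noop}" + password;
        boolean legacyMatches = encoder.matches(password, legacyRow);
        System.out.println("legacy noop row still verifies: " + legacyMatches);

        boolean wrongPassword = encoder.matches("hunter2", stored);
        System.out.println("wrong password accepted: " + wrongPassword);
    }
}
```

`PasswordEncoder.upgradeEncoding(String)` on the delegating encoder reports whether a stored value uses an encoder other than the current default, which is the hook to drive the re-encoding described in the comment.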
Encryptors requires the use of a random 8-byte salt

The salt passed to Encryptors must be random, 8 bytes long and hex-encoded (KeyGenerators.string().generateKey() produces exactly this); a short, fixed or reused salt lets identical passwords derive identical keys across installations

  • error
  • java
  • Spring
  • security
  • framework specific
  • Spring Security
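An added example, not from the rule catalog, serving both the Encryptors rules on this page: the hardcoded-secret rule for the Encryptors class and the random 8-byte salt rule. `ENCRYPTION_PASSWORD` is an assumed environment variable name and the sample plaintext is constructed; the `Encryptors` and `KeyGenerators` calls are Spring Security's own.

```java
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;
import org.springframework.security.crypto.keygen.KeyGenerators;

public class FieldEncryptionExample {

    // FLAGGED twice: the password is a string literal in the source, and the
    // salt is a short, fixed value shared by every deployment that ships this
    // class. Anyone holding the jar can derive the key, and two installations
    // with the same password end up with the same key.
    static TextEncryptor hardcoded() {
        return Encryptors.text("changeit", "deadbeef");   // 4-byte fixed salt
    }

    // FIXED: the password comes from the environment or a secret manager
    // (ENCRYPTION_PASSWORD is an assumed variable name); the salt is 8 random
    // bytes, hex-encoded, generated once per installation and stored next to
    // the data it protects. The salt is not secret; the password is.
    static TextEncryptor fromEnvironment(String hexSalt) {
        String password = System.getenv("ENCRYPTION_PASSWORD");
        if (password == null || password.length() < 16) {
            throw new IllegalStateException("ENCRYPTION_PASSWORD must be set and at least 16 characters long");
        }
        if (hexSalt == null || !hexSalt.matches("[0-9a-fA-F]{16}")) {
            throw new IllegalArgumentException("salt must be 8 random bytes, hex-encoded");
        }
        // delux() wraps stronger() (AES-256-GCM, authenticated) as hex text;
        // text() would use standard(), which is unauthenticated AES-CBC.
        return Encryptors.delux(password, hexSalt);
    }

    // Site-global salt: KeyGenerators.string() yields a random 8-byte key,
    // hex-encoded, which is precisely what the rule asks for.
    static String newSalt() {
        return KeyGenerators.string().generateKey();
    }

    public static void main(String[] args) {
        String salt = newSalt();
        TextEncryptor enc = fromEnvironment(salt);

        String secret = "4111 1111 1111 1111";             // constructed sample field
        String ciphertext = enc.encrypt(secret);

        // Decryption needs the same password and salt, so persist the salt with
        // the ciphertext (here as "<salt>:<ciphertext>"); a fresh IV is drawn on
        // every encrypt() call, so equal plaintexts do not produce equal ciphertexts.
        String stored = salt + ":" + ciphertext;

        String[] parts = stored.split(":", 2);
        TextEncryptor dec = fromEnvironment(parts[0]);
        String roundTrip = dec.decrypt(parts[1]);
        if (!secret.equals(roundTrip)) {
            throw new AssertionError("round trip failed");
        }
        System.out.println("round trip ok");
    }
}
```

Rotating the password later requires decrypting with the old password and re-encrypting with the new one, so keep the salt and a version marker with each stored record rather than assuming a single global key for the life of the system.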
Protect against Session Fixation attacks

Spring Security's default protection against session fixation has been switched off (sessionFixation().none()), so the session identifier issued before login survives authentication and an attacker who planted that identifier can hijack the authenticated session

  • warning
  • java
  • Spring
  • security
  • framework specific
  • Spring Security
  • web
Secure Transport: use RequiresSecure to enforce HTTPS

Serve requests over HTTPS instead of unencrypted HTTP

  • error
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • OWASP Top 10
Secure Transport: use RequiresSecure to enforce HTTPS on all paths

Enforce HTTPS on all requests, not just on a selected number

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • OWASP Top 10
Security Misconfiguration: Clickjacking protection: Disabled Header - frameOptions()

Disabling Spring Security's default X-Frame-Options header makes the application vulnerable to clickjacking

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • Clickjacking
  • OWASP Top 10
Security Misconfiguration: Content sniffing protection

Do not disable contentTypeOptions: it adds the X-Content-Type-Options: nosniff header, which stops browsers from MIME-sniffing responses into executable content

  • error
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • OWASP Top 10
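The HttpSecurity rules above (both CSRF rules, session fixation, both RequiresSecure rules, frameOptions and contentTypeOptions) all concern the same filter-chain configuration, so here is one added example, written for this page and not taken from the catalog or from Spring Security, with the weak configuration beside the hardened one. The API is Spring Security 5.8's lambda DSL; class and bean names are assumed.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class WebHardeningConfig {

    // FLAGGED: each line switches off a protection Spring Security enables by
    // default. Deliberately not registered (no @Bean); shown only for contrast.
    SecurityFilterChain weakChain(HttpSecurity http) throws Exception {
        http
            // CSRF: Disabled CSRF protection (AbstractHttpConfigurer / HttpSecurity)
            .csrf(AbstractHttpConfigurer::disable)
            // Session Fixation: the pre-login session id survives authentication
            .sessionManagement(sm -> sm.sessionFixation().none())
            // Secure Transport: only /login is forced to HTTPS; the authenticated
            // session cookie then travels over plain HTTP on every other path
            .requiresChannel(ch -> ch.antMatchers("/login").requiresSecure())
            .headers(h -> h
                // Clickjacking: no X-Frame-Options header, the page can be framed anywhere
                .frameOptions(f -> f.disable())
                // Content sniffing: no X-Content-Type-Options: nosniff header
                .contentTypeOptions(c -> c.disable()))
            .authorizeRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    // FIXED: keep the defaults, and state them explicitly where a reviewer
    // should see them.
    @Bean
    SecurityFilterChain hardenedChain(HttpSecurity http) throws Exception {
        http
            // CSRF stays on. The cookie repository is only needed for JavaScript
            // clients that read the XSRF-TOKEN cookie and echo it in a header;
            // server-rendered forms can simply use csrf(Customizer.withDefaults()).
            .csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
            // Session Fixation: a new session id at login. changeSessionId() is the
            // default on Servlet 3.1+; migrateSession() also copies session attributes.
            .sessionManagement(sm -> sm.sessionFixation().changeSessionId())
            // Secure Transport: every request, not a selected few
            .requiresChannel(ch -> ch.anyRequest().requiresSecure())
            .headers(h -> h
                .frameOptions(f -> f.deny())                    // X-Frame-Options: DENY
                .contentTypeOptions(Customizer.withDefaults()))  // X-Content-Type-Options: nosniff
            .authorizeRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

Two caveats a practitioner should check before copying this: `requiresSecure()` redirects HTTP to HTTPS based on the scheme Spring sees, so behind a TLS-terminating proxy the `X-Forwarded-Proto` header must be honoured (for Spring Boot, `server.forward-headers-strategy=native` or `framework`) or every request loops on the redirect; and `frameOptions(f -> f.deny())` should become `sameOrigin()` only if the application genuinely frames itself, never `disable()`.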
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowCredentials

Allowing credentials makes the browser attach cookies and Authorization headers to cross-origin requests; combined with broad origins this hands authenticated responses to other sites

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowedHeaders

Allowing all request headers (*) lets any permitted origin send arbitrary custom headers; list only the headers the client actually needs

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowedMethods

Allowing unsafe methods puts the application at risk

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowedOrigins

Allowing all origins makes the application vulnerable to scripts from any domain

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#exposedHeaders

Exposing all response headers (*) lets cross-origin scripts read every header the server returns, including internal or sensitive ones; list only the headers the client needs to read

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#maxAge

A max-age over 30 minutes (1800 seconds) lets browsers cache the preflight response for too long, so tightened CORS rules take effect late; 30 minutes is the default and should be treated as the upper bound

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin

Avoid enabling CORS, or configure it as strictly as possible

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - allowCredentials

Allowing credentials makes the browser attach cookies and Authorization headers to cross-origin requests; combined with broad origins this hands authenticated responses to other sites

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - allowedHeaders

Allowing all request headers (*) lets any permitted origin send arbitrary custom headers; list only the headers the client actually needs

  • warning
  • java
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
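The CORS rules above (the six CorsRegistry settings and the @CrossOrigin variants) describe one configuration surface, so one added example covers them all. It is written for this page, not taken from the catalog or from Spring; the origin `https://app.example.com`, the `/api/**` paths, the exposed `X-Request-Id` header and the class names are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class CorsConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // FLAGGED: every broad setting the CorsRegistry rules list, on every path.
        // Spring Framework 5.3+ refuses allowedOrigins("*") together with
        // allowCredentials(true) at startup (IllegalArgumentException), but the
        // equally dangerous allowedOriginPatterns("*") + allowCredentials(true)
        // is accepted: the requesting origin is reflected back and the browser
        // attaches the victim's cookies to requests from any site.
        /*
        registry.addMapping("/**")
                .allowedOriginPatterns("*")       // any origin, reflected back
                .allowedMethods("*")              // includes PUT, DELETE, PATCH
                .allowedHeaders("*")              // any request header
                .exposedHeaders("*")              // every response header readable by the script
                .allowCredentials(true)           // cookies / Authorization sent cross-site
                .maxAge(86_400);                  // preflight cached for a day
        */

        // FIXED: one mapping per API, a single trusted origin, only the methods
        // and headers the client needs, and the preflight cache capped at 30 minutes.
        registry.addMapping("/api/**")
                .allowedOrigins("https://app.example.com")
                .allowedMethods("GET", "POST")
                .allowedHeaders("Content-Type", "Authorization")
                .exposedHeaders("X-Request-Id")
                .allowCredentials(true)
                .maxAge(1_800);
    }
}

@RestController
class ProfileController {

    // FLAGGED: a bare @CrossOrigin means origins = "*" and allowedHeaders = "*".
    // @CrossOrigin
    // @GetMapping("/api/profile")
    // String anyOrigin() { ... }

    // FIXED: the same constraints as the registry mapping, scoped to one handler.
    // allowCredentials is a String in this annotation, not a boolean.
    @CrossOrigin(
            origins = "https://app.example.com",
            allowedHeaders = {"Content-Type", "Authorization"},
            allowCredentials = "true",
            maxAge = 1_800)
    @GetMapping("/api/profile")
    String profile() {
        return "{\"user\":\"alice\"}";   // constructed sample response
    }
}
```

When Spring Security is on the filter chain, add `http.cors(Customizer.withDefaults())` to the `HttpSecurity` configuration so the `CorsFilter` runs before authentication; otherwise preflight `OPTIONS` requests carry no credentials, are rejected with 401, and developers are tempted to "fix" it with the broad settings shown in the flagged block.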