Authentication: Username Enumeration: avoid UsernameNotFoundException
Avoid throwing a UsernameNotFoundException as it could lead to username enumeration
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
Authentication: Username Enumeration: setHideUserNotFoundExceptions should be set to true
Prevent enumeration by not throwing an exception that reveals the existence of the username
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
Avoid mapping to multiple HTTP request methods
Map to one HTTP request method for best practices
- info
- java
- Spring
- framework specific
- web
- Spring Web
- quality
Code quality: Do not add @Scope("singleton") on a Spring (rest)controller, service or repository
Adding @Scope("singleton") is redundant
- info
- java
- web
- framework specific
- Spring Boot
- Spring
- quality
CSRF: Disabled CSRF protection (AbstractHttpConfigurer)
Disabling Spring Security's CSRF protection makes the application vulnerable
- error
- java
- Spring
- security
- framework specific
- web
- Spring Security
- CSRF
- OWASP Top 10
CSRF: Disabled CSRF protection (HttpSecurity)
Disabling Spring Security's CSRF protection makes the application vulnerable
- error
- java
- Spring
- security
- framework specific
- web
- Spring Security
- CSRF
- OWASP Top 10
Email: Disabled SSL on Connect
When sending an email, SSL has been disabled on connection
- error
- java
- security
- Apache Commons
- web
- OWASP Top 10
Email: Disabled SSL Server Identity check
When sending an email, setSSLCheckServerIdentity has been set to false
- error
- java
- security
- Apache Commons
- web
- OWASP Top 10
Missing annotation in controller class
This class is missing a @Controller or @RestController annotation
- error
- java
- Spring
- framework specific
- web
- Spring Web
- quality
Non-annotated controller public method
Public methods within a controller class should be treated as request handlers and therefore should be annotated as such. If you really believe this method should not be exposed as a REST endpoint, please consider extracting it into an external Component class and calling it from inside this controller.
- warning
- java
- Spring
- framework specific
- web
- Spring Web
- quality
Protect against Session Fixation attacks
Spring Security's default protection against Session Fixation is disabled, which means an attacker could hijack a valid user session
- warning
- java
- Spring
- security
- framework specific
- Spring Security
- web
Secure Transport: use RequiresSecure to enforce HTTPS
Serve requests over HTTPS instead of unencrypted HTTP
- error
- java
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
Secure Transport: use RequiresSecure to enforce HTTPS on all paths
Enforce HTTPS on all requests, not just on a selected number
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
Security Misconfiguration: Clickjacking protection: Disabled Header - frameOptions()
Disabling Spring Security's default headers makes the application vulnerable to clickjacking
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
- Clickjacking
- OWASP Top 10
Security Misconfiguration: Content sniffing protection
Prevent MIME sniffing by disabling contentTypeOptions
- error
- java
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowCredentials
Allowing credentials makes the application more vulnerable
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowedHeaders
Allowing all headers makes the application vulnerable
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowedMethods
Allowing unsafe methods puts the application at risk
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#allowedOrigins
Allowing all origins makes the application vulnerable to scripts from any domain
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#exposedHeaders
Exposing all headers makes the application vulnerable
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
Security Misconfiguration: CORS: Avoid broad settings: CorsRegistry#maxAge
A value over 30 minutes is considered prolonged and likely to reduce security
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin
Avoid enabling CORS, or configure it as strictly as possible
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - allowCredentials
Allowing credentials makes the application more vulnerable
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - allowedHeaders
Allowing all headers makes the application vulnerable
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
Security Misconfiguration: CORS: Avoid broad settings: @CrossOrigin - exposedHeaders
Exposing all headers makes the application vulnerable
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security