Spring Boot Security Standards
Priority: P0 (CRITICAL)
Implementation Guidelines
Configuration (Spring Security 6+)
- Lambda DSL: ALWAYS use the Lambda DSL (.authorizeHttpRequests(auth -> ...)) for readability.
- SecurityFilterChain: Expose it as a @Bean. Do not extend WebSecurityConfigurerAdapter.
- Statelessness: Enforce SessionCreationPolicy.STATELESS for REST APIs.
JWT Best Practices
- Algorithm: Enforce RS256 or HS256. Reject the none algorithm explicitly in the JWT configuration.
- Claims: Validate the iss, aud, and exp claims.
- Tokens: Short-lived access tokens (15m), secure refresh tokens.
Hardening
- CSRF: Disable for stateless APIs. Enable it with a cookie-based CSRF token repository for browser apps.
- CORS: Explicitly list allowed origins. NEVER use * together with credentials.
- Headers: Enable the default headers (HSTS, X-Content-Type-Options).
Authorization
- Method Security: Use @EnableMethodSecurity.
- Annotations: Prefer @PreAuthorize over URL matching.
Anti-Patterns
- **Adapter Extension**: No WebSecurityConfigurerAdapter. Use a SecurityFilterChain bean.
- **Chained Calls**: No .and(). Use the Lambda DSL.
- **Hardcoded Secrets**: No secrets in code. Use Vault or environment variables.
- **Legacy Matchers**: No antMatchers. Use requestMatchers.
References
Related Topics
common/security-standards | architecture