Apply Spring Boot security best practices for authentication, authorization, and service hardening.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "springboot-security" skill from askskill: 1. Download https://raw.githubusercontent.com/affaan-m/ECC/main/skills/springboot-security/SKILL.md 2. Save it as ~/.claude/skills/springboot-security/SKILL.md 3. Reload skills and tell me it's ready
Design a Spring Security setup for a Spring Boot REST API including JWT authentication, role-based authorization, password storage, login failure throttling, and provide recommended configuration with code examples.
A secure configuration plan with filter chain design, auth rules, password hashing guidance, and sample code.
Review the following Spring Boot security configuration, identify risks in authentication, CSRF, request validation, security headers, secret management, and dependency versions, then provide prioritized fixes.
A prioritized list of security issues with remediation steps and best-practice recommendations.
I am deploying a Spring Boot service. Give me a security hardening checklist covering rate limiting, CORS, HTTP security headers, input validation, secrets management, dependency scanning, and audit logging.
An actionable deployment security checklist for systematically hardening a Spring Boot service in production.
Use when adding auth, handling input, creating endpoints, or dealing with secrets.
httpOnly, Secure, SameSite=Strict cookies for sessionsOncePerRequestFilter or resource server@Component
public class JwtAuthFilter extends OncePerRequestFilter {
private final JwtService jwtService;
public JwtAuthFilter(JwtService jwtService) {
this.jwtService = jwtService;
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
FilterChain chain) throws ServletException, IOException {
String header = request.getHeader(HttpHeaders.AUTHORIZATION);
if (header != null && header.startsWith("Bearer ")) {
String token = header.substring(7);
Authentication auth = jwtService.authenticate(token);
SecurityContextHolder.getContext().setAuthentication(auth);
}
chain.doFilter(request, response);
}
}
@EnableMethodSecurity@PreAuthorize("hasRole('ADMIN')") or @PreAuthorize("@authz.canEdit(#id)")@RestController
@RequestMapping("/api/admin")
public class AdminController {
@PreAuthorize("hasRole('ADMIN')")
@GetMapping("/users")
public List<UserDto> listUsers() {
return userService.findAll();
}
@PreAuthorize("@authz.isOwner(#id, authentication)")
@DeleteMapping("/users/{id}")
public ResponseEntity<Void> deleteUser(@PathVariable Long id) {
userService.delete(id);
return ResponseEntity.noContent().build();
}
}
@Valid on controllers@NotBlank, @Email, @Size, custom validators// BAD: No validation
@PostMapping("/users")
public User createUser(@RequestBody UserDto dto) {
return userService.create(dto);
}
// GOOD: Validated DTO
public record CreateUserDto(
@NotBlank @Size(max = 100) String name,
@NotBlank @Email String email,
@NotNull @Min(0) @Max(150) Integer age
) {}
@PostMapping("/users")
public ResponseEntity<UserDto> createUser(@Valid @RequestBody CreateUserDto dto) {
return ResponseEntity.status(HttpStatus.CREATED)
.body(userService.create(dto));
}
:param bindings; never concatenate strings// BAD: String concatenation in native query
@Query(value = "SELECT * FROM users WHERE name = '" + name + "'", nativeQuery = true)
// GOOD: Parameterized native query
@Query(value = "SELECT * FROM users WHERE name = :name", nativeQuery = true)
List<User> findByName(@Param("name") String name);
// GOOD: Spring Data derived query (auto-parameterized)
List<User> findByEmailAndActiveTrue(String email);
PasswordEncoder bean, not manual hashing@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(12); // cost factor 12
}
// In service
public User register(CreateUserDto dto) {
String hashedPassword = passwordEncoder.encode(dto.password());
return userRepository.save(new User(dto.email(), hashedPassword));
}
…
Conduct multi-source web research and produce cited, source-attributed reports.
Audit, plan, and implement SEO improvements for better search visibility.
Unify multi-channel notifications for routing, deduplication, escalation, and inbox consolidation.
Fetches up-to-date framework docs for setup, APIs, and code examples.
Refine retrieved context iteratively to improve subagent understanding and output quality.
Design adaptive agent workflows with eval gates and reusable skill extraction.
Apply Django security best practices for safer auth, app defenses, and deployment.
Run pre-release verification for Spring Boot builds, tests, scans, and diffs.
Apply Laravel security best practices for auth, vulnerabilities, APIs, and deployment.
Review security risks for auth, inputs, secrets, APIs, and sensitive features.
Generate Spring Boot code, audit security, and optimize application queries.
Review Python, JS/TS, and Go code for security best practices.