Ten Spring Boot security best practices

Working with Spring Boot and don’t know where to start when it comes to security? You need to worry no more! This cheatsheet proposes best practices on how developers and maintainers can improve their Spring Boot security.

Spring Boot is one of the most used frameworks in the Java ecosystem because it dramatically simplifies the development of Spring applications. For this reason, it would be wise of you to try and improve the overall security posture of your Spring Boot applications. And we are here to help you do just that.

This post was originally written in a blog post form, and in more detail, with Matt Raible, fellow Java Champion and Developer Advocate at Okta.

What is Spring Boot security?

Spring Boot security can mean different things. In general, it is adding the Spring Security framework to your Spring Boot web application by including the Spring Boot security starter dependency. Spring Security is an authentication and access-control framework and can be easily included in a Spring Boot application. On the other hand, Spring Boot security is more than just including the Spring Security framework. This cheatsheet focuses on the broader topic of Spring Boot security and how to secure your application created with Spring Boot.

Spring Boot security best practices

The following curated list will go beyond just introducing Spring Security for authentication and authorization in your Spring Boot application. It focuses on the broader Spring Boot security strategy and covers the following topic:

  1. Use HTTPS in production
  2. Test your dependencies and find Spring Boot vulnerabilities
  3. Enable CSRF protection
  4. Use a content security policy for Spring Boot XSS protection
  5. Use OpenID Connect for authentication
  6. Use password hashing
  7. Use the latest releases
  8. Store secrets securely
  9. Pen test your app
  10. Have your security team do a code review


1. Use HTTPS in production

TLS/SSL certificates used to be expensive, and HTTPS was considered slow. Machines have become much faster, solving the performance problem, and Let’s Encrypt provides free TLS certificates. These two developments have changed the game and caused TLS to become mainstream.

To force HTTPS in your Spring Boot app, you can extend WebSecurityConfigurerAdapter and require a secure connection.


public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

 protected void configure(HttpSecurity http) throws Exception {

Cloud providers can greatly simplify TLS certificates. Amazon Certificate Manager is exactly like Let’s Encrypt except it’s built into all of the AWS products/services by default. It lets you provision 100% free SSL certs and handles automatic renewal, etc., with literally zero effort/config. Heroku has Automated Certificate Management too.

2. Test your dependencies and find Spring Boot vulnerabilities

There’s a good chance you don’t know how many direct dependencies your application uses. It’s extremely likely you don’t know how many transitive dependencies your application uses. This is often true, despite dependencies making up the majority of your overall application and can contain Spring Boot security vulnerabilities. Attackers target open source dependencies more and more, as their reuse provides many victims for a malicious hacker. It’s important to ensure there are no known vulnerabilities in the entire dependency tree of your application.

3. Enable CSRF protection

Cross-Site Request Forgery is an attack that forces a user to execute unwanted actions in an application they’re currently logged into.

Spring Security has excellent CSRF support that’s on by default. If you’re using Spring MVC’s <form:form> tag or Thymeleaf and @EnableWebSecurity, the CSRF token will automatically be added as a hidden input field.  To make this part of your Spring Boot security strategy, you have to add the Spring Security starter as a dependency

If you’re using a JavaScript framework like Angular or React, you will need to configure the CookieCsrfTokenRepository so JavaScript can read the cookie.

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

   protected void configure(HttpSecurity http) throws Exception {

Spring Security automatically adds a secure flag to the XSRF-TOKEN cookie when the request happens over HTTPS. Spring Security doesn’t use the SameSite=strict flag for CSRF cookies, but it does when using Spring Session or WebFlux session handling.

4. Use a content security policy for Spring Boot XSS protection

Content Security Policy (CSP) is an added layer of security that helps mitigate XSS (cross-site scripting) and data injection attacks. To enable it, you need to configure your app to return a Content-Security-Policy header. You can also use a <meta http-equiv="Content-Security-Policy"> tag in your HTML page.

Spring Security provides a number of security headers by default. Spring Security does not add a CSP by default. You can enable the CSP header in your Spring Boot app using the configuration below.

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

   protected void configure(HttpSecurity http) throws Exception {
           .contentSecurityPolicy("script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/");

5. Use OpenID Connect for authentication

OpenID Connect (OIDC) is an OAuth 2.0 extension that provides user information. It adds an ID token in addition to an access token, as well as a /userinfo endpoint that you can get additional information from. It also adds an endpoint discovery feature and dynamic client registration.

The diagram below shows how OIDC works for authentication.

spring boot security OIDC authentication code flow

6. Use password hashing

Storing passwords in plain text is one of the worst things you can do for the security of your app. Luckily, Spring Security doesn’t allow plain text passwords by default. It also ships with a crypto module you can use for symmetric encryption, key generation, and password hashing (a.k.a., password encoding).

PasswordEncoder is the main interface for password hashing in Spring Security and looks as follows:

public interface PasswordEncoder {
   String encode(String rawPassword);
   boolean matches(String rawPassword, String encodedPassword);

Spring Security provides several implementations, the most popular being BCryptPasswordEncoder and Pbkdf2PasswordEncoder.

7. Use the latest releases

There are various reasons to regularly upgrade the dependencies in your application. Security is one of the most important reasons that will give you the motivation to upgrade. The start.spring.io starter page uses the most recent versions of Spring packages as well as dependencies, where possible.

Infrastructure upgrades are often less disruptive than dependency upgrades, as library authors vary in their sensitivity to backward compatibility and behaviour changes between releases. That being said, you have three options when you find a security vulnerability in your configuration: Upgrade, Patch or Ignore. Upgrades are the safest, in terms of the overall health of your application, but often they’re not always an option. When this is the case, patches can eliminate vulnerabilities from your package, which you can often get from a security specialist. Ignoring a vulnerability is, of course, an option, but not a good one. Perhaps you know of a vulnerability, but do not believe it is directly exploitable. Keep in mind that it might not be in your application flow today, but at some point, a developer might add additional code that uses a vulnerable path.

8. Store secrets securely

As part of your Spring Boot security strategy, we also need to think about your data. Sensitive information such as passwords, access tokens, etc., should be handled with care. You cannot leave these around, pass them in plain text, or be predictable if keeping them in your local storage. As (GitHub) history has proved time and time again, developers do not think carefully enough about how they store their secrets.

A good practice is to store secrets in a vault that can be used to store, provide access to, and even generate credentials to services that your application may use. Vault by HashiCorp makes storing secrets trivial, as well as offering a number of additional services. You can also integrate with common authentication mechanisms such as LDAP to obtain tokens.

If this interests you, be sure to invest some time looking at the Spring Vault which adds an abstraction over the HashiCorp Vault, providing Spring annotation based access for clients, allowing them to access, store and revoke secrets without getting lost in the infrastructure. The following code snippet shows how easy it is to extract a password from the Spring Vault using an annotation.

String password;

9. Pen test your app

The OWASP ZAP security tool is a proxy that performs penetration testing against your live application at runtime. It’s a popular (over 4k stars) free, open source project that is hosted on GitHub.

Two approaches OWASP ZAP uses to find vulnerabilities are Spider and Active Scan. The Spider tool starts with a seed of URLs, which it will access and parse through each response, identifying hyperlinks and adding them to a list. It will then access these newly found URLs and recursively continue, creating a map of URLs for your web application. The Active Scan tool will automatically test your selected targets against a list of potential vulnerabilities. It provides you with a report that shows where your web application is exploitable, with details about the vulnerability.

10. Have your security team do a code review

Code reviews are essential for any high performing software development team. At Okta, all the production code and official open source projects are required to go through an analysis from our expert security team. You might not have security experts at your company, but if you’re dealing with sensitive data, maybe you should!

Be sure to download the Spring Boot Security cheat sheet and pin it up somewhere to remind you of some of the best practices you should follow if you’re a developer using Spring Boot in your applications.


How do I add security to Spring Boot?

When Adding Spring Security to your Spring Boot application begins with adding the security starter dependency.


By default, authentication is enabled when the starter dependency is included. You can configure the credentials by setting the properties spring.security.user.name and spring.security.user.password

How do I disable Spring Security in Spring Boot?

By default, Spring Security is enabled whenever you include the spring-boot-starter-security package. This can by easily disabled by excluding the SecurityAutoConfiguration in the application.properties file.


Seven Ways APIs, Microservices and DevOps Can Transform Your Business

Customer behaviors are rapidly changing, and organizations need to be agile to adapt to shifting business needs. Agility won’t come from simply implementing new technologies. Instead, organizations must focus on ways to increase their capacity for change. Read this eBook to learn about the advantages of APIs, microservices, and DevOps.

Read the below to learn:

  • The API economy and how it is igniting a cultural shift in businesses.
  • How APIs and microservices are not only becoming the norm in enterprises, but are also changing the role of IT.
  • Why DevOps and APIs deliver greater advantages and business value together, than they deliver individually.


API is the acronym for Application Programming Interface, which is a software intermediary that allows two applications to talk to each other. Each time you use an app like Facebook, send an instant message, or check the weather on your phone, you’re using an API.

What Is an Example of an API?

When you use an application on your mobile phone, the application connects to the Internet and sends data to a server. The server then retrieves that data, interprets it, performs the necessary actions and sends it back to your phone. The application then interprets that data and presents you with the information you wanted in a readable way. This is what an API is – all of this happens via API.

To explain this better, let us take a familiar example.

Imagine you’re sitting at a table in a restaurant with a menu of choices to order from. The kitchen is the part of the “system” that will prepare your order. What is missing is the critical link to communicate your order to the kitchen and deliver your food back to your table. That’s where the waiter or API comes in. The waiter is the messenger – or API – that takes your request or order and tells the kitchen – the system – what to do. Then the waiter delivers the response back to you; in this case, it is the food.

Here is a real-life API example. You may be familiar with the process of searching flights online. Just like the restaurant, you have a variety of options to choose from, including different cities, departure and return dates, and more. Let us imagine that you’re booking you are flight on an airline website. You choose a departure city and date, a return city and date, cabin class, as well as other variables. In order to book your flight, you interact with the airline’s website to access their database and see if any seats are available on those dates and what the costs might be.

However, what if you are not using the airline’s website––a channel that has direct access to the information? What if you are using an online travel service, such as Kayak or Expedia, which aggregates information from a number of airline databases?

The travel service, in this case, interacts with the airline’s API. The API is the interface that, like your helpful waiter, can be asked by that online travel service to get information from the airline’s database to book seats, baggage options, etc. The API then takes the airline’s response to your request and delivers it right back to the online travel service, which then shows you the most updated, relevant information.

What an API Also Provides Is a Layer of Security

Your phone’s data is never fully exposed to the server, and likewise the server is never fully exposed to your phone. Instead, each communicates with small packets of data, sharing only that which is necessary—like ordering takeout. You tell the restaurant what you would like to eat, they tell you what they need in return and then, in the end, you get your meal.

APIs have become so valuable that they comprise a large part of many business’ revenue. Major companies like Google, eBay, Salesforce.com, Amazon, and Expedia are just a few of the companies that make money from their APIs. What the “API economy” refers to is this marketplace of APIs.

The Modern API

Over the years, what an “API” is has often described any sort of generic connectivity interface to an application. More recently, however, the modern API has taken on some characteristics that make them extraordinarily valuable and useful:

  • Modern APIs adhere to standards (typically HTTP and REST), that are developer-friendly, easily accessible and understood broadly
  • They are treated more like products than code. They are designed for consumption for specific audiences (e.g., mobile developers), they are documented, and they are versioned in a way that users can have certain expectations of its maintenance and lifecycle.
  • Because they are much more standardized, they have a much stronger discipline for security and governance, as well as monitored and managed for performance and scale
  • As any other piece of productized software, the modern API has its own software development lifecycle (SDLC) of designing, testing, building, managing, and versioning.  Also, modern APIs are well documented for consumption and versioning.

APIs and DevOps

Great alone, better together

Every enterprise recognizes the need to change the way they work to deal with today’s hypercompetitive business environment. That’s why DevOps has become so important to enterprise IT; a DevOps model increases reliability and minimizes disruption, with the added side benefit of increasing speed.

But that isn’t enough. DevOps must be balanced with a focus on asset consumption and reuse to make sure the organization is extracting maximum value out of all the newly built assets. And that’s where an API strategy comes in.

Read this whitepaper to discover:

  • The right way to create a DevOps model in your organization
  • How to use an API strategy called API-led connectivity to complement and enhance a DevOps model
  • How Anypoint Platform can help your organization get the most out of adopting DevOps

تثبيت وتجربة برنامج Whatsapp الجديد لنظام ويندوز الآن!

مع إن الهواتف الذكية اليوم تعتبر هي الطريقة الأساسية للتواصل وبالأخص بالنسبة لتطبيقات المحادثة، فالكثير من المستخدمين لا زالوا يفضلون استخدام النسخ المصممة للكمبيوتر من خدمات المحادثة الشهيرة متى توفرت. وباعتبار خدمة واتساب أصبحت متاحة للاستخدام على الكمبيوتر، فبالتأكيد يعتمد عدد كبير من الناس على موقع واتساب ويب أو برنامج واتساب دسكتوب.

بالنسبة لهذا الأخير، فالبرنامج متوفر لأجهزة ويندوز وماك منذُ فترة طويلة ولكنه مبني على منصة الكترون – Electron مما جعله ثقيل بعض الشيء على أجهزة الكمبيوتر محدودة الإمكانيات. لذلك قررت شركة ميتا (فيسبوك سابقًا) طرح برنامج جديد كليًا في محاولة لتحسين تجربة استخدام واتساب على نظام ويندوز، وتحديدًا إصدار ويندوز 10 و 11. التطبيق مازال في مرحلة تجريبية حاليًا ولكن يمكنك تحميله واختباره الآن.

البرنامج الجديد يُسمى WhatsApp (فقط) وتم تصميمه من الصفر بحيث يلائم البيئة الخاصة بنظام ويندوز، أي من ناحية التصميم فهو يختلف عن WhatsApp Desktop والذي يعُد نسخة متطابقة لخدمة WhatsApp Web. أما البرنامج الجديد فهو يستفيد من نهج التصميم المتبع في ويندوز 11 حيث الحواف الدائرية والخلفية الشفافة وغيرها. اما من الناحية الوظيفية، البرنامج يوفر كل المزايا الأساسية كإجراء محادثات الفيديو والصوت والقدرة على مشاركة الملفات مع مستخدمين آخرين، كما للبرنامج ميزة هامة جدًا وهي دعم الأجهزة المتعددة، بحيث يمكن استخدام واتساب على الكمبيوتر دون الحاجة إلى أن يكون الهاتف (المرتبط بالحساب) متصلًا بالإنترنت، وذلك على غرار البرامج الأخرى مثل Telegram Desktop.

صحيح البرنامج مازال تحت التطوير حتى لحظة تحرير هذه السطور، ولكن يستطيع أي شخص يستخدم أحدث إصدارات ويندوز 10 أو 11 على حاسوبه أن يجربه الآن دون أي مشكلة، فيمكنك البدء بتنزيله من متجر Microsoft Store. لكن باعتباره تجريبي فلن تعثر عليه بسهولة إذا بحثت عنه في المتجر بنفسك، بل عليك الانتقال إلى الرابط التالي ليتم توجيهك إلى صفحة البرنامج على المتجر مباشرًة وبعدها اضغط على زر “Get” لتنزيل وتثبيت البرنامج على جهازك. وللعلم، التطبيق يمكن تنزيله بدون حساب مايكروسوفت.


بمجرد تشغيل التطبيق لأول مرة ستظهر شاشة الترحيب فأضغط على “Get Started” وبعدها سيطلب منك تسجيل الدخول من خلال مسح رمز QR بواسطة تطبيق واتساب على الهاتف سواء كان آيفون أو أندرويد. لكن لاحظ أنه وعلى عكس برنامج WhatsApp Desktop فهذا البرنامج يشترط تفعيل خاصية الأجهزة المتعددة Multi-Device حتى يتم الاتصال.
لذلك، قم بفتح تطبيق WhatsApp ثم انقر على زر (  ) ومن القائمة اضغط على الأجهزة المرتبطة “Linked devices” ثم اضغط على إصدار تجريبي للأجهزة المتعددة “Multi-device beta” فقم بتفعيله من خلال النقر على زر الإنضمام للإصدار التجريبي “Join beta”.

بعد الانتهاء، ارجّع لصفحة الأجهزة المرتبطة “Linked devices” واضغط على خيار ربط جهاز “Link a device” لتقوم بمسح الكود الذي يظهر على شاشة الكمبيوتر ويتم تسجيل الدخول — الخطوات مماثلة على الآيفون.

بمجرد الانتهاء من ذلك، سترى الواجهة الرئيسية للبرنامج والتي تعرض جميع المحادثات الحالية بالإضافة إلى زر “Feedback” لإرسال انطباعاتك واقتراحاتك لمطوري التطبيق لتحسين التجربة قبل طرح الإصدار النهائي. لكن في العموم يمكنك البدء في استخدام البرنامج الآن، فقط اضغط على أي محادثة ليتم عرض الرسائل السابقة، كما تستطيع بدء مكالمة فيديو او صوت فقط. وإذا ضغطت على أيقونة (📎) داخل أي محادثة ستجد أن هناك خاصية جديدة تسمى Drawing تتيح لك رسم الصور ومشاركتها. هناك إضافات كثيرة في البرنامج سنتطرق لها في الفقرات التالية ولكن دعونا نسلط الضوء اولًا على أداء البرنامج.

خلال تجربتنا المختصرة، نستطيع القول أن أهم ميزة فعلًا لبرنامج WhatsApp تتمثل في تأثيره الخفيف على موارد الكمبيوتر، حيث يتفوق بشكل ملحوظ من حيث الأداء على نسخة WhatsApp Desktop فالبرنامج يعمل بسلاسة رغم أنه يتضمن التأثيرات البصرية الأكريليك المقدمة مع ويندوز 11 لتوفير تجربة غير تقليدية لأي شخص تعود على تصميم واتساب ويب.


ويمكن بسهولة اكتشاف فرق الأداء مع مراقبة استهلاك كلا البرنامجين في أداة Task Manager فقد قمنا بتسجيل الدخول باستخدام نفس الحساب على WhatsApp Desktop المبني على منصة Electron و WhatsApp Beta المبني على منصة UWP فكما هو واضح في الصورة، يستهلك برنامج واتساب الجديد رامات أقل بكثير. هذا بالإضافة إلى ان تأثيره يكاد يكون منعدم خلال العمل في الخلفية.


كما أشرنا، البرنامج يشمل بعض الإضافات الجديدة التي لم تكن تتوفر في نسخة WhatsApp Desktop مثل القدرة على تغيير نغمة الإشعارات للمحادثات الفردية أو المجموعات، فالبرنامج يأتي مع عدة نغمات يستطيع المستخدم اختيار المناسب منها. بالإضافة إلى إمكانية منع تنزيل الصور والمستندات تلقائيًا حتى لا يشكل البرنامج عبء على سعة التخزين المحدودة في الكمبيوتر، كما يتيح لك تغيير إعدادات الخصوصية للحساب والقدرة على حذف رسائل بالجملة من محادثات معينة أو كل المحادثات.


ومن الميزات الأخرى لهذا البرنامج القدرة على تلقي الإشعارات دون الحاجة إلى إبقاءه مفتوحًا طوال الوقت. هذه إضافة ملائمة لمساعدة المستخدمين على البقاء على اطلاع بكل الرسائل الجديدة أثناء استخدام البرامج أخرى. يمكنك حتى رؤية عدد الرسائل غير المقروءة من معاينة الإشعارات. كما يمكنك ضبط البرنامج للعمل مع بدء تشغيل الكمبيوتر تلقائيًا، فقط تأكد من تفعيل خيار “Start WhatsApp at login” من إعدادات البرنامج.


بشكل عام، البرنامج قابل للاستخدام والتجربة دون أي مشاكل. ومع ذلك، حاليًا، لا يزال يفتقر للعديد من الميزات المتاحة في نسخة WhatsApp Desktop مما يجعله يعاني في بعض النواحي. مثلًا لا يمكنك مشاهدة الحالات، أو استخدام الملصقات، أو إرسال رسائل صوتية أو تفعيل الوضع المظلم. لكن بطبيعة الحال سيتم نقل جميع الميزات إلى البرنامج في التحديثات القادمة قبل الطرح النهائي مع إضافة خواص أخرى جديدة تمامًا. لا نعرف حتى الآن متى سيصل البرنامج للمرحلة المستقرة، ولكن بمجرد إطلاقه رسميًا ستظل طريقة تحميله واستخدامه كما هي.