springboot-security

Use when adding auth, handling input, creating endpoints, or dealing with secrets. Remember : Deny by default, validate inputs, least privilege, and secure-by-configuration first. - Adding authentication (JWT, OAuth2, session-based) - Implementing authorization (@PreAuthorize, role-based access) - Validating user input (Bean Validation, custom validators) - Configuring CORS, CSRF, or security headers - Managing secrets (Vault, environment variables) - Adding rate limiting or brute-force protection - Scanning dependencies for CVEs - Prefer stateless JWT or opaque tokens with revocation list - Use httpOnly , Secure , SameSite=Strict cookies for sessions - Validate tokens with OncePerRequestFilter or resource server - Enable method security: @EnableMethodSecurity - Use @PreAuthorize("hasRole('ADMIN')") or @PreAuthorize("@authz.canEdit(#id)") - Deny by default; expose only required scopes - Use Bean Validation with @Valid on controllers - Apply constraints on DTOs: @NotBlank , @Email , @Size , custom validators - Sanitize any HTML with a whitelist before rendering - Use Spring Data repositories or parameterized queries - For native queries, use :param bindings; never concatenate strings - Always hash passwords with BCrypt or Argon2 — never store plaintext - Use PasswordEncoder bean, not manual hashing - For browser session apps, keep CSRF enabled; include token in forms/headers -...