Try Cloud Hosting with DigitalOcean and get $200 credit.

Spring Security Best Practices

Securing Spring Boot applications is crucial to prevent data breaches, unauthorized access, and other security threats. While Spring Security provides robust defaults, following best practices ensures your application remains safe, scalable, and maintainable.

CSRF Protection

Cross-Site Request Forgery (CSRF) is an attack where a malicious site tricks a logged-in user into performing unwanted actions on your application.

Example:

A user is logged into a banking site. A malicious website sends a hidden request to transfer money using the user’s session. If CSRF protection isn’t enabled, the request succeeds without the user knowing.

Best Practices:

Enable CSRF for traditional web applications with forms and sessions.
Disable CSRF for stateless REST APIs using JWT or OAuth2 tokens.

Spring Security Implementation

Disable CSRF (commonly for REST APIs):

http
    .csrf().disable();

Enable CSRF (default for web apps):

http
    .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

Spring Security automatically adds CSRF tokens to forms and validates them during POST, PUT, DELETE requests.

Why it matters:

Prevents unauthorized state-changing requests
Protects sensitive operations like payments, profile updates, deletions
Ensures only valid requests from your application are processed

Always enable CSRF for web forms; disable only when building stateless APIs secured by tokens

CORS Configuration

Cross-Origin Resource Sharing (CORS) is a security feature in browsers that controls which domains can access your APIs. Without proper configuration, browsers block requests coming from untrusted origins.

Best Practices:

Only allow trusted domains — avoid "*" in production
Use Spring Boot’s CorsConfiguration or @CrossOrigin for fine-grained control
Restrict allowed HTTP methods (GET, POST, PUT, DELETE)
Enable credentials only if necessary

Example – Global CORS Configuration in Spring Boot

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
publicclassCorsConfig {

@Bean
public WebMvcConfigurercorsConfigurer() {
returnnewWebMvcConfigurer() {
@Override
publicvoidaddCorsMappings(CorsRegistry registry) {
                registry.addMapping("/api/**")
                        .allowedOrigins("<https://trusteddomain.com>")
                        .allowedMethods("GET","POST","PUT","DELETE")
                        .allowCredentials(true);
            }
        };
    }
}

Alternative – Using @CrossOrigin on Controller

import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@CrossOrigin(origins = "<https://trusteddomain.com>",
             allowedHeaders = "*",
             allowCredentials = "true")
publicclassApiController {

@GetMapping("/api/data")
public StringgetData() {
return"Protected API Data";
    }
}

Why it matters:

Prevents malicious websites from accessing your API
Protects sensitive data from unauthorized cross-origin requests
Ensures your API is accessible only to trusted clients

Brute Force Protection

A brute force attack is when attackers repeatedly try to guess user credentials, usually passwords, by submitting multiple login attempts.

Best Practices:

Limit login attempts per user or IP
Temporary lockouts after repeated failures
Exponential backoff to slow down attackers
Use CAPTCHA after multiple failed attempts
Alert or log suspicious activity for security monitoring

Example – Simplified Login Attempt Check

public void login(String username, String password) {
    if (loginAttemptsService.getAttempts(username) > MAX_ATTEMPTS) {
        throw new AccountLockedException("Too many failed login attempts. Try again later.");
    }

    boolean success = authenticationService.authenticate(username, password);
    if (!success) {
        loginAttemptsService.incrementAttempts(username);
    } else {
        loginAttemptsService.resetAttempts(username);
    }
}

Why it matters:

Prevents unauthorized access to user accounts
Reduces the risk of credential stuffing attacks
Protects sensitive data and application integrity
Alerts you to suspicious activity

Security Headers

Security headers protect users from common web attacks, including:

Cross-Site Scripting (XSS)
Clickjacking
Insecure connections (HTTP instead of HTTPS)

They are a first line of defense in your web application security.

Recommended Headers in Spring Security:

import org.springframework.security.config.annotation.web.builders.HttpSecurity;

http
    .headers()
        // Enable XSS protection
        .xssProtection()
        
        // Content Security Policy: restrict scripts to same origin
        .contentSecurityPolicy("script-src 'self'")
        
        // Prevent embedding in iframes (clickjacking protection)
        .frameOptions().deny()
        
        // Enforce HTTPS (HSTS)
        .httpStrictTransportSecurity()
        .includeSubDomains(true)
        .maxAgeInSeconds(31536000);

Key Headers:

X-Content-Type-Options: nosniff → Prevents MIME-type sniffing by browsers
X-XSS-Protection: 1; mode=block → Enables browser XSS filtering
Content-Security-Policy → Controls which resources can be loaded/executed
Strict-Transport-Security (HSTS) → Forces HTTPS and protects against protocol downgrade attacks

Best Practice:

Always serve security headers over HTTPS
Use CSP (Content Security Policy) to whitelist trusted resources
Combine with other protections like CORS, CSRF, and method-level security
Regularly review and update headers as new threats emerge

Secure REST APIs

REST APIs are often publicly accessible, making them attractive targets for attackers. Secure REST APIs ensure that only authorized users or services can access sensitive endpoints and data.

Best Practices:

Stateless Auth: Use JWT or OAuth2/OIDC; avoid server-side sessions
Token Validation: Check every request; ensure token integrity and expiry
Authorization: Use @PreAuthorize for role- or scope-based access
Data Protection: Don’t expose secrets, passwords, or sensitive IDs
Rate Limiting & Logging: Prevent brute force/DDoS; log suspicious activity
CORS & Headers: Allow trusted domains; apply CSP, HSTS, and XSS protection

Example – JWT Authorization Filter:

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;
import java.io.IOException;

public class JwtAuthorizationFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String token = extractToken(request);

        if (token != null && validateToken(token)) {
            Authentication auth = getAuthentication(token);
            SecurityContextHolder.getContext().setAuthentication(auth);
        }

        chain.doFilter(request, response);
    }

    private String extractToken(HttpServletRequest request) {
        // Extract token from Authorization header
        String header = request.getHeader("Authorization");
        return (header != null && header.startsWith("Bearer ")) 
                ? header.substring(7) : null;
    }

    private boolean validateToken(String token) {
        // Token validation logic (signature, expiry)
        return true;
    }

    private Authentication getAuthentication(String token) {
        // Return Authentication object based on token claims
        return null;
    }
}

Summary Table

Area	Best Practice
CSRF	Enable for stateful apps; disable for stateless APIs
CORS	Restrict access to trusted domains only
Brute Force	Limit login attempts, apply lockouts, use exponential backoff
Security Headers	Enable XSS protection, HSTS, CSP, and Frame Options
REST APIs	Use JWT/OAuth2, validate tokens on every request, enforce method-level security, apply rate limiting

Conclusion

Following these Spring Security Best Practices ensures your applications are resilient, secure, and production-ready:

CSRF protection safeguards web forms.
CORS configuration restricts API access to trusted origins.
Brute force protection prevents unauthorized logins.
Security headers protect users from common attacks.
Secured REST APIs with JWT/OAuth2 ensure stateless and robust access control.

Applying these practices alongside Spring Security’s defaults provides comprehensive, layered defense against web and API threats.

Spring Boot Handbook

Spring Boot Handbook

Security Best Practices in Spring Boot

Spring Security Best Practices

CSRF Protection

Spring Security Implementation

CORS Configuration

Brute Force Protection

Security Headers

Secure REST APIs

Summary Table

Conclusion

Security Best Practices in Spring Boot

Spring Security Best Practices

CSRF Protection

Spring Security Implementation

CORS Configuration

Brute Force Protection

Security Headers

Secure REST APIs

Summary Table

Conclusion