
Springboot Security
Apply Spring Security checklists when adding auth, endpoints, validation, headers, secrets, rate limiting, or dependency CVE review in Spring Boot APIs.
Overview
springboot-security is an agent skill most often used in Ship (also Build) that applies Spring Security best practices for authentication, authorization, validation, headers, secrets, rate limiting, and dependency securi
Install
npx skills add https://github.com/affaan-m/everything-claude-code --skill springboot-security
What is this skill?
- Covers JWT, OAuth2, and session auth with httpOnly Secure SameSite cookie guidance
- Bean Validation and custom validators for user input on new endpoints
- CORS, CSRF, and security headers configuration reminders
- Secrets via Vault or environment variables; rate limiting and brute-force protection
- Dependency CVE scanning trigger when adding or upgrading libraries
- 7 activation triggers: auth, authorization, validation, CORS/CSRF/headers, secrets, rate limiting, dependency CVEs
Adoption & trust: 5.8k installs on skills.sh; 210k GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are shipping a Spring Boot API but unsure whether JWT filters, CSRF settings, cookie flags, and secret storage meet baseline production security.
Who is it for?
Indie backend developers building Java Spring Boot REST or B2B APIs who want agent-guided security review at feature time and before deploy.
Skip if: Non-JVM stacks, greenfield projects with no HTTP API yet, or enterprises needing formal compliance attestations without human review.
When should I use this skill?
Adding authentication, implementing authorization, validating user input, configuring CORS/CSRF/headers, managing secrets, adding rate limiting, or scanning dependencies for CVEs in Spring Boot.
What do I get? / Deliverables
You implement or review Spring Security configuration with explicit patterns for auth filters, validation, headers, secrets, and dependency risk before launch.
- Security-oriented code/config recommendations
- Review notes for auth, validation, and headers
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Ship → security is the canonical shelf for hardening and review guidance before production exposure. Security subphase fits authn/authz, CSRF/CORS, secret handling, and dependency scanning patterns described in the skill.
Where it fits
While adding a new authenticated REST controller, apply Bean Validation and @PreAuthorize patterns before merging.
Pre-launch pass on CORS, CSRF, security headers, and JWT validation for a public API.
Audit environment variable vs Vault usage before rotating production credentials.
After a dependency upgrade, run the skill’s CVE scanning reminder before redeploying Spring Boot services.
How it compares
Focused Spring Boot security playbook—not a generic MCP secrets server or a full SAST platform.
Common Questions / FAQ
Who is springboot-security for?
Solo and indie builders maintaining Java Spring Boot services who want structured security guidance while coding auth, endpoints, and ops-sensitive config.
When should I use springboot-security?
Use in Ship security when hardening for production, and in Build backend when adding JWT/OAuth2, authorization rules, validation, CORS/CSRF, secrets, or rate limiting.
Is springboot-security safe to install?
Treat it as advisory implementation help; review the Security Audits panel on this Prism page and validate all security changes with tests and human review.
SKILL.md - Springboot Security
# Spring Boot Security Review

Use when adding auth, handling input, creating endpoints, or dealing with secrets.

## When to Activate

- Adding authentication (JWT, OAuth2, session-based)
- Implementing authorization (@PreAuthorize, role-based access)
- Validating user input (Bean Validation, custom validators)
- Configuring CORS, CSRF, or security headers
- Managing secrets (Vault, environment variables)
- Adding rate limiting or brute-force protection
- Scanning dependencies for CVEs

## Authentication

- Prefer stateless JWT or opaque tokens with revocation list
- Use `httpOnly`, `Secure`, `SameSite=Strict` cookies for sessions
- Validate tokens with `OncePerRequestFilter` or resource server

```java
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Runs once per request; JwtService is the application's own token verifier.
@Component
public class JwtAuthFilter extends OncePerRequestFilter {
    private final JwtService jwtService;

    public JwtAuthFilter(JwtService jwtService) {
        this.jwtService = jwtService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader(HttpHeaders.AUTHORIZATION);
        if (header != null && header.startsWith("Bearer ")) {
            String token = header.substring(7);
            // jwtService.authenticate verifies signature and expiry and builds the Authentication
            Authentication auth = jwtService.authenticate(token);
            SecurityContextHolder.getContext().setAuthentication(auth);
        }
        chain.doFilter(request, response);
    }
}
```

## Authorization

- Enable method security: `@EnableMethodSecurity`
- Use `@PreAuthorize("hasRole('ADMIN')")` or `@PreAuthorize("@authz.canEdit(#id)")`
- Deny by default; expose only required scopes

```java
import java.util.List;

import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api/admin")
public class AdminController {
    private final UserService userService;

    public AdminController(UserService userService) {
        this.userService = userService;
    }

    // Role check: only ADMIN may list users
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/users")
    public List<UserDto> listUsers() {
        return userService.findAll();
    }

    // Delegates to a bean named "authz" for an ownership check on the path id
    @PreAuthorize("@authz.isOwner(#id, authentication)")
    @DeleteMapping("/users/{id}")
    public ResponseEntity<Void> deleteUser(@PathVariable Long id) {
        userService.delete(id);
        return ResponseEntity.noContent().build();
    }
}
```

## Input Validation

- Use Bean Validation with `@Valid` on controllers
- Apply constraints on DTOs: `@NotBlank`, `@Email`, `@Size`, custom validators
- Sanitize any HTML with a whitelist before rendering

```java
import jakarta.validation.Valid;
import jakarta.validation.constraints.Email;
import jakarta.validation.constraints.Max;
import jakarta.validation.constraints.Min;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.NotNull;
import jakarta.validation.constraints.Size;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;

// BAD: No validation, the raw request body reaches the service unchecked
@PostMapping("/users")
public User createUser(@RequestBody UserDto dto) {
    return userService.create(dto);
}

// GOOD: Validated DTO; constraint violations are rejected before the handler runs
public record CreateUserDto(
    @NotBlank @Size(max = 100) String name,
    @NotBlank @Email String email,
    @NotNull @Min(0) @Max(150) Integer age
) {}

@PostMapping("/users")
public ResponseEntity<UserDto> createUser(@Valid @RequestBody CreateUserDto dto) {
    return ResponseEntity.status(HttpStatus.CREATED)
        .body(userService.create(dto));
}
```

## SQL Injection Prevention

- Use Spring Data repositories or parameterized queries
- For native queries, use `:param` bindings; never concatenate strings

```java
import java.util.List;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;

public interface UserRepository extends JpaRepository<User, Long> {

    // BAD: String concatenation in native query (shown only to illustrate the anti-pattern)
    @Query(value = "SELECT * FROM users WHERE name = '" + name + "'", nativeQuery = true)

    // GOOD: Parameterized native query; the driver binds :name as a value, never as SQL
    @Query(value = "SELECT * FROM users WHERE name = :name", nativeQuery = true)
    List<User> findByName(@Param("name") String name);

    // GOOD: Spring Data derived query (auto-parameterized)
    List<User> findByEmailAndActiveTrue(String email);
}
```

## Password Encoding

- Always hash passwords with BCrypt or Argon2 — never store plaintext
- Use `PasswordEncoder` bean, not manual hashing

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder(12); // cost factor 12
}

// In service
public User register(CreateUserDto dto) {
    String hashedPassword = passwordEncoder.encode(dto.password());
    return userRe
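The skill lists CORS, CSRF and security headers as activation triggers but shows no filter-chain configuration for them. The following is an added example, not part of the skill's SKILL.md or this page: a Spring Security 6 `SecurityFilterChain` that registers the `JwtAuthFilter` from the Authentication section into a stateless, deny-by-default chain with an explicit CORS allow-list, CSRF disabled only because auth is header-based, and response headers set. The class name `ApiSecurityConfig`, the origin `https://app.example.com` and the `/api/auth/login` path are assumptions.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableMethodSecurity // turns on the @PreAuthorize checks from the Authorization section
public class ApiSecurityConfig {
    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http, JwtAuthFilter jwtAuthFilter) throws Exception {
        // jwtAuthFilter is assumed to be the @Component shown in the Authentication section
        http
            // Bearer-token API: no HTTP session is created, so there is no session cookie to ride on
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // CSRF only protects cookie-authenticated requests; keep it ENABLED if you use session cookies
            .csrf(csrf -> csrf.disable())
            .cors(withDefaults()) // picks up the CorsConfigurationSource bean below
            .headers(h -> h
                .contentSecurityPolicy(csp -> csp.policyDirectives("default-src 'none'; frame-ancestors 'none'"))
                .httpStrictTransportSecurity(hsts -> hsts.includeSubDomains(true).maxAgeInSeconds(31536000))
                .frameOptions(f -> f.deny()))
            // Deny by default: only the login endpoint is public, every other request needs a valid token
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.POST, "/api/auth/login").permitAll()
                .anyRequest().authenticated())
            .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(List.of("https://app.example.com")); // explicit allow-list, never "*"
        cfg.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        cfg.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", cfg);
        return source;
    }
}
```

With this chain in place, a request to any `/api/**` path without a valid `Authorization: Bearer` header is rejected with 401 before the controller runs, and the `@PreAuthorize` rules then decide per method.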