
springboot-security

Spring Security best practices for Spring Boot: Auth, validation, CSRF protection, secret management, rate limiting, and dependency security.

Introduction

The springboot-security skill provides a standardized security framework for Java Spring Boot applications. It is designed for developers, security engineers, and AI agents tasked with implementing robust protection mechanisms during service development, code reviews, or infrastructure hardening. This skill encapsulates industry-standard security configurations, ensuring applications are resilient against common vulnerabilities like SQL injection, XSS, and CSRF while maintaining compliance with modern authentication standards.

  • Authentication and authorization using Spring Security, JWT, OAuth2, and session management, with secure cookie attributes such as HttpOnly and SameSite.

  • Bean Validation and DTO constraint enforcement to prevent injection attacks and ensure data integrity at the controller level.

  • CSRF protection strategies tailored for both browser-session applications and stateless RESTful APIs.

  • Secret management guidelines utilizing environment variables, placeholders, and integration with tools like Spring Cloud Vault.

  • Security header configuration including Content Security Policy (CSP), frame options, and referrer policies.

  • Rate limiting techniques using Bucket4j to prevent brute-force attacks and service abuse.

  • SQL injection prevention via Spring Data JPA repositories and parameterized native queries, plus secure password encoding with BCrypt or Argon2.

  • Dependency security scanning for common CVE vulnerabilities to maintain a clean supply chain.

  • The skill should be activated whenever creating new authentication modules, defining API endpoints, or handling user-provided input.

  • Users should expect clear patterns for @PreAuthorize method security and OncePerRequestFilter implementation for JWT processing.

  • It serves as a guide for preventing hardcoded credentials in application.yml and enforces the use of production-ready CorsConfigurationSource settings.

  • Practical constraints include the requirement for proper bean configuration in Spring contexts and the necessity of testing security filters within the broader application lifecycle.

Repository Stats

Stars: 500
Forks: 98
Open Issues: 1
Language: JavaScript
Default Branch: main
Last Synced: May 3, 2026, 06:01 AM