> spring-boot-security
Spring Security 6+ standards, Lambda DSL, and Hardening. Use when configuring Spring Security 6+, OAuth2, JWT, or security hardening in Spring Boot. (triggers: **/*SecurityConfig.java, **/*Filter.java, security-filter-chain, lambda-dsl, csrf, cors)
curl "https://skillshub.wtf/HoangNguyen0403/agent-skills-standard/spring-boot-security?format=md"
Spring Boot Security Standards
Priority: P0 (CRITICAL)
Implementation Guidelines
Configuration (Spring Security 6+)
- Lambda DSL: ALWAYS use Lambda DSL.
- SecurityFilterChain: Expose it as a `@Bean`. Do not extend `WebSecurityConfigurerAdapter`.
- Statelessness: Enforce `SessionCreationPolicy.STATELESS` for REST APIs.
Golden Snippet
See Security Configuration for full SecurityFilterChain example.
Authentication vs Authorization
- Authentication: Validation of credentials (Who are you?). Use `AuthenticationManager` or `JwtDecoder`.
- Authorization: Verification of access rights (Can you do this?). Use `@PreAuthorize`.
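The following is an added example, not the skill's own "Security Configuration" snippet: a Spring Security 6 `SecurityFilterChain` written with the Lambda DSL that applies the rules from the Configuration section (bean, no adapter, stateless) and shows the authentication/authorization split from the section above (bearer-token authentication via the resource-server `JwtDecoder`, URL rules via `requestMatchers`, and method-level `@PreAuthorize`). Assumptions: a `JwtDecoder` bean or the `spring.security.oauth2.resourceserver.jwt.jwk-set-uri` property is configured elsewhere; the origin `https://app.example.com`, the paths under `/api/` and the `orders:write` scope are placeholders.

```java
// Added example (not code from the skill page). Assumes a JwtDecoder bean or the
// spring.security.oauth2.resourceserver.jwt.jwk-set-uri property exists; origin, paths
// and scope names are placeholders.
package com.example.security;

import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // turns on @PreAuthorize evaluation for Spring beans
public class SecurityConfig {

    // Exposed as a bean: no WebSecurityConfigurerAdapter, no .and() chaining.
    @Bean
    SecurityFilterChain apiSecurity(HttpSecurity http) throws Exception {
        http
            // Pure REST API authenticated by bearer tokens: there is no session cookie to protect,
            // so CSRF is disabled. A browser app that logs in with a session cookie would instead use
            // csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()).
            .csrf(csrf -> csrf.disable())
            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
            // Never create an HTTP session; every request must carry its own token.
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Hardening headers from the checklist: HSTS, X-Frame-Options, X-Content-Type-Options.
            .headers(headers -> headers
                .httpStrictTransportSecurity(hsts -> hsts
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000))
                .frameOptions(frame -> frame.deny())
                .contentTypeOptions(Customizer.withDefaults()))
            // Authorization: requestMatchers (antMatchers is gone in 6+); anyRequest() gives default deny.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/public/**", "/actuator/health").permitAll()
                // The default JwtAuthenticationConverter maps scope claims to SCOPE_* authorities.
                .requestMatchers(HttpMethod.POST, "/api/orders/**").hasAuthority("SCOPE_orders:write")
                .anyRequest().authenticated())
            // Authentication: the resource-server JwtDecoder validates the bearer token ("who are you?").
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        // Explicit origins only: "*" together with allowCredentials(true) is rejected by Spring.
        config.setAllowedOrigins(List.of("https://app.example.com"));
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        config.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", config);
        return source;
    }
}

// Method-level authorization ("can you do this?") complementing the URL rules above.
@Service
class OrderService {

    // The caller needs the write scope AND may only cancel orders on its own account:
    // authentication.name is the JWT subject for JwtAuthenticationToken.
    @PreAuthorize("hasAuthority('SCOPE_orders:write') and #ownerId == authentication.name")
    public void cancelOrder(String ownerId, String orderId) {
        // business logic omitted
    }
}
```

The URL rules guard the transport edge and the `@PreAuthorize` expression guards the business operation, so a future controller that forgets a `requestMatchers` rule still cannot reach `cancelOrder` without the right scope and subject.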
JWT Best Practices
- Algorithm: Enforce `RS256` or `HS256`. Reject the `none` algorithm.
- Claims: Validate `iss`, `aud`, and `exp`.
- Tokens: Short-lived access tokens (15m), secure refresh tokens (httpOnly cookie).
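An added example (not from the skill page) of the three JWT practices above on the Spring side: a `JwtDecoder` pinned to `RS256` that validates `iss`, `aud` and `exp`, and an issuance helper that mints 15-minute access tokens and wraps the refresh token in an httpOnly cookie. The `app.security.*` property names, the cookie name and the `/auth/refresh` path are assumptions; the `JwtEncoder` is assumed to be a configured bean (for example a `NimbusJwtEncoder` holding the signing key).

```java
// Added example, not code from the skill page. Property names app.security.*, the cookie name
// and the refresh path are assumptions; a JwtEncoder bean is assumed to exist.
package com.example.security;

import java.time.Duration;
import java.time.Instant;
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.ResponseCookie;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.JwtEncoderParameters;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class JwtConfig {

    @Bean
    JwtDecoder jwtDecoder(@Value("${app.security.jwk-set-uri}") String jwkSetUri,
                          @Value("${app.security.issuer}") String issuer,
                          @Value("${app.security.audience}") String audience) {
        // Algorithm: only RS256 signatures are accepted. NimbusJwtDecoder rejects unsigned tokens
        // (alg=none) outright, and tokens signed with any other algorithm fail verification
        // no matter what their header claims.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
                .jwsAlgorithm(SignatureAlgorithm.RS256)
                .build();

        // Claims: createDefaultWithIssuer bundles the timestamp validator (exp, nbf) with an
        // issuer validator (iss); the audience check is added explicitly.
        OAuth2TokenValidator<Jwt> issuerAndExpiry = JwtValidators.createDefaultWithIssuer(issuer);
        // aud is decoded as a list; the token must name this API, not just any audience.
        OAuth2TokenValidator<Jwt> audienceMatches = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(audience));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerAndExpiry, audienceMatches));
        return decoder;
    }
}

// Tokens: issuance side. Short-lived access token, longer-lived refresh token kept out of script reach.
class TokenIssuer {
    static final Duration ACCESS_TOKEN_TTL = Duration.ofMinutes(15);
    static final Duration REFRESH_TOKEN_TTL = Duration.ofDays(7);

    private final JwtEncoder encoder; // assumed bean, e.g. NimbusJwtEncoder with the RSA private key
    private final String issuer;
    private final String audience;

    TokenIssuer(JwtEncoder encoder, String issuer, String audience) {
        this.encoder = encoder;
        this.issuer = issuer;
        this.audience = audience;
    }

    // Mints an access token whose iss/aud match what the decoder above demands and that expires in 15m.
    String accessToken(String subject, List<String> scopes, Instant now) {
        JwtClaimsSet claims = JwtClaimsSet.builder()
                .issuer(issuer)
                .subject(subject)
                .audience(List.of(audience))
                .issuedAt(now)
                .expiresAt(now.plus(ACCESS_TOKEN_TTL))
                // The default JwtGrantedAuthoritiesConverter reads a space-delimited "scope" claim.
                .claim("scope", String.join(" ", scopes))
                .build();
        return encoder.encode(JwtEncoderParameters.from(claims)).getTokenValue();
    }

    // The refresh token is an opaque value stored server-side; the cookie attributes keep it
    // invisible to JavaScript, HTTPS-only, and scoped to the refresh endpoint.
    static ResponseCookie refreshTokenCookie(String opaqueRefreshToken) {
        return ResponseCookie.from("refresh_token", opaqueRefreshToken)
                .httpOnly(true)
                .secure(true)
                .sameSite("Strict")
                .path("/auth/refresh")
                .maxAge(REFRESH_TOKEN_TTL)
                .build();
    }
}
```

Restricting the decoder to one algorithm is what turns "reject `none`" from a runtime check into a property of the configuration: the decoder has no code path that accepts an unsigned token, so an attacker-controlled `alg` header has nothing to exploit.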
Hardening Checklist
- CSRF: Disabled for pure APIs? Enabled + Cookie for Browser Apps?
- CORS: Specific origins permitted? No `*` with credentials?
- Headers: HSTS, Content-Type-Options, X-Frame-Options enabled?
- Secrets: No hardcoded keys? Loaded from Vault/Env?
- Rate Limiting: Applied on login/expensive endpoints?
- Dependencies: Scanned for CVEs?
Anti-Patterns
- No Adapter: Use a `SecurityFilterChain` bean instead of extending legacy classes.
- No `.and()`: Use Lambda DSL for configuration.
- No Secrets: Load from Vault or Environment variables (never git).
- No antMatchers: Use `requestMatchers` (Spring Security 6+).
References
Related Topics
common/security-standards | architecture