spring-boot-security

Configure Spring Security 6+ with Lambda DSL, JWT, and hardening rules. Use when configuring Spring Security 6+, OAuth2, JWT, or security hardening in Spring Boot. (triggers: **/*SecurityConfig.java, **/*Filter.java, security-filter-chain, lambda-dsl, csrf, cors)


Spring Boot Security Standards

Priority: P0 (CRITICAL)

Configure SecurityFilterChain

  • Lambda DSL: ALWAYS use Lambda DSL.
  • SecurityFilterChain: Expose as @Bean. Do not extend WebSecurityConfigurerAdapter.
  • Statelessness: Enforce SessionCreationPolicy.STATELESS for REST APIs.

See implementation examples for SecurityFilterChain configuration with Lambda DSL and JWT.

Implement Authentication and Authorization

  • Authentication: Validation of credentials (Who are you?). Use AuthenticationManager or JwtDecoder.
  • Authorization: Verification of access rights (Can you do this?). Use @PreAuthorize.
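The following configuration is an added example for the two sections above (Configure SecurityFilterChain, and Implement Authentication and Authorization); it is not code from the skill or from the agent-skills-standard repository. The package name, the request paths, the SCOPE_admin and SCOPE_orders:write authorities and the OrderService class are assumed for illustration; the rest is the public Spring Security 6 API.

```java
// Added example, not part of the skill. Package, paths, scopes and the
// OrderService class are illustrative choices.
package com.example.security;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // enables @PreAuthorize for the authorization layer
public class SecurityConfig {

    // SecurityFilterChain exposed as a bean: no WebSecurityConfigurerAdapter, no .and() chaining.
    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // REST API: never create an HTTP session; each request carries its own bearer token.
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Stateless bearer-token API with no session cookie: CSRF protection adds nothing here.
            .csrf(csrf -> csrf.disable())
            // Uses the CorsConfigurationSource bean if the application defines one.
            .cors(Customizer.withDefaults())
            // requestMatchers, not antMatchers. Specific rules first, deny-by-default last.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**", "/actuator/health").permitAll()
                .requestMatchers(HttpMethod.POST, "/auth/refresh").permitAll()
                .requestMatchers("/admin/**").hasAuthority("SCOPE_admin")
                .anyRequest().authenticated())
            // Authentication: validate the bearer JWT with the application's JwtDecoder bean.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            // Hardening headers from the checklist: HSTS, X-Content-Type-Options, X-Frame-Options.
            .headers(headers -> headers
                .httpStrictTransportSecurity(hsts -> hsts.includeSubDomains(true).maxAgeInSeconds(31_536_000))
                .contentTypeOptions(Customizer.withDefaults())
                .frameOptions(frame -> frame.deny()));
        return http.build();
    }
}

// --- OrderService.java (separate file in the same application) ---
@Service
class OrderService {

    // Constructed in-memory store standing in for a repository.
    private final Map<String, List<String>> orderIdsByCustomer = new ConcurrentHashMap<>();

    // Authorization: the default JwtAuthenticationConverter maps the token's
    // "scope"/"scp" claim to SCOPE_* authorities, so this requires scope orders:write.
    @PreAuthorize("hasAuthority('SCOPE_orders:write')")
    public void cancel(String orderId) {
        orderIdsByCustomer.values().forEach(ids -> ids.remove(orderId));
    }

    // Object-level check: a caller may only list their own orders.
    // authentication.name is the JWT "sub" claim for a JwtAuthenticationToken.
    @PreAuthorize("#customerId == authentication.name")
    public List<String> orderIdsFor(String customerId) {
        return List.copyOf(orderIdsByCustomer.getOrDefault(customerId, new ArrayList<>()));
    }
}
```

The filter chain answers "who are you?" once per request by decoding the bearer token; the @PreAuthorize expressions answer "can you do this?" per method, and the second one shows an object-level rule that a URL pattern alone cannot express.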

Secure JWT Tokens

  • Algorithm: Enforce RS256 or HS256. Reject the none algorithm (unsigned tokens).
  • Claims: Validate iss, aud, and exp.
  • Tokens: Short-lived access tokens (15m), secure refresh tokens (httpOnly cookie).
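An added example (not from the skill or its repository) of a JwtDecoder bean that applies the three rules above: only RS256 signatures verified against the issuer's JWK set are accepted, so a token with alg=none or any other algorithm fails before its claims are read; iss, aud and exp are validated; and the refresh token is carried in an HttpOnly, Secure cookie. The app.security.* property names, the cookie name and the /auth/refresh path are assumptions. Issuing the 15-minute access token is the authorization server's job and is not shown.

```java
// Added example, not part of the skill. The app.security.* properties, the
// cookie name and the refresh path are illustrative choices.
package com.example.security;

import java.time.Duration;
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.ResponseCookie;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class JwtConfig {

    @Bean
    JwtDecoder jwtDecoder(
            // Issuer details come from the environment or Vault, never from source control.
            @Value("${app.security.jwk-set-uri}") String jwkSetUri,
            @Value("${app.security.issuer}") String issuer,
            @Value("${app.security.audience}") String audience) {

        // Algorithm: pin RS256. A token whose header claims alg=none, or any algorithm
        // other than RS256, is rejected by the key selector before any claim is checked.
        // Shared-secret deployments would instead use
        //   NimbusJwtDecoder.withSecretKey(key).macAlgorithm(MacAlgorithm.HS256).build()
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
                .jwsAlgorithm(SignatureAlgorithm.RS256)
                .build();

        // Claims: createDefaultWithIssuer validates exp/nbf (with clock skew) and iss.
        // aud is not part of the default set, so it is added explicitly.
        OAuth2TokenValidator<Jwt> issuerAndTimestamps = JwtValidators.createDefaultWithIssuer(issuer);
        OAuth2TokenValidator<Jwt> audienceValidator = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(audience));
        decoder.setJwtValidator(
                new DelegatingOAuth2TokenValidator<>(issuerAndTimestamps, audienceValidator));
        return decoder;
    }

    // Tokens: the refresh token is unreadable from JavaScript (HttpOnly), sent only over
    // TLS (Secure), withheld from cross-site requests (SameSite=Strict) and scoped to the
    // refresh endpoint so it is not attached to every API call.
    public static ResponseCookie refreshTokenCookie(String refreshToken, Duration ttl) {
        return ResponseCookie.from("refresh_token", refreshToken)
                .httpOnly(true)
                .secure(true)
                .sameSite("Strict")
                .path("/auth/refresh")
                .maxAge(ttl)
                .build();
    }
}
```

A refresh endpoint would write the cookie with response.addHeader(HttpHeaders.SET_COOKIE, JwtConfig.refreshTokenCookie(token, Duration.ofDays(7)).toString()); the short-lived access token itself goes in the response body and is sent back as a bearer header, never in a cookie.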

Hardening Checklist

  • CSRF: Disabled for pure (stateless, token-based) APIs? Enabled with a cookie-based CSRF token for browser apps?
  • CORS: Only specific origins permitted? No wildcard (*) origin combined with credentials?
  • Headers: HSTS, Content-Type-Options, X-Frame-Options enabled?
  • Secrets: No hardcoded keys? Loaded from Vault or environment variables?
  • Rate Limiting: Applied on login/expensive endpoints?
  • Dependencies: Scanned for CVEs?
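An added example (not from the skill or its repository) covering the CORS and Secrets items of the checklist: the allowed origins are read from configuration rather than hardcoded, listed explicitly, and only then combined with credentials; the weak wildcard form is shown in a comment. The app.cors.allowed-origins property and the /api/** path are assumptions.

```java
// Added example, not part of the skill. The app.cors.allowed-origins property
// and the /api/** path are illustrative choices.
package com.example.security;

import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class CorsConfig {

    @Bean
    CorsConfigurationSource corsConfigurationSource(
            // Comma-separated list from the environment, e.g.
            // APP_CORS_ALLOWED_ORIGINS=https://app.example.com,https://admin.example.com
            @Value("${app.cors.allowed-origins}") List<String> allowedOrigins) {

        CorsConfiguration config = new CorsConfiguration();

        // Weak setting, do not use:
        //   config.addAllowedOrigin("*"); config.setAllowCredentials(true);
        // Spring rejects that pair with an IllegalArgumentException (Framework 5.3+); if it
        // were honoured, any site could read authenticated responses from this API.
        config.setAllowedOrigins(allowedOrigins);          // explicit origins only
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        config.setAllowCredentials(true);                  // cookies / Authorization header
        config.setMaxAge(3600L);                           // cache preflight responses for an hour

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", config);
        return source;
    }
}
```

A SecurityFilterChain that calls .cors(Customizer.withDefaults()) picks this bean up automatically; keeping the origin list in configuration means the same build runs in staging and production with different origins and no secret or environment-specific value in git.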

Anti-Patterns

  • No Adapter: Use SecurityFilterChain bean instead of extending legacy classes.
  • No .and(): Use Lambda DSL for configuration.
  • No Secrets: Load from Vault or environment variables (never committed to git).
  • No antMatchers: Use requestMatchers (Spring Security 6+).


Stats: installs/wk 0; GitHub stars 452; first seen Mar 17, 2026

Repo: HoangNguyen0403/agent-skills-standard by HoangNguyen0403