Top 10 Spring Boot Security Mistakes and How to Fix Them

Author:
Spring Boot makes it easy to build robust applications, but security is often overlooked or misconfigured, leading to vulnerabilities. Many developers make common mistakes that can expose applications to data leaks, unauthorized access, and security threats.

In this guide, we'll cover the Top 10 Spring Boot Security Mistakes and how to fix them with real-world examples.

1️⃣ Not Enforcing HTTPS 🚫🔓

Mistake: Allowing HTTP Requests

By default, Spring Boot does not enforce HTTPS, leaving applications vulnerable to man-in-the-middle (MITM) attacks.

@GetMapping("/secure-data")
public String getSecureData() {
    return "Sensitive Information"; // ❌ Accessible over HTTP
}

Solution: Redirect All HTTP Requests to HTTPS

Configure Spring Security to redirect HTTP requests to HTTPS.

Step 1: Enable HTTPS in application.properties

server.port=8443
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-store-password=yourpassword
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=tomcat

Step 2: Force HTTPS Redirection

@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.requiresChannel(channel -> channel
            .anyRequest().requiresSecure() // ✅ Force HTTPS
        );
        return http.build();
    }
}

Best Practice: Use Let's Encrypt to get a free SSL certificate.

2️⃣ Hardcoding Secrets in Code 🔑

Mistake: Storing API Keys in Code

private static final String API_KEY = "my-secret-key"; // ❌ Bad practice

Solution: Store Secrets Securely

Use environment variables or Spring Boot’s configuration files.

api.key=${API_KEY}

Best Practice: Use Spring Cloud Config, AWS Secrets Manager, or Vault.

3️⃣ Using Default Database Credentials 🛑

Mistake: Keeping Default Credentials

spring.datasource.username=root
spring.datasource.password=root

Issue: Attackers try default passwords first.

Solution: Use Strong, Secure Credentials

spring.datasource.username=secure_user
spring.datasource.password=strong_password_123!

Best Practice: Store credentials in environment variables or secrets vaults.

4️⃣ Exposing Actuator Endpoints Publicly 📡

Mistake: Leaving Actuator Endpoints Open

Spring Boot Actuator provides helpful endpoints (/health, /metrics, etc.), but exposing them publicly is a risk.

management.endpoints.web.exposure.include=*

Issue: Attackers can gain insights into system health, environment variables, and logs.

Solution: Restrict Access

management.endpoints.web.exposure.include=health,info
management.endpoints.web.base-path=/management
management.endpoint.health.show-details=never

Best Practice: Use authentication for sensitive endpoints.

5️⃣ Not Securing REST APIs (Missing Authentication) 🔓

Mistake: Leaving APIs Open to Anyone

@RestController
@RequestMapping("/api")
public class UserController {
    @GetMapping("/users")
    public List<User> getUsers() {
        return userService.getAllUsers(); // ❌ Public API
    }
}

Issue: No authentication, meaning anyone can access it.

Solution: Secure APIs Using OAuth2 + JWT

@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
            .anyRequest().authenticated()
        ).oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
        return http.build();
    }
}

Best Practice: Use JWT (JSON Web Tokens) or OAuth2 for API security.

6️⃣ Allowing CORS from Any Origin 🌍

Mistake: Allowing All Origins

@CrossOrigin("*") // ❌ Allows requests from ANY domain
@RestController
@RequestMapping("/api")
public class UserController { }

Issue: Attackers can exploit CORS misconfigurations to perform cross-origin attacks.

Solution: Restrict Allowed Origins

@Configuration
public class CorsConfig {
    @Bean
    public WebMvcConfigurer corsConfigurer() {
        return new WebMvcConfigurer() {
            @Override
            public void addCorsMappings(CorsRegistry registry) {
                registry.addMapping("/api/**")
                    .allowedOrigins("https://trusted.com") // ✅ Allow specific origins
                    .allowedMethods("GET", "POST");
            }
        };
    }
}

Best Practice: Allow only trusted domains.

7️⃣ Exposing Sensitive Data in Logs 📝

Mistake: Logging User Data

logger.info("User logged in: " + user.getEmail()); // ❌ Logs sensitive info

Issue: Attackers can access log files and extract personal information.

Solution: Use Masking for Sensitive Logs

logger.info("User logged in: {}", maskEmail(user.getEmail()));

Best Practice: Use log masking tools like logback.

8️⃣ Not Implementing Rate Limiting

Mistake: No Protection Against Brute Force Attacks

@PostMapping("/login")
public ResponseEntity<?> login(@RequestBody LoginRequest request) {
    return authService.authenticate(request);
}

Issue: Attackers can flood login attempts, causing DDoS.

Solution: Implement Rate Limiting

Use Spring Boot Resilience4J to prevent abuse.

@Bean
public RateLimiterConfig rateLimiterConfig() {
    return RateLimiterConfig.custom()
        .limitRefreshPeriod(Duration.ofSeconds(10))
        .limitForPeriod(5) // ✅ Allow only 5 requests per 10 seconds
        .build();
}

Best Practice: Use API gateways like Cloudflare, AWS API Gateway.

9️⃣ Not Encrypting Sensitive Data in the Database 🔐

Mistake: Storing Passwords in Plain Text

user.setPassword("mypassword"); // ❌ Visible in the database

Issue: If the database is breached, all passwords are exposed.

Solution: Use BCrypt for Password Hashing

user.setPassword(new BCryptPasswordEncoder().encode("mypassword")); // ✅ Secure

Best Practice: Always hash passwords before storing.

🔟 Running the Application in Debug Mode in Production 🛑

Mistake: Keeping Debug Mode Enabled

spring.profiles.active=dev
logging.level.root=DEBUG

Issue: Debug logs expose internal details, making it easier for attackers.

Solution: Disable Debugging in Production

spring.profiles.active=prod
logging.level.root=INFO

Best Practice: Use Spring Profiles to switch between dev/prod environments.

🎯 Conclusion

Security is critical in any Spring Boot application. The mistakes listed above can expose your application to vulnerabilities, but by following best practices, you can keep your application secure.

Quick Recap

Use HTTPS and enforce SSL
Store secrets securely (no hardcoded API keys)
Secure APIs with OAuth2/JWT
Limit CORS access to trusted domains
Implement rate limiting for API protection
Encrypt passwords before storing

Keywords

Spring Boot security, REST API security, Spring Security best practices, secure microservices, OAuth2 authentication, JWT authentication, API security.

Related Spring and Spring Boot Tutorials/Guides:

Spring Boot Tutorials [500+] Spring Boot Testing Tutorial Spring Boot Microservice Tutorial Spring Boot Kafka Microservices Spring Boot + Apache Kafka Tutorial Spring Core Tutorial Spring MVC Tutorial Spring Data JPA Tutorial Spring Framework for Beginners Spring AOP Tutorial Spring Security Tutorial Spring Exceptions Tutorial Spring Boot Interview Questions Spring Boot Microservices Interview Questions Apache Kafka Tutorials Docker Tutorials and Guides Spring Boot RabbitMQ Tutorials Angular CRUD Example with Spring Boot Spring Boot + Angular 12 CRUD Full Stack Spring Boot + Angular 8 CRUD Full Stack Spring Boot + Angular 10 CRUD Full Stack Spring Boot + React JS CRUD Full Stack React JS ( React Hooks) + Spring Boot Spring Boot Thymeleaf CRUD Full Stack Spring Boot User Registration and Login Node Js + Express + MongoDB CRUD Vue JS + Spring Boot REST API Tutorial

Related Spring Security Tutorials/Guides:

Core Components of Spring Security Spring Security: Authentication Spring Security: Authorization Spring Security: Principal Spring Security: Granted Authority Spring Security: SecurityContextHolder Spring Security: UserDetailsService Spring Security: Authentication Manager Spring Security: Authentication Provider Spring Security: Password Encoder AuthenticationEntryPoint in Spring Security @PreAuthorize Annotation in Spring Security Spring Security Basic Authentication Spring Security In-Memory Authentication Spring Security Form-Based Authentication Difference Between Basic Authentication and Form Based Authentication Spring Security Custom Login Page Spring Security Login Form Example with Database Authentication Spring Boot Login REST API Login and Registration REST API using Spring Boot, Spring Security, Hibernate, and MySQL Database Spring Boot + Spring Security + Angular Example Tutorial Spring Boot + Angular Login Authentication, Logout, and HttpInterceptor Example Spring Security In-Memory Authentication Example Spring Security Hibernate Database Authentication - UserDetailsService Securing a Spring MVC Application with Spring Security Spring Boot Security Login REST API Example Spring Boot Security Login and Registration REST API Role-based Authorization using Spring Boot and Spring Security Spring Boot Security JWT Token-Based Authentication and Role-Based Authorization Tutorial Spring Boot + Spring Security + JWT + MySQL Database Tutorial Spring Boot JWT Authentication and Authorization Example Spring Boot Security JWT Example - Login REST API with JWT Authentication Spring Boot Security JWT Token-Based Authentication and Role-Based Authorization Tutorial Spring Security - Get Current Logged-In User Details Spring Security - How to Get Current Logged-In Username in JSP Spring Security - How to Access User Roles in JSP Spring Security - How to Get Current Logged-In Username in Themeleaf Spring Security Tutorial - Registration, Login, and Logout Spring Boot 2 + Spring MVC + Role-Based Spring Security + JPA + Thymeleaf + MySQL Tutorial User Registration Module using Spring Boot 2 + Spring MVC + Spring Security + Hibernate 5 + Thymeleaf + MySQL Registration and Login using Spring Boot, Spring Security, Spring Data JPA, Hibernate, H2, JSP, and Bootstrap Spring Boot User Registration and Login Example Tutorial

Comments

Post a Comment

Leave Comment

Spring Boot 3 Paid Course Published for Free
on my Java Guides YouTube Channel

Subscribe to my YouTube Channel (165K+ subscribers):
Java Guides Channel

Top 10 My Udemy Courses with Huge Discount:
Udemy Courses - Ramesh Fadatare