Secure Java/Spring Development: From Config to Defense
Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.
By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read
Spring Security is powerful, but its defaults do not cover everything. Misconfigured Spring applications are a staple finding in penetration tests. Knowing how to properly configure and extend Spring Security separates competent developers from those shipping vulnerable code.
Spring Security Configuration
The SecurityFilterChain bean defines your authorization posture. A common mistake is overly permissive or misordered path matching. The shape you want looks like this:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // hasRole("ADMIN") checks for the authority ROLE_ADMIN
                .requestMatchers("/api/admin/**").hasRole("ADMIN")
                .requestMatchers("/api/public/**").permitAll()
                // catch-all: anything not listed above still needs an authenticated caller
                .anyRequest().authenticated()
            )
            .sessionManagement(session -> session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            );
        return http.build();
    }
}
```
Order matters. Spring Security evaluates matchers top to bottom and applies the first one that matches, so put specific rules before general ones: a broad /api/** permitAll placed above /api/admin/** silently opens the admin paths. Spring Security refuses to build a chain that adds matchers after anyRequest(), but it does not warn about a broad rule shadowing a narrower one below it. The .anyRequest().authenticated() catch-all at the end prevents a newly added endpoint from being exposed by omission.
Watch out for path-matching mismatches. Trailing slashes (/api/admin/ versus /api/admin), URL-encoded characters and ;jsessionid-style path parameters can be treated differently by your authorization rules and by your controller mappings, depending on the matcher and Spring version in use. Spring Security's default StrictHttpFirewall rejects most of the dangerous encodings outright; leave it enabled, and test both spellings of every protected path.
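The misordering above, next to the corrected chain and a MockMvc check that exercises the path variants a tester will try. This is an added example, not code from the original article: it assumes Spring Boot 3 / Spring Security 6, a @SpringBootApplication class in the same package, spring-security-test on the test classpath, and HTTP Basic as the entry point so that an anonymous request receives 401. The classes are shown as one listing; in a project the config and controller live in src/main and the test in src/test.

```java
package com.example.security;

import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.junit.jupiter.api.Test;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig {

    // Broken ordering, kept as a comment for contrast: the broad /api/** permitAll matches
    // first, so the admin rule below it never fires and /api/admin/** is open to everyone.
    //   .requestMatchers("/api/**").permitAll()
    //   .requestMatchers("/api/admin/**").hasRole("ADMIN")

    @Bean
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/admin/**").hasRole("ADMIN")   // most specific first
                .requestMatchers("/api/public/**").permitAll()
                .anyRequest().authenticated())                       // catch-all for new endpoints
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .httpBasic(Customizer.withDefaults());                   // assumed entry point (401)
        return http.build();
    }
}

@RestController
class AdminController {
    @GetMapping("/api/admin/users")
    List<String> users() {
        return List.of("alice", "bob");   // constructed sample data
    }
}

@SpringBootTest
@AutoConfigureMockMvc
class ApiSecurityConfigTest {

    @Autowired
    MockMvc mvc;

    @Test
    void anonymousIsRejectedOnEverySpellingOfTheAdminPath() throws Exception {
        // Variants a tester will try; the catch-all turns them into 401 even if a matcher misses
        for (String path : List.of("/api/admin/users", "/api/admin/users/", "/API/admin/users", "/api/admin")) {
            mvc.perform(get(path)).andExpect(status().isUnauthorized());
        }
    }

    @Test
    @WithMockUser(roles = "USER")
    void authenticatedNonAdminIsForbidden() throws Exception {
        mvc.perform(get("/api/admin/users")).andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(roles = "ADMIN")
    void adminIsAllowed() throws Exception {
        mvc.perform(get("/api/admin/users")).andExpect(status().isOk());
    }
}
```

Swap the commented rules into the chain and the first test fails immediately for /api/admin/users, which is the point: the ordering mistake is cheap to catch in CI and expensive to find in production.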
SQL Injection Prevention
Spring Data JPA derived query methods are safe by default because they generate parameterized queries. Problems appear with @Query annotations using native SQL and string concatenation:
```java
// Vulnerable: user input spliced into the SQL text. (Annotation values must be compile-time
// constants, so in practice this shape appears where the query string is built by hand.)
@Query(value = "SELECT * FROM users WHERE name = '" + name + "'", nativeQuery = true)
User findByName(String name);

// Safe: the value is bound as a parameter and travels to the driver separately from the SQL
@Query(value = "SELECT * FROM users WHERE name = :name", nativeQuery = true)
User findByName(@Param("name") String name);
```
JdbcTemplate is safe when values are passed through ? placeholders and vulnerable when you concatenate strings; the same holds for NamedParameterJdbcTemplate. JPQL through @Query or EntityManager.createQuery is parameterized when you bind parameters, but createNativeQuery with a hand-built string is not. Identifiers such as a column name in an ORDER BY cannot be bound as parameters at all, so they must come from an allowlist, never from the request.
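The vulnerable JdbcTemplate form beside its parameterized equivalents, plus the allowlist pattern for the one piece of SQL that cannot be parameterized. This is an added example, not code from the original article; it assumes Spring Boot with spring-boot-starter-jdbc and spring-boot-starter-data-jpa on the classpath and a users(id, name, created_at) table. UserQueries and UserRow are illustrative names.

```java
package com.example.data;

import java.util.List;
import java.util.Set;

import jakarta.persistence.EntityManager;
import jakarta.persistence.PersistenceContext;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.stereotype.Repository;

@Repository
public class UserQueries {

    public record UserRow(long id, String name) {}

    private static final RowMapper<UserRow> ROW =
        (rs, rowNum) -> new UserRow(rs.getLong("id"), rs.getString("name"));

    // Identifiers cannot be bound as parameters, so sortable columns are fixed here (assumed schema)
    private static final Set<String> SORTABLE = Set.of("id", "name", "created_at");

    private final JdbcTemplate jdbc;

    @PersistenceContext
    private EntityManager em;

    public UserQueries(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    // VULNERABLE: name = "x' OR '1'='1" returns the whole table; a payload carrying a statement
    // terminator can do worse on drivers that accept batched statements
    public List<UserRow> findByNameUnsafe(String name) {
        return jdbc.query("SELECT id, name FROM users WHERE name = '" + name + "'", ROW);
    }

    // SAFE: the value is sent as a bound parameter, never spliced into the SQL text
    public List<UserRow> findByNameSafe(String name) {
        return jdbc.query("SELECT id, name FROM users WHERE name = ?", ROW, name);
    }

    // SAFE: native SQL through the EntityManager with a named parameter; the SQL string is constant
    @SuppressWarnings("unchecked")
    public List<UserRow> findByNameNative(String name) {
        List<Object[]> rows = em.createNativeQuery("SELECT id, name FROM users WHERE name = :name")
            .setParameter("name", name)
            .getResultList();
        return rows.stream()
            .map(r -> new UserRow(((Number) r[0]).longValue(), (String) r[1]))
            .toList();
    }

    // SAFE: the only concatenated piece is a column name taken from the allowlist; anything
    // else falls back to the default sort instead of reaching the SQL
    public List<UserRow> listSorted(String requestedColumn) {
        String column = SORTABLE.contains(requestedColumn) ? requestedColumn : "id";
        return jdbc.query("SELECT id, name FROM users ORDER BY " + column, ROW);
    }
}
```

The two safe lookups return identical results for any input; the unsafe one differs as soon as the input contains a quote, which is a quick way to write a regression test for a repository you are hardening.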
Session Management
For session-based auth, set these in application.properties. Note that same-site=strict withholds the cookie on top-level navigations from other sites (a link from an email, an OAuth redirect back to you), so lax is the usual compromise; use strict where the application can afford it.
```properties
server.servlet.session.cookie.http-only=true
server.servlet.session.cookie.secure=true
server.servlet.session.cookie.same-site=strict
server.servlet.session.timeout=30m
```
Spring Security already defends against session fixation: its default sessionFixation().changeSessionId() strategy issues a new session ID when a user authenticates through its login filters. Call request.changeSessionId() yourself only when you authenticate outside those filters, for example in a custom login endpoint that sets the SecurityContext by hand. On logout, Spring Security's LogoutFilter invalidates the session and clears the security context by default; if you handle logout yourself, call session.invalidate(), clear the SecurityContextHolder and expire the session cookie.
For JWT-based APIs called from a browser, do not store tokens in localStorage, where any injected script can read them. Use HttpOnly, Secure cookies with a short access-token lifetime and rotate refresh tokens. The moment the JWT rides in a cookie the browser attaches it automatically, so CSRF protection must stay enabled for those endpoints.
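A session-hardening configuration that states the fixation and logout defaults explicitly, caps concurrent sessions, and shows the one place where you do need request.changeSessionId() yourself: a hand-rolled login endpoint that bypasses Spring Security's login filter. This is an added example, not code from the original article. It assumes Spring Boot 3 / Spring Security 6 with a UserDetailsService and PasswordEncoder bean defined elsewhere; the LoginRequest record and the /login path are illustrative, and the client is expected to send the CSRF token on the POST as on any other state-changing request.

```java
package com.example.session;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class SessionSecurityConfig {

    @Bean
    SecurityContextRepository securityContextRepository() {
        return new HttpSessionSecurityContextRepository();
    }

    @Bean
    AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
        return config.getAuthenticationManager();   // assumes a UserDetailsService bean exists
    }

    // Lets maximumSessions learn about session expiry and invalidation so the slot is freed
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    @Bean
    SecurityFilterChain sessionChain(HttpSecurity http, SecurityContextRepository repo) throws Exception {
        http
            .securityContext(ctx -> ctx.securityContextRepository(repo))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login").permitAll()
                .anyRequest().authenticated())
            .sessionManagement(session -> session
                // The default, stated explicitly: new session id on login, attributes kept
                .sessionFixation(fixation -> fixation.changeSessionId())
                // One live session per user; a new login evicts the oldest one
                .maximumSessions(1).maxSessionsPreventsLogin(false))
            .logout(logout -> logout
                .logoutUrl("/logout")
                .invalidateHttpSession(true)
                .clearAuthentication(true)
                .deleteCookies("JSESSIONID")
                .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler(HttpStatus.NO_CONTENT)));
        return http.build();
    }
}

// This endpoint bypasses Spring Security's login filter, so the fixation strategy above does
// not run for it: rotate the session id here, then persist the context into the new session.
@RestController
class LoginController {

    record LoginRequest(String username, String password) {}   // illustrative request shape

    private final AuthenticationManager authenticationManager;
    private final SecurityContextRepository securityContextRepository;

    LoginController(AuthenticationManager am, SecurityContextRepository repo) {
        this.authenticationManager = am;
        this.securityContextRepository = repo;
    }

    @PostMapping("/login")
    void login(@RequestBody LoginRequest body, HttpServletRequest req, HttpServletResponse res) {
        Authentication auth = authenticationManager.authenticate(
            UsernamePasswordAuthenticationToken.unauthenticated(body.username(), body.password()));
        if (req.getSession(false) != null) {
            req.changeSessionId();   // drop any id an attacker may have planted before login
        }
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(auth);
        SecurityContextHolder.setContext(ctx);
        securityContextRepository.saveContext(ctx, req, res);   // binds the principal to the session
    }
}
```

The guard around changeSessionId() matters: the servlet API throws IllegalStateException when no session exists yet, and a client with no pre-login session has no id that could have been fixated.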
CSRF and Headers
Spring Security enables CSRF protection by default. For a stateless API whose clients send a bearer token in the Authorization header you can disable it with csrf(csrf -> csrf.disable()), but only because no cookie carries the credential. If you authenticate with a cookie, whether a session or a JWT stored in one, keep CSRF on; for a JavaScript client, CookieCsrfTokenRepository.withHttpOnlyFalse() exposes the token in a readable XSRF-TOKEN cookie so the client can echo it in the X-XSRF-TOKEN header.
Add security headers through Spring Security:
```java
http.headers(headers -> headers
    .contentSecurityPolicy(csp -> csp
        .policyDirectives("default-src 'self'; script-src 'self'"))
    .frameOptions(frame -> frame.deny())
);
```
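Both halves of the CSRF decision in one application, expressed as two ordered filter chains, with the headers configuration extended to HSTS and Referrer-Policy and a MockMvc check for each. This is an added example, not code from the original article. It assumes Spring Boot 3 / Spring Security 6, spring-boot-starter-oauth2-resource-server with a JwtDecoder available (for example through spring.security.oauth2.resourceserver.jwt.jwk-set-uri), spring-security-test on the test classpath, and a @SpringBootApplication class in the package; the /api/**, /profile and /api/orders paths are illustrative.

```java
package com.example.web;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;
import org.springframework.test.web.servlet.MockMvc;
import org.junit.jupiter.api.Test;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    // /api/**: bearer token in the Authorization header. The browser never attaches it on its
    // own, so there is no CSRF exposure to defend and the protection can be switched off.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .csrf(AbstractHttpConfigurer::disable)
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()));
        return http.build();
    }

    // Everything else: session cookie. CSRF stays on; the token is exposed in a readable
    // XSRF-TOKEN cookie so a JavaScript client can echo it back in X-XSRF-TOKEN.
    @Bean
    @Order(2)
    SecurityFilterChain uiChain(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login").permitAll()
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .headers(headers -> headers
                .contentSecurityPolicy(csp -> csp.policyDirectives(
                    "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'"))
                .frameOptions(frame -> frame.deny())
                .httpStrictTransportSecurity(hsts -> hsts          // written only on HTTPS requests
                    .includeSubDomains(true).preload(true).maxAgeInSeconds(31536000))
                .referrerPolicy(rp -> rp.policy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)));
        return http.build();
    }
}

@SpringBootTest
@AutoConfigureMockMvc
class WebSecurityConfigTest {

    @Autowired
    MockMvc mvc;

    @Test
    void uiResponsesCarryHardeningHeaders() throws Exception {
        mvc.perform(get("/"))
            .andExpect(header().string("X-Frame-Options", "DENY"))
            .andExpect(header().string("Content-Security-Policy",
                "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'"));
    }

    @Test
    @WithMockUser
    void sessionPostWithoutCsrfTokenIsRejected() throws Exception {
        mvc.perform(post("/profile")).andExpect(status().isForbidden());
        mvc.perform(post("/profile").with(csrf())).andExpect(status().isNotFound()); // past CSRF; no controller
    }

    @Test
    void bearerApiRejectsMissingToken() throws Exception {
        mvc.perform(post("/api/orders")).andExpect(status().isUnauthorized());
    }
}
```

The split is what makes disabling CSRF defensible: the decision is scoped to the chain whose requests carry no cookie credential, and the session-backed chain is never touched by it.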
Dependency Management
Run mvn dependency:tree to understand your full dependency graph (add -Dincludes=groupId:artifactId to see which path pulls in a specific library). Run OWASP Dependency-Check or Snyk in your CI pipeline and fail the build above an agreed severity. Spring Boot's managed dependency versions help, but transitive dependencies still introduce risk. When a vulnerability is reported in a transitive dependency, override its version explicitly, either through the version property Spring Boot's parent POM exposes for that library or through a dependencyManagement entry, and confirm with dependency:tree that the override actually took effect.
Related Career Paths
Secure Spring development is a core skill for the Application Security Expert career path. AppSec engineers review Java codebases daily and need to identify framework-specific vulnerabilities quickly.
Next Steps
- Take a skills assessment to benchmark your Java security knowledge
- Explore the skills library for related topics like SAST tooling and threat modeling
- Use the salary calculator to see how AppSec skills affect compensation
Related Guides in This Series
- Secure Coding in .NET: Input Validation, Auth, and CSRF Defense — HADESS | 2026
- Secure JavaScript: XSS, CSP, and Dependency Safety
- Secure Node.js: Express Middleware, Auth, and Rate Limiting
Take the Next Step
Browse 80+ skills on HADESS.
See your certification roadmap.
Get started free — Create your HADESS account and access all career tools.
Frequently Asked Questions
How long does it take to learn this skill?
Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.
Do I need certifications for this skill?
Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.
What career paths use this skill?
Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.
—
HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
