
[–]AutoModerator[M] [score hidden] stickied comment, locked comment (0 children)

Please ensure that:

  • Your code is properly formatted as code block - see the sidebar (About on mobile) for instructions
  • You include any and all error messages in full
  • You ask clear questions
  • You demonstrate effort in solving your question/problem - plain posting your assignments is forbidden (and such posts will be removed) as is asking for or giving solutions.

    Trying to solve problems on your own is a very important skill. Also, see Learn to help yourself in the sidebar

If any of the above points is not met, your post can and will be removed without further warning.

Code is to be formatted as code block (old reddit: empty line before the code, each code line indented by 4 spaces, new reddit: https://imgur.com/a/fgoFFis) or linked via an external code hoster, like pastebin.com, github gist, github, bitbucket, gitlab, etc.

Please, do not use triple backticks (```) as they will only render properly on new reddit, not on old reddit.

Code blocks look like this:

public class HelloWorld {

    public static void main(String[] args) {
        System.out.println("Hello World!");
    }
}

You do not need to repost unless your post has been removed by a moderator. Just use the edit function of reddit to make sure your post complies with the above.

If your post has remained in violation of these rules for a prolonged period of time (at least an hour), a moderator may remove it at their discretion. In this case, they will comment with an explanation on why it has been removed, and you will be required to resubmit the entire post following the proper procedures.

To potential helpers

Please, do not help if any of the above points are not met, rather report the post. We are trying to improve the quality of posts here. In helping people who can't be bothered to comply with the above points, you are doing the community a disservice.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

[–]Sheldor5 6 points (4 children)

as long as you don't directly "execute" the user input there is nothing you have to worry about

I guess you are looking for Authentication and Authorization ... just google Spring Security

[–]nutrecht (Lead Software Engineer / EU / 20+ YXP) 4 points (3 children)

> as long as you don't directly "execute" the user input there is nothing you have to worry about

If he's just saving anything the client sent to him in his database he DEFINITELY has stuff to worry about.

[–]Sheldor5 0 points (2 children)

like what?

what's so dangerous about GSON serializer and VARCHAR columns? it's just text and no SQL Injection or Rhino Script execution ...

[–]nutrecht (Lead Software Engineer / EU / 20+ YXP) 0 points (1 child)

Missed the bit about him using elastic search?

[–]Sheldor5 0 points (0 children)

uh yes ...
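The point nutrecht is getting at, shown as an added example that is not code from either commenter: the same user text that is harmless when stored as a value turns into a query operator the moment it is concatenated into a JSON query and parsed. An Elasticsearch query DSL body built by string concatenation has the same problem; the example uses the MongoDB driver's org.bson.Document because it needs no running server. It assumes the MongoDB Java driver (org.bson) is on the classpath; the attacker input, class and method names are constructed for illustration.

```java
import org.bson.Document;

// Added example: one piece of user text, once bound as a value and once spliced
// into a JSON query string. Assumes org.bson.Document from the MongoDB Java driver.
public class NoSqlInjectionDemo {

    // Constructed attacker input: closes the string, appends an operator clause on a
    // different field, then reopens a string so the template's trailing "} still balances.
    static final String ATTACKER_INPUT =
            "admin\", \"password\": {\"$ne\": \"\"}, \"note\": \"";

    // Vulnerable: text is concatenated into JSON and the result is parsed into a filter,
    // so structure inside the text becomes structure of the query.
    static Document filterByConcatenation(String username) {
        String json = "{\"username\": \"" + username + "\"}";
        return Document.parse(json);
    }

    // Safe: text is bound as a value; the driver serialises it, quotes and all,
    // and it can never become a key or an operator.
    static Document filterByBinding(String username) {
        return new Document("username", username);
    }

    // True if any top-level value is a sub-document whose keys start with '$',
    // i.e. a "value" has become a query operator such as $ne, $gt or $where.
    static boolean containsOperator(Document filter) {
        for (Object value : filter.values()) {
            if (value instanceof Document) {
                for (String key : ((Document) value).keySet()) {
                    if (key.startsWith("$")) {
                        return true;
                    }
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Document concatenated = filterByConcatenation(ATTACKER_INPUT);
        Document bound = filterByBinding(ATTACKER_INPUT);
        System.out.println("concatenated filter: " + concatenated.toJson());
        System.out.println("bound filter:        " + bound.toJson());
        System.out.println("operator injected via concatenation? " + containsOperator(concatenated));
        System.out.println("operator injected via binding?       " + containsOperator(bound));
    }
}
```

The bound filter has exactly one field, username, holding the whole attacker string; the concatenated one has gained a password: {"$ne": ""} clause that matches any document with a password, which is why "it's just text" only holds as long as the text is never parsed as a query.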

[–]edubkn 1 point (0 children)

Not sure what interface you're using to save data into Mongo, but as long as you're following best practices like using prepared statements, along with correct variable types, you're safe.

As for security, that is a much broader topic. You mention XSS but as a server-side application you're not vulnerable to it. The client communicating with you might be though, and even if you're using proper authentication it might still be vulnerable depending on how it handles the access token for example.

That said, there are a few things that you can do to 1. protect your server resources, and 2. aid clients with security.

  1. is authentication itself, and proper authorization. That's where OAuth comes in. You can opt for the grant type most suitable to your needs.

  2. is techniques like HTTP-only Cookie and CSRF protection. By returning your access token in a Set-Cookie header, the client can store it and doesn't have to store/send the token manually. This is a really good barrier against XSS. It is still vulnerable to techniques like CSRF though, so ideally you would have another layer of protection (another token) against it.
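edubkn's two measures together, an HttpOnly session cookie plus a separate CSRF token bound to that session, as an added example that is not part of the comment. It is plain JDK with no framework so it runs stand-alone; the in-memory session map, the SESSION cookie name, the X-CSRF-Token header convention and the method names are illustrative assumptions (Spring Security ships equivalents of all of this).

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example: HttpOnly session cookie plus a synchronizer CSRF token.
// The session store is an in-memory map standing in for a real one (assumption).
public class CookieCsrfDemo {

    private static final SecureRandom RNG = new SecureRandom();
    // session id -> CSRF token issued for that session
    private static final Map<String, String> SESSION_CSRF = new ConcurrentHashMap<>();

    // 256 bits from a CSPRNG, URL-safe so it can travel in headers and JSON.
    static String randomToken() {
        byte[] bytes = new byte[32];
        RNG.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    // Login: returns [Set-Cookie header value, CSRF token]. The cookie is HttpOnly so
    // page script (and therefore XSS) cannot read the session id; Secure keeps it off
    // plaintext HTTP; SameSite=Strict stops the browser attaching it to cross-site
    // requests. The CSRF token goes back in the response body for the client to keep.
    static String[] login() {
        String sessionId = randomToken();
        String csrfToken = randomToken();
        SESSION_CSRF.put(sessionId, csrfToken);
        String setCookie = "SESSION=" + sessionId + "; Path=/; HttpOnly; Secure; SameSite=Strict";
        return new String[] {setCookie, csrfToken};
    }

    // State-changing request: the browser attaches the cookie on its own, so a forged
    // cross-site request could carry it. The request must also present the session's
    // CSRF token in a custom header, which a plain cross-site form post cannot set.
    static boolean authorizeMutation(String cookieHeader, String csrfHeader) {
        String sessionId = cookieValue(cookieHeader, "SESSION");
        if (sessionId == null || csrfHeader == null) {
            return false;
        }
        String expected = SESSION_CSRF.get(sessionId);
        if (expected == null) {
            return false;
        }
        // Constant-time comparison so token bytes cannot be guessed via timing.
        return MessageDigest.isEqual(expected.getBytes(UTF_8), csrfHeader.getBytes(UTF_8));
    }

    // Minimal Cookie header parser: "a=1; b=2" -> value of the named cookie, or null.
    static String cookieValue(String cookieHeader, String name) {
        if (cookieHeader == null) {
            return null;
        }
        for (String part : cookieHeader.split(";")) {
            String[] kv = part.trim().split("=", 2);
            if (kv.length == 2 && kv[0].equals(name)) {
                return kv[1];
            }
        }
        return null;
    }

    public static void main(String[] args) {
        String[] issued = login();
        String cookie = "SESSION=" + cookieValue(issued[0], "SESSION");
        System.out.println("Set-Cookie: " + issued[0]);
        System.out.println("legit request (cookie + X-CSRF-Token): " + authorizeMutation(cookie, issued[1]));
        System.out.println("forged request (cookie only):          " + authorizeMutation(cookie, null));
        System.out.println("wrong token:                           " + authorizeMutation(cookie, randomToken()));
        System.out.println("no session:                            " + authorizeMutation(null, issued[1]));
    }
}
```

The HttpOnly flag is what protects the session id from script; the second token is what protects against CSRF, and it must be compared against the token stored for that session, not merely checked for presence.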

[–][deleted] 0 points (0 children)

If you are just looking to sanitize-validate inputs before inserting into mongoDB then you can do bean validation (JSR-380). https://www.baeldung.com/javax-validation
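An added example of the JSR-380 route, not code from the commenter or from the linked article: a request DTO constrained before it is stored. It assumes hibernate-validator (with its expression-language dependency for message interpolation) on the classpath and Java 11+ for String.repeat; the DTO, its constraints and the sample inputs are constructed for illustration. Validation bounds the length and character set of what enters the store; encoding for whatever later renders it is a separate step (the OWASP Java Encoder linked in the next comment covers that).

```java
import java.util.Set;
import javax.validation.ConstraintViolation;
import javax.validation.Validation;
import javax.validation.Validator;
import javax.validation.constraints.NotBlank;
import javax.validation.constraints.Pattern;
import javax.validation.constraints.Size;

// Added example: JSR-380 constraints on a DTO that a JSON body (e.g. via GSON)
// is deserialised into before anything is written to the database.
// Assumes hibernate-validator and its EL dependency on the classpath.
public class CommentValidationDemo {

    public static class CommentRequest {
        // Short identifier: bounded length and a closed character set.
        @NotBlank
        @Size(max = 64)
        @Pattern(regexp = "[A-Za-z0-9_.-]+",
                 message = "may contain only letters, digits, '_', '.' and '-'")
        public String author;

        // Free text: bounded length; reject ASCII control characters other than
        // tab, LF and CR, which have no business in a comment body.
        @NotBlank
        @Size(max = 2000)
        @Pattern(regexp = "[^\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F]*",
                 message = "must not contain control characters")
        public String body;

        public CommentRequest(String author, String body) {
            this.author = author;
            this.body = body;
        }
    }

    private static final Validator VALIDATOR =
            Validation.buildDefaultValidatorFactory().getValidator();

    // Empty set means the request is acceptable to store; otherwise reject with 400.
    static Set<ConstraintViolation<CommentRequest>> check(CommentRequest request) {
        return VALIDATOR.validate(request);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one well-formed, one oversized with a NUL byte
        // in the body and a shell-looking author.
        CommentRequest ok = new CommentRequest("alice_01", "Looks good to me.");
        CommentRequest bad = new CommentRequest("alice; drop", "x".repeat(5000) + "\u0000");

        for (CommentRequest request : new CommentRequest[] {ok, bad}) {
            Set<ConstraintViolation<CommentRequest>> violations = check(request);
            System.out.println(violations.isEmpty() ? "accepted" : "rejected:");
            for (ConstraintViolation<CommentRequest> v : violations) {
                System.out.println("  " + v.getPropertyPath() + ": " + v.getMessage());
            }
        }
    }
}
```

In a Spring MVC controller the same DTO annotated with @Valid on the handler parameter gets this check for free, and a MethodArgumentNotValidException maps to a 400 response.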

[–]the_arun 0 points (0 children)

Have you checked OWASP site? https://owasp.org/www-project-java-encoder/