Matt Raible, profile picture
Uploaded byMatt Raible
149 views

Web App Security for Java Developers - PWX 2021

The document presents a guide on web app security specifically for Java developers, outlining seven key practices such as using HTTPS, scanning dependencies, and employing OAuth 2.0 for authentication. It also includes technical configurations and code snippets for implementing these security measures in Spring Boot and other frameworks. Additionally, it emphasizes the importance of content security policies and preventing cross-site request forgery (CSRF) attacks.

Embed presentation

Download to read offline
Matt Raible | @mraible December 7, 2021 Web App Security for Java Developers Photo by Michiel Leunens on https://unsplash.com/photos/fBB7FeS4Xas
@mraible Who is Matt Raible? Father, Husband, Skier, Mountain Biker, Whitewater Rafter Bus Lover Web Developer and Java Champion Okta Developer Advocate Blogger on raibledesigns.com and developer.okta.com/blog @mraible
developer.okta.com
@mraible Today’s Agenda What is web app security? 7 simple ways to better app security 3 quick demos 🍃 Spring Boot 🅰 Angular 🤓 JHipster
What is web app security?
1. Use HTTPS 2. Scan your dependencies 3. Use the latest releases 4. Secure your secrets 7 Simple Ways to Better Web App Security 5. Use a Content Security Policy 6. Use OAuth 2.0 and OIDC 7. Prevent Cross-site request forgery (CSRF)
@mraible 1. Use HTTPS Everywhere! Let’s Encrypt offers free HTTPS certificates certbot can be used to generate certificates mkcert can be used to create localhost certificates Spring Boot Starter ACME for automating certificates
What is HTTPS? https://howhttps.works
How HTTPS Works https://howhttps.works
HTTPS for Static Sites too! https://www.troyhunt.com/heres-why-your-static-website-needs-https
HTTPS is Easy!
Force HTTPS in Spring Boot @Configuration public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.requiresChannel().anyRequest().requiresSecure(); } }
Force HTTPS in the Cloud @Configuration public class SecurityConfiguration extends WebSecurityConfigurerAdapter {         @Override         protected void configure(HttpSecurity http) throws Exception {                 http.requiresChannel()                         .requestMatchers(r - > r.getHeader("X-Forwarded-Proto") ! = null)                         .requiresSecure();         } }
Force HTTPS in Spring WebFlux @EnableWebFluxSecurity public class SecurityConfiguration { @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http.redirectToHttps(withDefaults()); return http.build(); } }
Force HTTPS in Spring WebFlux + Cloud @EnableWebFluxSecurity public class SecurityConfiguration { @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http.redirectToHttps(redirect - > redirect .httpsRedirectWhen(e - > e.getRequest().getHeaders().containsKey("X-Forwarded-Proto")) ); return http.build(); } }
@mraible “Why do we need HTTPS  inside our network?”
@mraible 2. Scan Your Dependencies
@mraible GitHub + Dependabot
@mraible Full-featured Dependency Scanners
3. Use the Latest Releases
How well do you know your dependencies? Dependency Health Indirect Dependencies Regular Releases Regular commits Dependencies
Check for Updates with npm npm i -g npm-check-updates ncu
Check for Updates with Maven mvn versions:display-dependency-updates https://www.mojohaus.org/versions-maven-plugin
Check for Updates with Gradle plugins { id("se.patrikerdes.use-latest-versions") version "0.2.17" id("com.github.ben-manes.versions") version "0.39.0" . . . } $ ./gradlew useLatestVersions https://github.com/patrikerdes/gradle-use-latest-versions-plugin
@mraible 4. Secure Your Secrets
HashiCorp Vault and Azure Key Vault
https://developer.okta.com/blog/2020/05/04/spring-vault Secure Secrets With Spring Cloud Config and Vault
5. Use a Content Security Policy
Default Spring Security Headers Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains X-Frame-Options: DENY X-XSS-Protection: 1; mode=block
Add a Content Security Policy with Spring Security @EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter {         @Override         protected void configure(HttpSecurity http) throws Exception {                 http.headers()                         .contentSecurityPolicy("script-src 'self' " +                                         "https: / / trustedscripts.example.com; " +                                         "object-src https: / / trustedplugins.example.com; " +                                         "report-uri /csp-report-endpoint/");         } }
Test Your Security Headers https://securityheaders.com
@mraible 6. Use OAuth 2.0 and OpenID Connect OpenID Connect OAuth 2.0 HTTP OpenID Connect is for authentication 
 OAuth 2.0 is for authorization
@mraible Authorization Code Flow Example https://developer.okta.com/blog/2019/08/28/reactive-microservices-spring-cloud-gateway
@mraible Does OAuth 2.0 feel like a maze of specs? https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1
@mraible OAuth 2.1 to the rescue! https://oauth.net/2.1 PKCE is required for all clients using the authorization code flow Redirect URIs must be compared using exact string matching The Implicit grant is omitted from this specification The Resource Owner Password Credentials grant is omitted from this specification Bearer token usage omits the use of bearer tokens in the query string of URIs Refresh tokens for public clients must either be sender-constrained or one-time use
7. Prevent CSRF Attacks
Configure CSRF Protection with Spring Security @EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter {       @Override       protected void configure(HttpSecurity http) throws Exception {               http                       .csrf()                       .csrfTokenRepository(                               CookieCsrfTokenRepository.withHttpOnlyFalse());       } }
SameSite Cookies
@mraible Demos! 🍃 🅰 🤓
1. Use HTTPS 2. Scan your dependencies 3. Use the latest releases 4. Secure your secrets Recap: 7 Simple Ways to Better Web App Security 5. Use a Content Security Policy 6. Use OAuth 2.0 and OIDC 7. Prevent Cross-site request forgery (CSRF)
developer.okta.com/blog @oktadev
Curious About Microservice Security? https://developer.okta.com/blog/2020/03/23/microservice-security-patterns
Or Auth Security Patterns? https://bit.ly/mraible-springone-2021 https://youtu.be/CebTJ7Nq1Hs
Thanks! Keep in Touch raibledesigns.com @mraible Presentations speakerdeck.com/mraible Code github.com/oktadev developer.okta.com
developer.okta.com

More Related Content

PDF
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
byMatt Raible
 
PDF
Java Web Application Security - Jazoon 2011
byMatt Raible
 
PDF
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache Tomcat
byVMware Hyperic
 
PDF
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020
byMatt Raible
 
PDF
Java Web Application Security - UberConf 2011
byMatt Raible
 
PDF
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
byMatt Raible
 
PDF
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
byArun Gupta
 
PDF
Apache Roller, Acegi Security and Single Sign-on
byMatt Raible
 
10 Excellent Ways to Secure Spring Boot Applications - Okta Webinar 2020
byMatt Raible
 
Java Web Application Security - Jazoon 2011
byMatt Raible
 
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache Tomcat
byVMware Hyperic
 
Choose Your Own Adventure with JHipster & Kubernetes - Utah JUG 2020
byMatt Raible
 
Java Web Application Security - UberConf 2011
byMatt Raible
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Sprin...
byMatt Raible
 
JavaOne India 2011 - Running your Java EE 6 Apps in the Cloud
byArun Gupta
 
Apache Roller, Acegi Security and Single Sign-on
byMatt Raible
 

What's hot

PDF
Java REST API Framework Comparison - PWX 2021
byMatt Raible
 
PDF
Java REST API Comparison: Micronaut, Quarkus, and Spring Boot - jconf.dev 2020
byMatt Raible
 
PDF
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
byMatt Raible
 
PDF
Front End Development for Back End Developers - vJUG24 2017
byMatt Raible
 
PDF
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
byMatt Raible
 
PDF
Microservices for the Masses with Spring Boot, JHipster, and OAuth - South We...
byMatt Raible
 
PDF
Web App Security for Java Developers - UberConf 2021
byMatt Raible
 
PDF
What the Heck is OAuth and OpenID Connect - RWX 2017
byMatt Raible
 
PDF
JHipster and Okta - JHipster Virtual Meetup December 2020
byMatt Raible
 
PDF
Security Patterns for Microservice Architectures - ADTMag Microservices & API...
byMatt Raible
 
PDF
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
byMatt Raible
 
PDF
Java Web Application Security - Utah JUG 2011
byMatt Raible
 
PDF
Front End Development for Back End Java Developers - Jfokus 2020
byMatt Raible
 
PDF
What's New in Spring 3.1
byMatt Raible
 
PDF
Use Angular Schematics to Simplify Your Life - Develop Denver 2019
byMatt Raible
 
PDF
How to Win at UI Development in the World of Microservices - THAT Conference ...
byMatt Raible
 
PDF
Bootiful Development with Spring Boot and React - UberConf 2018
byMatt Raible
 
PDF
JAX-RS JavaOne Hyderabad, India 2011
byShreedhar Ganapathy
 
PDF
Spark IT 2011 - Developing RESTful Web services with JAX-RS
byArun Gupta
 
PPT
Choosing a Java Web Framework
byWill Iverson
 
Java REST API Framework Comparison - PWX 2021
byMatt Raible
 
Java REST API Comparison: Micronaut, Quarkus, and Spring Boot - jconf.dev 2020
byMatt Raible
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
byMatt Raible
 
Front End Development for Back End Developers - vJUG24 2017
byMatt Raible
 
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...
byMatt Raible
 
Microservices for the Masses with Spring Boot, JHipster, and OAuth - South We...
byMatt Raible
 
Web App Security for Java Developers - UberConf 2021
byMatt Raible
 
What the Heck is OAuth and OpenID Connect - RWX 2017
byMatt Raible
 
JHipster and Okta - JHipster Virtual Meetup December 2020
byMatt Raible
 
Security Patterns for Microservice Architectures - ADTMag Microservices & API...
byMatt Raible
 
Java Web Application Security with Java EE, Spring Security and Apache Shiro ...
byMatt Raible
 
Java Web Application Security - Utah JUG 2011
byMatt Raible
 
Front End Development for Back End Java Developers - Jfokus 2020
byMatt Raible
 
What's New in Spring 3.1
byMatt Raible
 
Use Angular Schematics to Simplify Your Life - Develop Denver 2019
byMatt Raible
 
How to Win at UI Development in the World of Microservices - THAT Conference ...
byMatt Raible
 
Bootiful Development with Spring Boot and React - UberConf 2018
byMatt Raible
 
JAX-RS JavaOne Hyderabad, India 2011
byShreedhar Ganapathy
 
Spark IT 2011 - Developing RESTful Web services with JAX-RS
byArun Gupta
 
Choosing a Java Web Framework
byWill Iverson
 

Similar to Web App Security for Java Developers - PWX 2021

PDF
Spring4 security
bySang Shin
 
PDF
Securing Web Applications with Token Authentication
byStormpath
 
PDF
Who Needs That FAPI Thing, Anyway? - Michal Trojanowski, Curity
byNordic APIs
 
PDF
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
byJava User Group Latvia
 
PDF
Demystifying OAuth 2.0
byKarl McGuinness
 
PDF
Building a secure BFF at Postman
byAnkit Muchhala
 
PDF
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
PDF
Java Web Application Security - Denver JUG 2013
byMatt Raible
 
PDF
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...
byMatt Raible
 
PDF
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra
byVMware Tanzu
 
PDF
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
byMatt Raible
 
PPT
Securing RESTful API
byMuhammad Zbeedat
 
PPT
O auth 2
byNisha Baswal
 
PDF
Oauth Nightmares Abstract OAuth Nightmares
byNino Ho
 
PDF
APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...
byapidays
 
PDF
Draft Hammer Oauth 10
byVishal Shah
 
PDF
JavaScript App Security: Auth and Identity on the Client
byJonathan LeBlanc
 
PDF
Secured REST Microservices with Spring Cloud
byOrkhan Gasimov
 
PDF
Draft Ietf Oauth V2 12
byVishal Shah
 
PDF
Bufferauthentication
byVishal Shah
 
Spring4 security
bySang Shin
 
Securing Web Applications with Token Authentication
byStormpath
 
Who Needs That FAPI Thing, Anyway? - Michal Trojanowski, Curity
byNordic APIs
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
byJava User Group Latvia
 
Demystifying OAuth 2.0
byKarl McGuinness
 
Building a secure BFF at Postman
byAnkit Muchhala
 
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
Java Web Application Security - Denver JUG 2013
byMatt Raible
 
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra - Devne...
byMatt Raible
 
Lock That Sh*t Down! Auth Security Patterns for Apps, APIs, and Infra
byVMware Tanzu
 
Lock That Shit Down! Auth Security Patterns for Apps, APIs, and Infra - Joker...
byMatt Raible
 
Securing RESTful API
byMuhammad Zbeedat
 
O auth 2
byNisha Baswal
 
Oauth Nightmares Abstract OAuth Nightmares
byNino Ho
 
APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...
byapidays
 
Draft Hammer Oauth 10
byVishal Shah
 
JavaScript App Security: Auth and Identity on the Client
byJonathan LeBlanc
 
Secured REST Microservices with Spring Cloud
byOrkhan Gasimov
 
Draft Ietf Oauth V2 12
byVishal Shah
 
Bufferauthentication
byVishal Shah
 

More from Matt Raible

PDF
Security Patterns for Microservice Architectures - SpringOne 2020
byMatt Raible
 
PDF
Comparing Native Java REST API Frameworks - Seattle JUG 2022
byMatt Raible
 
PDF
Micro Frontends for Java Microservices - Cork JUG 2022
byMatt Raible
 
PDF
Micro Frontends for Java Microservices - Dublin JUG 2022
byMatt Raible
 
PDF
Full Stack Reactive with React and Spring WebFlux - Switzerland JUG 2020
byMatt Raible
 
PDF
Reactive Java Microservices with Spring Boot and JHipster - Spring I/O 2022
byMatt Raible
 
PDF
Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022
byMatt Raible
 
PDF
Security Patterns for Microservice Architectures - Oktane20
byMatt Raible
 
PDF
Security Patterns for Microservice Architectures - London Java Community 2020
byMatt Raible
 
PDF
Java REST API Framework Comparison - UberConf 2021
byMatt Raible
 
PDF
Comparing Native Java REST API Frameworks - Devoxx France 2022
byMatt Raible
 
PDF
Choose Your Own Adventure with JHipster & Kubernetes - Denver JUG 2020
byMatt Raible
 
PDF
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Switzerl...
byMatt Raible
 
PDF
Micro Frontends for Java Microservices - Belfast JUG 2022
byMatt Raible
 
PDF
Get Hip with JHipster - Colorado Springs Open Source User Group 2021
byMatt Raible
 
PDF
Reactive Java Microservices with Spring Boot and JHipster - Denver JUG 2021
byMatt Raible
 
PDF
Mobile App Development with Ionic, React Native, and JHipster - Connect.Tech ...
byMatt Raible
 
PDF
Mobile Development with Ionic, React Native, and JHipster - AllTheTalks 2020
byMatt Raible
 
PDF
Native Java with Spring Boot and JHipster - SF JUG 2021
byMatt Raible
 
PDF
Native Java with Spring Boot and JHipster - Garden State JUG 2021
byMatt Raible
 
Security Patterns for Microservice Architectures - SpringOne 2020
byMatt Raible
 
Comparing Native Java REST API Frameworks - Seattle JUG 2022
byMatt Raible
 
Micro Frontends for Java Microservices - Cork JUG 2022
byMatt Raible
 
Micro Frontends for Java Microservices - Dublin JUG 2022
byMatt Raible
 
Full Stack Reactive with React and Spring WebFlux - Switzerland JUG 2020
byMatt Raible
 
Reactive Java Microservices with Spring Boot and JHipster - Spring I/O 2022
byMatt Raible
 
Keep Identities in Sync the SCIMple Way - ApacheCon NA 2022
byMatt Raible
 
Security Patterns for Microservice Architectures - Oktane20
byMatt Raible
 
Security Patterns for Microservice Architectures - London Java Community 2020
byMatt Raible
 
Java REST API Framework Comparison - UberConf 2021
byMatt Raible
 
Comparing Native Java REST API Frameworks - Devoxx France 2022
byMatt Raible
 
Choose Your Own Adventure with JHipster & Kubernetes - Denver JUG 2020
byMatt Raible
 
Microservices for the Masses with Spring Boot, JHipster, and OAuth - Switzerl...
byMatt Raible
 
Micro Frontends for Java Microservices - Belfast JUG 2022
byMatt Raible
 
Get Hip with JHipster - Colorado Springs Open Source User Group 2021
byMatt Raible
 
Reactive Java Microservices with Spring Boot and JHipster - Denver JUG 2021
byMatt Raible
 
Mobile App Development with Ionic, React Native, and JHipster - Connect.Tech ...
byMatt Raible
 
Mobile Development with Ionic, React Native, and JHipster - AllTheTalks 2020
byMatt Raible
 
Native Java with Spring Boot and JHipster - SF JUG 2021
byMatt Raible
 
Native Java with Spring Boot and JHipster - Garden State JUG 2021
byMatt Raible
 

Recently uploaded

PDF
Breaking the Vulnerability Management Cycle with Anchore and Echo
byAnchore
 
PDF
2025_11_19 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
PDF
DSD-INT 2025 MeshKernel and D-Grid Editor - Stout
byDeltares
 
PDF
Presentation Empowerment Technology in ICT
byoryoseiii
 
PDF
DSD-INT 2025 Delft3D FM Suite 2026.01 2D3D - New features + Improvements - Sp...
byDeltares
 
PPTX
Key Benefits of Odoo Customization Services
byCandidRoot Solutions Private Limited
 
PDF
DSD-INT 2025 Modernizing Hydrodynamics in Large Flood Forecasting System - Mi...
byDeltares
 
PDF
CCM_External_Sales_Commissions_Standard_Configuration_2022-3.pdf
byJayLJ
 
PDF
DSD-INT 2025 Exploring different domain decomposition approaches for enhanced...
byDeltares
 
PDF
DSD-INT 2025 Flood Early Warning System for the Trans-African Hydrometeorolog...
byDeltares
 
PDF
Fundamental of Information Systems introduction.pdf
byYeabsraLakew
 
PDF
DSD-INT 2025 REACT - Rapid E-flow Assessment and Communication Tool - Flores
byDeltares
 
PDF
ECFT Case Study: Digital Pilot Transportation System
byMobility Infotech
 
PDF
DSD-INT 2025 Advancing Urban Flood Modeling with Delft3D FM 1D2D - A Pilot St...
byDeltares
 
PDF
DSD-INT 2025 UK Coastal Flooding Incident Guide - Dam
byDeltares
 
PDF
DSD-INT 2025 Understanding the Paraguay River Response to Hard Bottom Dredgin...
byDeltares
 
PDF
DSD-INT 2025 Hydrodynamic and Morphodynamic Modeling with Delft3D FM for an I...
byDeltares
 
PDF
DSD-INT 2025 Transport and Fate of Microplastics in Fluvial System (Rhine Riv...
byDeltares
 
PDF
DSD-INT 2025 The Singapore Regional Model in Delft3D FM - Zijl
byDeltares
 
PDF
DSD-INT 2025 3D Modeling of Shallow Water Dynamics Using Delft3D FM - Martins
byDeltares
 
Breaking the Vulnerability Management Cycle with Anchore and Echo
byAnchore
 
2025_11_19 - OpenMetadata Community Meeting.pdf
byOpenMetadata
 
DSD-INT 2025 MeshKernel and D-Grid Editor - Stout
byDeltares
 
Presentation Empowerment Technology in ICT
byoryoseiii
 
DSD-INT 2025 Delft3D FM Suite 2026.01 2D3D - New features + Improvements - Sp...
byDeltares
 
Key Benefits of Odoo Customization Services
byCandidRoot Solutions Private Limited
 
DSD-INT 2025 Modernizing Hydrodynamics in Large Flood Forecasting System - Mi...
byDeltares
 
CCM_External_Sales_Commissions_Standard_Configuration_2022-3.pdf
byJayLJ
 
DSD-INT 2025 Exploring different domain decomposition approaches for enhanced...
byDeltares
 
DSD-INT 2025 Flood Early Warning System for the Trans-African Hydrometeorolog...
byDeltares
 
Fundamental of Information Systems introduction.pdf
byYeabsraLakew
 
DSD-INT 2025 REACT - Rapid E-flow Assessment and Communication Tool - Flores
byDeltares
 
ECFT Case Study: Digital Pilot Transportation System
byMobility Infotech
 
DSD-INT 2025 Advancing Urban Flood Modeling with Delft3D FM 1D2D - A Pilot St...
byDeltares
 
DSD-INT 2025 UK Coastal Flooding Incident Guide - Dam
byDeltares
 
DSD-INT 2025 Understanding the Paraguay River Response to Hard Bottom Dredgin...
byDeltares
 
DSD-INT 2025 Hydrodynamic and Morphodynamic Modeling with Delft3D FM for an I...
byDeltares
 
DSD-INT 2025 Transport and Fate of Microplastics in Fluvial System (Rhine Riv...
byDeltares
 
DSD-INT 2025 The Singapore Regional Model in Delft3D FM - Zijl
byDeltares
 
DSD-INT 2025 3D Modeling of Shallow Water Dynamics Using Delft3D FM - Martins
byDeltares
 

Web App Security for Java Developers - PWX 2021

  • 1.
    Matt Raible |@mraible December 7, 2021 Web App Security for Java Developers Photo by Michiel Leunens on https://unsplash.com/photos/fBB7FeS4Xas
  • 2.
    @mraible Who is MattRaible? Father, Husband, Skier, Mountain Biker, Whitewater Rafter Bus Lover Web Developer and Java Champion Okta Developer Advocate Blogger on raibledesigns.com and developer.okta.com/blog @mraible
  • 6.
  • 7.
    @mraible Today’s Agenda What isweb app security? 7 simple ways to better app security 3 quick demos 🍃 Spring Boot 🅰 Angular 🤓 JHipster
  • 8.
    What is webapp security?
  • 9.
    1. Use HTTPS 2.Scan your dependencies 3. Use the latest releases 4. Secure your secrets 7 Simple Ways to Better Web App Security 5. Use a Content Security Policy 6. Use OAuth 2.0 and OIDC 7. Prevent Cross-site request forgery (CSRF)
  • 10.
    @mraible 1. Use HTTPSEverywhere! Let’s Encrypt offers free HTTPS certificates certbot can be used to generate certificates mkcert can be used to create localhost certificates Spring Boot Starter ACME for automating certificates
  • 11.
  • 12.
  • 13.
    HTTPS for StaticSites too! https://www.troyhunt.com/heres-why-your-static-website-needs-https
  • 14.
  • 15.
    Force HTTPS inSpring Boot @Configuration public class SecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http.requiresChannel().anyRequest().requiresSecure(); } }
  • 16.
    Force HTTPS inthe Cloud @Configuration public class SecurityConfiguration extends WebSecurityConfigurerAdapter {         @Override         protected void configure(HttpSecurity http) throws Exception {                 http.requiresChannel()                         .requestMatchers(r - > r.getHeader("X-Forwarded-Proto") ! = null)                         .requiresSecure();         } }
  • 17.
    Force HTTPS inSpring WebFlux @EnableWebFluxSecurity public class SecurityConfiguration { @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http.redirectToHttps(withDefaults()); return http.build(); } }
  • 18.
    Force HTTPS inSpring WebFlux + Cloud @EnableWebFluxSecurity public class SecurityConfiguration { @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { http.redirectToHttps(redirect - > redirect .httpsRedirectWhen(e - > e.getRequest().getHeaders().containsKey("X-Forwarded-Proto")) ); return http.build(); } }
  • 19.
    @mraible “Why do weneed HTTPS  inside our network?”
  • 20.
  • 21.
  • 22.
  • 23.
    3. Use theLatest Releases
  • 24.
    How well doyou know your dependencies? Dependency Health Indirect Dependencies Regular Releases Regular commits Dependencies
  • 25.
    Check for Updateswith npm npm i -g npm-check-updates ncu
  • 26.
    Check for Updateswith Maven mvn versions:display-dependency-updates https://www.mojohaus.org/versions-maven-plugin
  • 27.
    Check for Updateswith Gradle plugins { id("se.patrikerdes.use-latest-versions") version "0.2.17" id("com.github.ben-manes.versions") version "0.39.0" . . . } $ ./gradlew useLatestVersions https://github.com/patrikerdes/gradle-use-latest-versions-plugin
  • 28.
  • 29.
    HashiCorp Vault andAzure Key Vault
  • 30.
  • 31.
    5. Use aContent Security Policy
  • 32.
    Default Spring SecurityHeaders Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains X-Frame-Options: DENY X-XSS-Protection: 1; mode=block
  • 33.
    Add a ContentSecurity Policy with Spring Security @EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter {         @Override         protected void configure(HttpSecurity http) throws Exception {                 http.headers()                         .contentSecurityPolicy("script-src 'self' " +                                         "https: / / trustedscripts.example.com; " +                                         "object-src https: / / trustedplugins.example.com; " +                                         "report-uri /csp-report-endpoint/");         } }
  • 34.
    Test Your SecurityHeaders https://securityheaders.com
  • 35.
    @mraible 6. Use OAuth2.0 and OpenID Connect OpenID Connect OAuth 2.0 HTTP OpenID Connect is for authentication 
 OAuth 2.0 is for authorization
  • 36.
    @mraible Authorization Code FlowExample https://developer.okta.com/blog/2019/08/28/reactive-microservices-spring-cloud-gateway
  • 37.
    @mraible Does OAuth 2.0feel like a maze of specs? https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1
  • 38.
    @mraible OAuth 2.1 tothe rescue! https://oauth.net/2.1 PKCE is required for all clients using the authorization code flow Redirect URIs must be compared using exact string matching The Implicit grant is omitted from this specification The Resource Owner Password Credentials grant is omitted from this specification Bearer token usage omits the use of bearer tokens in the query string of URIs Refresh tokens for public clients must either be sender-constrained or one-time use
  • 39.
  • 40.
    Configure CSRF Protectionwith Spring Security @EnableWebSecurity public class SecurityConfiguration extends WebSecurityConfigurerAdapter {       @Override       protected void configure(HttpSecurity http) throws Exception {               http                       .csrf()                       .csrfTokenRepository(                               CookieCsrfTokenRepository.withHttpOnlyFalse());       } }
  • 41.
  • 42.
  • 43.
    1. Use HTTPS 2.Scan your dependencies 3. Use the latest releases 4. Secure your secrets Recap: 7 Simple Ways to Better Web App Security 5. Use a Content Security Policy 6. Use OAuth 2.0 and OIDC 7. Prevent Cross-site request forgery (CSRF)
  • 44.
  • 45.
    Curious About MicroserviceSecurity? https://developer.okta.com/blog/2020/03/23/microservice-security-patterns
  • 46.
    Or Auth SecurityPatterns? https://bit.ly/mraible-springone-2021 https://youtu.be/CebTJ7Nq1Hs
  • 47.
  • 48.