Matt Raible | @mraible
December 7, 2021
Web App Security for Java Developers
Photo by Michiel Leunens on https://unsplash.com/photos/fBB7FeS4Xas
Who is Matt Raible?
Father, Husband, Skier, Mountain Biker, Whitewater Rafter
Bus Lover
Web Developer and Java Champion
Okta Developer Advocate
Blogger on raibledesigns.com and developer.okta.com/blog
developer.okta.com
Today’s Agenda
What is web app security?
7 simple ways to better app security
3 quick demos
🍃 Spring Boot
🅰 Angular
🤓 JHipster
What is web app security?
7 Simple Ways to Better Web App Security
1. Use HTTPS
2. Scan your dependencies
3. Use the latest releases
4. Secure your secrets
5. Use a Content Security Policy
6. Use OAuth 2.0 and OIDC
7. Prevent Cross-site request forgery (CSRF)
1. Use HTTPS Everywhere!
Let’s Encrypt offers free HTTPS certificates
certbot can be used to generate certificates
mkcert can be used to create localhost certificates
Spring Boot Starter ACME for automating certificates
What is HTTPS? / How HTTPS Works
https://howhttps.works
HTTPS for Static Sites too!
https://www.troyhunt.com/heres-why-your-static-website-needs-https
HTTPS is Easy!
Force HTTPS in Spring Boot
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Redirect any request that arrived over plain HTTP to its HTTPS equivalent.
        http.requiresChannel().anyRequest().requiresSecure();
    }
}
Force HTTPS in the Cloud
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Enforce HTTPS only when a reverse proxy is in front (it sets
        // X-Forwarded-Proto), so a local run without a proxy is not redirected.
        http.requiresChannel()
            .requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null)
            .requiresSecure();
    }
}
Note: requiresSecure() decides using request.isSecure(), which stays false behind a TLS-terminating proxy unless the X-Forwarded-Proto header is applied to the request. In Spring Boot set server.forward-headers-strategy=native (Tomcat then honours the header only from addresses matching server.tomcat.remoteip.internal-proxies, private ranges by default) or framework. Without it every request looks insecure and the redirect loops.
Force HTTPS in Spring WebFlux
@EnableWebFluxSecurity
public class SecurityConfiguration {

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // withDefaults() is the static import
        // org.springframework.security.config.Customizer.withDefaults
        http.redirectToHttps(withDefaults());
        return http.build();
    }
}
Force HTTPS in Spring WebFlux + Cloud
@EnableWebFluxSecurity
public class SecurityConfiguration {

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // Redirect only when a proxy set X-Forwarded-Proto, so local runs without
        // one are left alone. The scheme is taken from the request URI, so set
        // server.forward-headers-strategy=native for the proxy's header to be applied
        // (Reactor Netty, Tomcat, Jetty and Undertow all support this natively).
        http.redirectToHttps(redirect -> redirect
            .httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"))
        );
        return http.build();
    }
}
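The same behind-a-proxy redirect as an added example that is not from the deck, written in the SecurityFilterChain bean style (WebSecurityConfigurerAdapter is deprecated since Spring Security 5.7 and removed in 6.0) with HSTS on top. It assumes Spring Boot 2.7 or later, spring-boot-starter-oauth2-client with a provider registered in application.properties, a TLS-terminating reverse proxy that sets X-Forwarded-Proto, and server.forward-headers-strategy=native; the class and bean names are the example's own.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Added example (not from the deck): HTTPS enforcement behind a reverse proxy,
// component-style. Assumes server.forward-headers-strategy=native so that
// request.isSecure() reflects X-Forwarded-Proto from a trusted proxy.
@Configuration
@EnableWebSecurity
public class HttpsSecurityConfiguration {

    @Bean
    SecurityFilterChain httpsFilterChain(HttpSecurity http) throws Exception {
        http
            // Enforce HTTPS only when a proxy is in front (it sets X-Forwarded-Proto);
            // a plain local run stays reachable over http://localhost.
            .requiresChannel(channel -> channel
                .requestMatchers(request -> request.getHeader("X-Forwarded-Proto") != null)
                .requiresSecure())
            // HSTS: once a browser has seen one HTTPS response it refuses plain HTTP
            // to this host and its subdomains for a year. Spring Security writes the
            // header only on requests it considers secure, so a forgotten
            // forward-headers setting also silently drops it.
            .headers(headers -> headers
                .httpStrictTransportSecurity(hsts -> hsts
                    .includeSubDomains(true)
                    .preload(true)
                    .maxAgeInSeconds(31536000)))
            // Assumed: everything requires login via the registered OIDC provider.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2Login(withDefaults());
        return http.build();
    }
}
```

To check it, send a plain request through the proxy and expect a 302 with an https:// Location, then fetch the HTTPS URL and expect the Strict-Transport-Security header. If the proxy is not in a private address range, add its address to server.tomcat.remoteip.internal-proxies, otherwise Tomcat ignores its X-Forwarded-Proto.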
“Why do we need HTTPS inside our network?”
2. Scan Your Dependencies
GitHub + Dependabot
Full-featured Dependency Scanners
3. Use the Latest Releases
How well do you know your dependencies? (diagram: dependency health, indirect dependencies, regular releases, regular commits)
Check for Updates with npm
npm i -g npm-check-updates

ncu
Check for Updates with Maven
mvn versions:display-dependency-updates
https://www.mojohaus.org/versions-maven-plugin
Check for Updates with Gradle
plugins {
    id("se.patrikerdes.use-latest-versions") version "0.2.17"
    id("com.github.ben-manes.versions") version "0.39.0"
    ...
}
$ ./gradlew useLatestVersions
https://github.com/patrikerdes/gradle-use-latest-versions-plugin
4. Secure Your Secrets
HashiCorp Vault and Azure Key Vault
https://developer.okta.com/blog/2020/05/04/spring-vault
Secure Secrets With Spring Cloud Config and Vault
5. Use a Content Security Policy
Default Spring Security Headers
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Two caveats: Strict-Transport-Security is only written when request.isSecure() is true, so it disappears behind a TLS-terminating proxy whose X-Forwarded-Proto header is not applied; and browsers have since removed the XSS auditor that X-XSS-Protection drove, so newer Spring Security releases send X-XSS-Protection: 0 and rely on a Content Security Policy instead. There is no Content-Security-Policy in the defaults; you have to add one.
Add a Content Security Policy with Spring Security
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Scripts may only load from this origin and one trusted CDN, plugins
        // only from one host; violations are POSTed to the report endpoint.
        http.headers()
            .contentSecurityPolicy("script-src 'self' https://trustedscripts.example.com; " +
                                   "object-src https://trustedplugins.example.com; " +
                                   "report-uri /csp-report-endpoint/");
    }
}
This policy constrains only script-src and object-src; add a default-src (for example 'self') so every other fetch type is covered too. Roll a new policy out with .reportOnly() first, which sends Content-Security-Policy-Report-Only and reports without blocking, then switch to enforcing once the reports are clean. The report endpoint must accept anonymous POSTs and be excluded from CSRF protection, or every report is rejected with 403.
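A receiver for the report-uri named in the policy, added here as an example and not code from the deck. It assumes Spring Boot 2.7 or later on Java 17 (records), that /csp-report-endpoint/ is permitted for anonymous POSTs and excluded from CSRF protection in the security config, and the class and record names are the example's own.

```java
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Added example (not from the deck): the endpoint behind report-uri /csp-report-endpoint/.
// Browsers POST {"csp-report": {...}} with Content-Type application/csp-report.
@RestController
public class CspReportController {

    private static final Logger log = LoggerFactory.getLogger(CspReportController.class);
    private static final int MAX_REPORT_CHARS = 16 * 1024; // reports are small; cap the body
    private final ObjectMapper mapper;

    public CspReportController(ObjectMapper mapper) {
        this.mapper = mapper;
    }

    // application/csp-report is not a *+json media type, so Spring's Jackson converter
    // will not bind it (the request would get 415). Take the raw body and parse it here.
    @PostMapping(path = "/csp-report-endpoint/", consumes = MediaType.ALL_VALUE)
    public ResponseEntity<Void> receive(@RequestBody String body) {
        if (body.length() > MAX_REPORT_CHARS) {
            return ResponseEntity.status(HttpStatus.PAYLOAD_TOO_LARGE).build();
        }
        CspReport report;
        try {
            report = mapper.readValue(body, ReportEnvelope.class).report();
        } catch (JsonProcessingException e) {
            return ResponseEntity.badRequest().build();
        }
        if (report == null || report.violatedDirective() == null) {
            return ResponseEntity.badRequest().build();
        }
        // Anyone can POST here, so treat every field as attacker-controlled: log it as
        // data, never interpret it, and rate-limit or alert on floods in the log pipeline.
        log.warn("CSP violation: directive={} blocked={} document={} sample={}",
                report.violatedDirective(), report.blockedUri(),
                report.documentUri(), report.scriptSample());
        return ResponseEntity.noContent().build();
    }

    @JsonIgnoreProperties(ignoreUnknown = true)
    public record ReportEnvelope(@JsonProperty("csp-report") CspReport report) {}

    @JsonIgnoreProperties(ignoreUnknown = true)
    public record CspReport(
            @JsonProperty("document-uri") String documentUri,
            @JsonProperty("violated-directive") String violatedDirective,
            @JsonProperty("effective-directive") String effectiveDirective,
            @JsonProperty("blocked-uri") String blockedUri,
            @JsonProperty("script-sample") String scriptSample) {}
}
```

In the security configuration the path needs permitAll() and csrf().ignoringAntMatchers("/csp-report-endpoint/") (ignoringRequestMatchers in Spring Security 6); without the CSRF exemption the browser's report POST, which carries no token, is rejected before it reaches the controller.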
Test Your Security Headers
https://securityheaders.com
6. Use OAuth 2.0 and OpenID Connect
(diagram: OpenID Connect layered on OAuth 2.0, layered on HTTP)
OpenID Connect is for authentication
OAuth 2.0 is for authorization
Authorization Code Flow Example
https://developer.okta.com/blog/2019/08/28/reactive-microservices-spring-cloud-gateway
Does OAuth 2.0 feel like a maze of specs?
https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1
OAuth 2.1 to the rescue!
https://oauth.net/2.1
PKCE is required for all clients using the authorization code flow
Redirect URIs must be compared using exact string matching
The Implicit grant is omitted from this specification
The Resource Owner Password Credentials grant is omitted from this specification
Bearer token usage omits the use of bearer tokens in the query string of URIs
Refresh tokens for public clients must either be sender-constrained or one-time use
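What the first two OAuth 2.1 rules mean in code, as an added example that is not from the deck: a PKCE code_verifier/code_challenge pair (S256, RFC 7636), the check the authorization server performs at the token endpoint, and exact-match redirect URI validation. Plain Java 11+, no Spring; Spring Security's OAuth client generates the PKCE pair itself for public clients (client-authentication-method none), so this shows what it does rather than something you would write yourself. The class name, the registered redirect URI and the rejected one are the example's own; the verifier/challenge pair in main is the RFC 7636 Appendix B test vector.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;

// Added example (not from the deck): PKCE and exact redirect URI matching.
public final class Pkce {

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    // RFC 7636: code_verifier is 43..128 characters of [A-Za-z0-9-._~].
    // 32 random bytes base64url-encoded give 43 characters with 256 bits of entropy.
    public static String newCodeVerifier() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return B64URL.encodeToString(bytes);
    }

    // code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), code_challenge_method=S256.
    // The client sends the challenge on the authorize request and the verifier on
    // the token request, so a stolen authorization code alone is useless.
    public static String codeChallenge(String verifier) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] digest = sha256.digest(verifier.getBytes(StandardCharsets.US_ASCII));
            return B64URL.encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    // The authorization server's check at the token endpoint. Constant-time compare,
    // as for any secret-derived value.
    public static boolean verifierMatches(String verifier, String challenge) {
        byte[] expected = codeChallenge(verifier).getBytes(StandardCharsets.US_ASCII);
        byte[] presented = challenge.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, presented);
    }

    // OAuth 2.1: redirect_uri is compared to the registered values by exact string
    // match. No prefix, wildcard or path normalisation, which is what lets
    // open-redirect and path-traversal tricks steal authorization codes.
    public static boolean redirectUriAllowed(String requested, Set<String> registered) {
        return registered.contains(requested);
    }

    public static void main(String[] args) {
        String verifier = newCodeVerifier();
        System.out.println("code_verifier  = " + verifier);
        System.out.println("code_challenge = " + codeChallenge(verifier));

        // RFC 7636 Appendix B test vector.
        String rfcVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        String rfcChallenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
        System.out.println("RFC vector matches: " + verifierMatches(rfcVerifier, rfcChallenge));

        // Assumed registration for illustration.
        Set<String> registered = Set.of("https://app.example.com/login/oauth2/code/okta");
        System.out.println("exact match allowed: "
                + redirectUriAllowed("https://app.example.com/login/oauth2/code/okta", registered));
        System.out.println("variant allowed: "
                + redirectUriAllowed("https://app.example.com/login/oauth2/code/okta/../evil", registered));
    }
}
```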
7. Prevent CSRF Attacks
Configure CSRF Protection with Spring Security
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Store the token in an XSRF-TOKEN cookie that JavaScript may read, so a
        // single-page app (Angular does this out of the box) can echo it back in
        // the X-XSRF-TOKEN header on every state-changing request.
        http
            .csrf()
            .csrfTokenRepository(
                CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
CSRF protection is on by default in Spring Security; this only changes where the token lives. Disabling it (csrf().disable()) is appropriate only for APIs that never authenticate with cookies, such as resource servers that accept bearer tokens in the Authorization header.
SameSite Cookies
SameSite=Lax (what Chrome assumes for cookies without the attribute since version 80) or Strict stops the browser sending the session cookie on cross-site POSTs, which closes most CSRF paths as defence in depth rather than a replacement for tokens. In Spring Boot 2.6+ set server.servlet.session.cookie.same-site=lax for the session cookie. Strict breaks OIDC logins, because the redirect back from the identity provider is a cross-site navigation and the session cookie is not sent with it; Lax allows it for top-level GET navigations, but not for a form_post response mode.
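The slide's cookie-based CSRF setup for an Angular front end, as an added example not from the deck, written for Spring Security 6 (Spring Boot 3), where the token is loaded lazily and the XSRF-TOKEN cookie would otherwise never be set on a plain GET. It assumes spring-boot-starter-security 3.x; the class and bean names are the example's own, and the excluded /csp-report-endpoint/ path stands in for any endpoint that must accept token-less cross-origin POSTs.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;

// Added example (not from the deck): cookie-based CSRF tokens for an SPA on
// Spring Security 6, where deferred token loading changes the 5.x behaviour.
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfiguration {

    @Bean
    SecurityFilterChain csrfFilterChain(HttpSecurity http) throws Exception {
        // Resolves the token from the X-XSRF-TOKEN header (or _csrf parameter) without
        // the XOR masking Spring applies to tokens rendered into HTML. Angular sends the
        // raw cookie value back, so the unmasked comparison is the one we want.
        CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();
        // A null attribute name opts out of deferred loading: the token is generated on
        // the first request and the cookie written on its response, so Angular's
        // HttpClientXsrfModule has something to read before the first POST.
        requestHandler.setCsrfRequestAttributeName(null);

        http
            .csrf(csrf -> csrf
                // HttpOnly must be false: the SPA reads XSRF-TOKEN from document.cookie.
                // The token is not a secret from the user, only from other origins.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .csrfTokenRequestHandler(requestHandler)
                // Endpoints that legitimately receive cross-origin POSTs without a token,
                // such as a CSP report receiver, are listed explicitly rather than
                // switching CSRF protection off as a whole.
                .ignoringRequestMatchers("/csp-report-endpoint/"))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/csp-report-endpoint/").permitAll()
                .anyRequest().authenticated());
        return http.build();
    }
}
```

The cookie name XSRF-TOKEN and header name X-XSRF-TOKEN are Spring's defaults and match what Angular's HttpClientXsrfModule uses, so no front-end configuration is needed. A quick check: a GET to any page should set the XSRF-TOKEN cookie, and a POST that omits the X-XSRF-TOKEN header should get 403.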
Demos!
🍃 🅰 🤓
Recap: 7 Simple Ways to Better Web App Security
1. Use HTTPS
2. Scan your dependencies
3. Use the latest releases
4. Secure your secrets
5. Use a Content Security Policy
6. Use OAuth 2.0 and OIDC
7. Prevent Cross-site request forgery (CSRF)
developer.okta.com/blog
@oktadev
Curious About Microservice Security?
https://developer.okta.com/blog/2020/03/23/microservice-security-patterns
Or Auth Security Patterns?
https://bit.ly/mraible-springone-2021
https://youtu.be/CebTJ7Nq1Hs
Thanks!
Keep in Touch
raibledesigns.com
@mraible
Presentations
speakerdeck.com/mraible
Code
github.com/oktadev
