Web App Security for Java Developers
Matt Raible | @mraible
October 8, 2021
Photo by Michiel Leunens on https://unsplash.com/photos/fBB7FeS4Xas
Who is Matt Raible?
- Father, Husband, Skier, Mountain Biker, Whitewater Rafter
- Bus Lover
- Web Developer and Java Champion
- Okta Developer Advocate
- Blogger on raibledesigns.com and developer.okta.com/blog
Today's Agenda
- What is web app security?
- 7 simple ways to better app security
- 3 quick demos
  🍃 Spring Boot
  🅰 Angular
  🤓 JHipster
What is web app security?

7 Simple Ways to Better Web App Security
1. Use HTTPS
2. Scan your dependencies
3. Use the latest releases
4. Secure your secrets
5. Use a Content Security Policy
6. Use OAuth 2.0 and OIDC
7. Prevent Cross-site request forgery (CSRF)
1. Use HTTPS Everywhere!
- Let's Encrypt offers free HTTPS certificates
- certbot can be used to generate certificates
- mkcert can be used to create localhost certificates
- Spring Boot Starter ACME for automating certificates
What is HTTPS? / How HTTPS Works
https://howhttps.works

HTTPS for Static Sites too!
https://www.troyhunt.com/heres-why-your-static-website-needs-https

HTTPS is Easy!
Force HTTPS in Spring Boot

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Redirect every request that did not arrive over TLS to its https:// equivalent
        http.requiresChannel().anyRequest().requiresSecure();
    }
}
Force HTTPS in the Cloud

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Behind a TLS-terminating load balancer, only requests that carry the
        // proxy's X-Forwarded-Proto header are checked. requiresSecure() then asks
        // request.isSecure(), which reflects that header only when the container
        // is told to honour forwarded headers (e.g. server.forward-headers-strategy=native)
        http.requiresChannel()
            .requestMatchers(r -> r.getHeader("X-Forwarded-Proto") != null)
            .requiresSecure();
    }
}
Force HTTPS in Spring WebFlux

import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@EnableWebFluxSecurity
public class SecurityConfiguration {

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // Redirect every plain-HTTP request to HTTPS
        http.redirectToHttps(withDefaults());
        return http.build();
    }
}
Force HTTPS in Spring WebFlux + Cloud

@EnableWebFluxSecurity
public class SecurityConfiguration {

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // Only redirect when the request came through a proxy that sets X-Forwarded-Proto
        http.redirectToHttps(redirect -> redirect
            .httpsRedirectWhen(e -> e.getRequest().getHeaders().containsKey("X-Forwarded-Proto"))
        );
        return http.build();
    }
}
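Both cloud variants above redirect only when X-Forwarded-Proto is present, and Spring's requiresSecure() then trusts request.isSecure() to tell the truth. That is only safe if the container believes forwarded headers exclusively from your own load balancer: a client that can reach an instance directly can otherwise send X-Forwarded-Proto: https itself and skip the redirect. On Spring Boot with Tomcat that trust boundary is configured with server.forward-headers-strategy=native and server.tomcat.remoteip.internal-proxies. The class below is an added example, not code from the talk, that spells out the same decision in plain Java so the check is visible; it handles IPv4 only, and the 10.0.0.0/8 proxy range and the client addresses in main are constructed.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

/**
 * Decides whether a request may be treated as HTTPS when TLS is terminated at a
 * load balancer. X-Forwarded-Proto is only believed when the TCP peer is one of
 * the configured proxies. IPv4 only, to keep the example short (an assumption of
 * this example, not a limitation of Tomcat's RemoteIpValve).
 */
public final class ForwardedProtoPolicy {

    private final List<long[]> trustedRanges = new ArrayList<>(); // {network, mask} pairs

    /** @param trustedProxyCidrs e.g. "10.0.0.0/8", "192.168.1.10/32" */
    public ForwardedProtoPolicy(List<String> trustedProxyCidrs) {
        for (String cidr : trustedProxyCidrs) {
            String[] parts = cidr.split("/");
            long network = toLong(parts[0]);
            int prefix = parts.length > 1 ? Integer.parseInt(parts[1]) : 32;
            long mask = prefix == 0 ? 0L : (0xFFFFFFFFL << (32 - prefix)) & 0xFFFFFFFFL;
            trustedRanges.add(new long[] { network & mask, mask });
        }
    }

    public boolean isTrustedProxy(String remoteAddr) {
        long addr;
        try {
            addr = toLong(remoteAddr);
        } catch (IllegalArgumentException e) {
            return false;
        }
        for (long[] range : trustedRanges) {
            if ((addr & range[1]) == range[0]) {
                return true;
            }
        }
        return false;
    }

    /**
     * @param remoteAddr     TCP peer address as the container sees it
     * @param directTls      true if this container terminated TLS itself
     * @param forwardedProto raw X-Forwarded-Proto header value, or null if absent
     */
    public boolean isSecure(String remoteAddr, boolean directTls, String forwardedProto) {
        if (directTls) {
            return true;
        }
        if (forwardedProto == null || !isTrustedProxy(remoteAddr)) {
            return false; // header absent, or sent by something other than our proxy
        }
        // Chained proxies append values ("https, http"); the first is the scheme the client used
        String clientScheme = forwardedProto.split(",")[0].trim();
        return "https".equalsIgnoreCase(clientScheme);
    }

    /** Mirrors requiresSecure(): a request that is not secure must be redirected. */
    public boolean requiresRedirect(String remoteAddr, boolean directTls, String forwardedProto) {
        return !isSecure(remoteAddr, directTls, forwardedProto);
    }

    private static long toLong(String ipv4) {
        try {
            byte[] octets = InetAddress.getByName(ipv4.trim()).getAddress();
            if (octets.length != 4) {
                throw new IllegalArgumentException("IPv4 literal expected: " + ipv4);
            }
            long value = 0;
            for (byte b : octets) {
                value = (value << 8) | (b & 0xFF);
            }
            return value;
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException("Not an IP literal: " + ipv4, e);
        }
    }

    public static void main(String[] args) {
        // Constructed scenario: the load balancer lives in 10.0.0.0/8
        ForwardedProtoPolicy policy = new ForwardedProtoPolicy(List.of("10.0.0.0/8"));
        System.out.println("via LB, client used https : redirect=" + policy.requiresRedirect("10.1.2.3", false, "https"));
        System.out.println("via LB, client used http  : redirect=" + policy.requiresRedirect("10.1.2.3", false, "http"));
        System.out.println("direct hit, forged header : redirect=" + policy.requiresRedirect("203.0.113.7", false, "https"));
        System.out.println("direct TLS to the app     : redirect=" + policy.requiresRedirect("203.0.113.7", true, null));
    }
}
```

The third case is the one that matters: the forged header from an untrusted peer is ignored, so the request is still redirected. Run with `java ForwardedProtoPolicy.java` (Java 11+ single-file launch).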
"Why do we need HTTPS inside our network?"
2. Scan Your Dependencies
GitHub + Dependabot
Full-featured Dependency Scanners
3. Use the Latest Releases
How well do you know your dependencies?
(Diagram: dependency health, indirect dependencies, regular releases, regular commits)
Check for Updates with npm
npm i -g npm-check-updates

ncu
Check for Updates with Maven
mvn versions:display-dependency-updates

https://www.mojohaus.org/versions-maven-plugin
Check for Updates with Gradle
plugins {
    id("se.patrikerdes.use-latest-versions") version "0.2.17"
    id("com.github.ben-manes.versions") version "0.39.0"
    // ...
}

$ ./gradlew useLatestVersions
https://github.com/patrikerdes/gradle-use-latest-versions-plugin
4. Secure Your Secrets
HashiCorp Vault and Azure Key Vault
Secure Secrets With Spring Cloud Config and Vault
https://developer.okta.com/blog/2020/05/04/spring-vault
5. Use a Content Security Policy

Default Spring Security Headers
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
(Strict-Transport-Security is only written on requests Spring sees as HTTPS, so the forwarded-header handling from section 1 matters here too.)
Add a Content Security Policy with Spring Security

@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers()
            .contentSecurityPolicy("script-src 'self' https://trustedscripts.example.com; " +
                                   "object-src https://trustedplugins.example.com; " +
                                   "report-uri /csp-report-endpoint/");
    }
}
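The policy above points report-uri at /csp-report-endpoint/, but nothing in the deck handles those POSTs. Below is an added example, not code from the talk, of the two pieces a practitioner needs next: the same policy in report-only mode, so it can be tuned against real traffic before it blocks anything, with the report path exempted from CSRF and authentication because browsers post reports without a token or a session; and a controller that parses the application/csp-report body. default-src 'self' is added here (without it, images, styles, fetches and frames are unrestricted); the example.com hosts, the sample report, and the class names are constructed. It uses Spring Security 5.x / Spring Boot 2.x APIs, the ones the deck uses; WebSecurityConfigurerAdapter is deprecated from Spring Security 5.7 and removed in 6.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;

import java.io.IOException;

@EnableWebSecurity
public class CspReportingConfiguration extends WebSecurityConfigurerAdapter {

    static final String REPORT_PATH = "/csp-report-endpoint/";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers()
            .contentSecurityPolicy(
                "default-src 'self'; " +                                  // added here; the deck's policy has no default-src
                "script-src 'self' https://trustedscripts.example.com; " +
                "object-src https://trustedplugins.example.com; " +
                "report-uri " + REPORT_PATH)
            .reportOnly(); // sends Content-Security-Policy-Report-Only: browsers report but do not block
        // Browsers POST reports with no CSRF token and no session, so exempt the endpoint from both
        http.csrf().ignoringAntMatchers(REPORT_PATH);
        http.authorizeRequests()
            .antMatchers(REPORT_PATH).permitAll()
            .anyRequest().authenticated();
    }
}

// Second class in the same file for brevity; in a real project give it its own file.
@RestController
class CspReportController {

    private static final Logger log = LoggerFactory.getLogger(CspReportController.class);
    private static final ObjectMapper mapper = new ObjectMapper();

    // Browsers send Content-Type: application/csp-report, which Spring's JSON converter
    // does not claim, so read the body as a String and parse it ourselves
    @PostMapping(value = CspReportingConfiguration.REPORT_PATH, consumes = "application/csp-report")
    @ResponseStatus(HttpStatus.NO_CONTENT)
    public void report(@RequestBody String body) throws IOException {
        log.warn("CSP violation: {}", summarize(mapper.readTree(body)));
    }

    /** Pulls the fields worth alerting on out of a report; a missing field reads as "?" rather than throwing. */
    static String summarize(JsonNode report) {
        JsonNode r = report.path("csp-report");
        return r.path("document-uri").asText("?")
            + " violated " + r.path("effective-directive").asText(r.path("violated-directive").asText("?"))
            + " by loading " + r.path("blocked-uri").asText("?");
    }

    /** Constructed report in the shape Chrome and Firefox send, to exercise summarize() offline. */
    static final String SAMPLE_REPORT = "{\"csp-report\":{"
        + "\"document-uri\":\"https://app.example.com/dashboard\","
        + "\"violated-directive\":\"script-src 'self' https://trustedscripts.example.com\","
        + "\"effective-directive\":\"script-src\","
        + "\"blocked-uri\":\"https://evil.example.net/miner.js\"}}";

    public static void main(String[] args) throws IOException {
        System.out.println(summarize(mapper.readTree(SAMPLE_REPORT)));
    }
}
```

Once the report stream is quiet on legitimate pages, drop .reportOnly() to start enforcing. Rate-limit or sample the endpoint in production: any client can POST to it, and a noisy browser extension can generate thousands of reports.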
Test Your Security Headers
https://securityheaders.com
6. Use OAuth 2.0 and OpenID Connect
(Diagram: OpenID Connect layered on top of OAuth 2.0, which runs over HTTP)
OpenID Connect is for authentication
OAuth 2.0 is for authorization
Authorization Code Flow Example
https://developer.okta.com/blog/2019/08/28/reactive-microservices-spring-cloud-gateway
Does OAuth 2.0 feel like a maze of specs?
https://aaronparecki.com/2019/12/12/21/its-time-for-oauth-2-dot-1
OAuth 2.1 to the rescue!
https://oauth.net/2.1
- PKCE is required for all clients using the authorization code flow
- Redirect URIs must be compared using exact string matching
- The Implicit grant is omitted from this specification
- The Resource Owner Password Credentials grant is omitted from this specification
- Bearer token usage omits the use of bearer tokens in the query string of URIs
- Refresh tokens for public clients must either be sender-constrained or one-time use
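The first two OAuth 2.1 rules are mechanical enough to show in code. As an added example, not part of the talk, the class below implements PKCE with the S256 method from RFC 7636 (client side: verifier and challenge; server side: verification at the token endpoint) and the exact-match redirect URI check, then exercises both in main. The RFC 7636 Appendix B test vector is real; the registered redirect URI and the attacker inputs are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Set;

/** PKCE (RFC 7636, S256) and exact redirect_uri matching, as OAuth 2.1 requires. */
public final class OAuth21Checks {

    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();
    private static final SecureRandom RNG = new SecureRandom();

    // --- client side ---------------------------------------------------------

    /** 32 random bytes, base64url-encoded: 43 characters, within RFC 7636's 43..128 limit. */
    public static String newCodeVerifier() {
        byte[] random = new byte[32];
        RNG.nextBytes(random);
        return B64URL.encodeToString(random);
    }

    /** code_challenge = BASE64URL(SHA-256(ASCII(code_verifier))); sent with the authorization request. */
    public static String codeChallengeS256(String codeVerifier) {
        return B64URL.encodeToString(sha256(codeVerifier.getBytes(StandardCharsets.US_ASCII)));
    }

    // --- authorization server side ------------------------------------------

    /**
     * At the token endpoint: recompute the challenge from the presented code_verifier and
     * compare it with the one stored next to the authorization code. A stolen code is
     * useless without the verifier, which never left the legitimate client.
     */
    public static boolean verifyPkce(String storedChallenge, String presentedVerifier) {
        if (storedChallenge == null || presentedVerifier == null) {
            return false;
        }
        int len = presentedVerifier.length();
        if (len < 43 || len > 128) {
            return false;
        }
        byte[] expected = sha256(presentedVerifier.getBytes(StandardCharsets.US_ASCII));
        byte[] stored;
        try {
            stored = Base64.getUrlDecoder().decode(storedChallenge);
        } catch (IllegalArgumentException notBase64Url) {
            return false;
        }
        return MessageDigest.isEqual(expected, stored); // constant-time comparison
    }

    /** redirect_uri must equal a registered value byte for byte: no prefix, path or wildcard matching. */
    public static boolean redirectUriAllowed(Set<String> registeredRedirectUris, String requestedRedirectUri) {
        return requestedRedirectUri != null && registeredRedirectUris.contains(requestedRedirectUri);
    }

    private static byte[] sha256(byte[] input) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(input);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    public static void main(String[] args) {
        // Test vector from RFC 7636, Appendix B
        String rfcVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        String rfcChallenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
        System.out.println("RFC 7636 vector reproduced: " + codeChallengeS256(rfcVerifier).equals(rfcChallenge));

        // The client that started the flow finishes it
        String verifier = newCodeVerifier();
        String challenge = codeChallengeS256(verifier);
        System.out.println("legitimate client : " + verifyPkce(challenge, verifier));
        // An attacker intercepted the authorization code but holds no verifier
        System.out.println("intercepted code  : " + verifyPkce(challenge, newCodeVerifier()));

        // Constructed client registration with one exact redirect URI
        Set<String> registered = Set.of("https://app.example.com/login/oauth2/code/okta");
        System.out.println("exact match       : " + redirectUriAllowed(registered, "https://app.example.com/login/oauth2/code/okta"));
        System.out.println("path traversal    : " + redirectUriAllowed(registered, "https://app.example.com/login/oauth2/code/okta/../evil"));
        System.out.println("look-alike host   : " + redirectUriAllowed(registered, "https://app.example.com.attacker.net/login/oauth2/code/okta"));
    }
}
```

Spring Security's OAuth 2.0 client support sends PKCE for public clients automatically; this block is there to make visible what the server checks and why the exact-match rule exists (the last two inputs are the classic ways a loose redirect URI comparison leaks authorization codes).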
7. Prevent CSRF Attacks

Configure CSRF Protection with Spring Security

import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Store the CSRF token in an XSRF-TOKEN cookie that JavaScript can read,
        // so a SPA (e.g. Angular's HttpClientXsrfModule) can echo it back in the
        // X-XSRF-TOKEN header on every state-changing request
        http
            .csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
SameSite Cookies
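To see what CookieCsrfTokenRepository.withHttpOnlyFalse() actually relies on, and where SameSite fits, here is the double-submit cookie pattern written out in plain Java. This is an added example, not code from the talk or from Spring Security: the server issues a random token in a cookie that JavaScript may read, the SPA copies it into a request header, and the server accepts a state-changing request only when cookie and header agree. The cookie and header names are the defaults Angular and Spring Security share; the four requests in main are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Double-submit cookie CSRF protection. A cross-site page can make the browser send
 * our cookie, but cannot read it and cannot set a custom header on the request, so a
 * forged request never carries a matching header.
 */
public final class CsrfDoubleSubmit {

    /** Defaults shared by Angular's HttpClientXsrfModule and Spring Security's CookieCsrfTokenRepository. */
    public static final String COOKIE_NAME = "XSRF-TOKEN";
    public static final String HEADER_NAME = "X-XSRF-TOKEN";

    private static final SecureRandom RNG = new SecureRandom();

    public static String newToken() {
        byte[] bytes = new byte[32];
        RNG.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /**
     * Set-Cookie value. No HttpOnly, because the SPA must read it. Secure keeps it off plain HTTP.
     * SameSite=Strict stops the browser attaching it to any cross-site request, which on its own
     * defeats the classic CSRF form post; the header check stays as defence in depth and for
     * browsers that ignore SameSite.
     */
    public static String setCookieHeader(String token) {
        return COOKIE_NAME + "=" + token + "; Path=/; Secure; SameSite=Strict";
    }

    /** The same methods Spring Security's CsrfFilter treats as safe: no token required. */
    static boolean isSafeMethod(String method) {
        return "GET".equals(method) || "HEAD".equals(method)
            || "TRACE".equals(method) || "OPTIONS".equals(method);
    }

    /** @return true if the request may proceed */
    public static boolean isValid(String method, String cookieToken, String headerToken) {
        if (isSafeMethod(method)) {
            return true;
        }
        if (cookieToken == null || headerToken == null) {
            return false;
        }
        return MessageDigest.isEqual(
            cookieToken.getBytes(StandardCharsets.UTF_8),
            headerToken.getBytes(StandardCharsets.UTF_8)); // constant-time compare
    }

    public static void main(String[] args) {
        String token = newToken();
        System.out.println("Set-Cookie: " + setCookieHeader(token));
        // Constructed requests:
        // 1. Angular app: browser sends the cookie, HttpClientXsrfModule adds the header
        System.out.println("same-origin SPA POST : " + isValid("POST", token, token));
        // 2. Attacker's page auto-submits a form to our API: cookie rides along, header cannot be set
        System.out.println("cross-site form POST : " + isValid("POST", token, null));
        // 3. Attacker invents a header value; it cannot match the victim's cookie
        System.out.println("guessed header       : " + isValid("POST", token, newToken()));
        // 4. Reads do not change state and are not checked
        System.out.println("cross-site GET       : " + isValid("GET", token, null));
    }
}
```

Case 4 is the reason CSRF protection is only as good as your verbs: a GET endpoint that changes state bypasses all of this. For the session cookie itself, Spring Boot 2.6 and later expose server.servlet.session.cookie.same-site, so the SameSite attribute can be set without custom code.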
Demos!
🍃 🅰 🤓
Recap: 7 Simple Ways to Better Web App Security
1. Use HTTPS
2. Scan your dependencies
3. Use the latest releases
4. Secure your secrets
5. Use a Content Security Policy
6. Use OAuth 2.0 and OIDC
7. Prevent Cross-site request forgery (CSRF)
developer.okta.com/blog
@oktadev

Curious About Microservice Security?
https://developer.okta.com/blog/2020/03/23/microservice-security-patterns

Or Auth Security Patterns?
https://bit.ly/mraible-springone-2021
https://youtu.be/CebTJ7Nq1Hs

Thanks! Keep in Touch
- raibledesigns.com
- @mraible
- Presentations: speakerdeck.com/mraible
- Code: github.com/oktadev
