Spring Boot Security Guidelines

Apply Spring Boot security best practices with secure-by-default API boundaries.

What is covered in this Skill?

• Spring Security configuration and SecurityFilterChain setup
• Authentication and authorization policies for endpoints
• Method-level security (@PreAuthorize / @Secured)
• Principle of least privilege for roles and scopes
• Secure error handling and denial responses
• Sensitive data handling in logs and responses

Scope: Apply recommendations based on the reference rules and good/bad examples.

Constraints

Before applying security changes, ensure the project compiles. After improvements, run full verification.

• MANDATORY: Run ./mvnw compile or mvn compile before applying any change
• SAFETY: If compilation fails, stop immediately
• VERIFY: Run ./mvnw clean verify or mvn clean verify after applying improvements
• BEFORE APPLYING: Read the reference for detailed rules and examples

When to use this skill

• Add Spring Boot security support
• Review Spring Boot security configuration
• Improve API authorization in Spring Boot
• Add JWT resource server security in Spring Boot
• Harden Spring Boot security headers and CSRF settings
• Implement method security with @PreAuthorize in Spring Boot

Workflow

1. Read reference and assess project context

Read references/304-frameworks-spring-boot-security.md and inspect the current project setup before proposing changes.

2. Gather scope and decide target improvements

Identify requested outcomes, constraints, and the minimum safe set of changes to apply.

3. Apply framework-aligned changes

Implement or refactor security-related configuration/code following the reference patterns and project conventions.

4. Run verification and report results

Execute appropriate build/tests and summarize what changed, what was verified, and any follow-up actions.

Reference

For detailed guidance, examples, and constraints, see references/304-frameworks-spring-boot-security.md.