Introduction
Your team has built a sophisticated Spring Boot microservices architecture serving enterprise clients. The framework's convention-over-configuration approach accelerated development, but one day you discover attackers exploiting an exposed actuator endpoint to extract environment variables—including database credentials and API keys.
Spring Boot applications face unique security challenges. Actuator endpoints can expose sensitive operational data, auto-configured security may not match your requirements, and the framework's flexibility means developers must make deliberate security decisions. This guide covers essential Spring Security configuration, common vulnerability patterns, and why AI-agentic testing provides comprehensive coverage for Spring Boot applications.
Understanding the Risk
Spring Boot vulnerabilities often stem from misconfiguration rather than code defects.
Exposed Actuator Endpoints: Spring Boot Actuator provides operational endpoints for monitoring:
# Dangerous: Exposes all actuator endpoints
management:
endpoints:
web:
exposure:
include: "*"The /env endpoint reveals environment variables, /heapdump can leak memory contents.
Insufficient Authentication Rules: Spring Security's filter chain requires careful configuration:
// Vulnerable: Order matters - permitAll() before authenticated()
http.authorizeHttpRequests(auth -> auth
.requestMatchers("/**").permitAll() // Catches everything
.requestMatchers("/admin/**").authenticated() // Never reached
);Mass Assignment: Spring's data binding automatically maps request parameters to objects:
// Vulnerable: Binds all request parameters to User object
@PostMapping("/profile")
public void updateProfile(@ModelAttribute User user) {
userRepository.save(user); // Attacker could set user.role = "ADMIN"
}Prevention Best Practices
Secure Actuator Configuration
Limit actuator exposure and require authentication:
management:
endpoints:
web:
exposure:
include: health,info,metrics
base-path: /internal/actuator
endpoint:
health:
show-details: when_authorized
env:
enabled: false
heapdump:
enabled: falseSecure actuator endpoints with Spring Security:
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(auth -> auth
.requestMatchers("/internal/actuator/**").hasRole("ADMIN")
.requestMatchers("/api/public/**").permitAll()
.requestMatchers("/api/**").authenticated()
.anyRequest().denyByDefault()
).httpBasic(Customizer.withDefaults());
return http.build();
}
}Input Validation and Output Encoding
Use validation annotations and DTOs to control data binding:
public class UserUpdateRequest {
@NotBlank
@Size(max = 100)
private String name;
@Email
private String email;
}
@PostMapping("/profile")
public ResponseEntity<?> updateProfile(
@Valid @RequestBody UserUpdateRequest request,
@AuthenticationPrincipal UserDetails user) {
User existingUser = userService.findByUsername(user.getUsername());
existingUser.setName(request.getName());
existingUser.setEmail(request.getEmail());
userService.save(existingUser);
return ResponseEntity.ok().build();
}Preventing SQL Injection
Use parameterized queries with JPA:
// Safe: Parameterized query
@Query("SELECT u FROM User u WHERE u.email = :email")
User findByEmail(@Param("email") String email);
// Vulnerable: String concatenation - NEVER do this
@Query("SELECT u FROM User u WHERE u.email = '" + email + "'")Security Headers
Configure comprehensive security headers:
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.headers(headers -> headers
.contentSecurityPolicy(csp -> csp
.policyDirectives("default-src 'self'; script-src 'self'")
)
.referrerPolicy(referrer -> referrer
.policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
)
.frameOptions(frame -> frame.deny())
);
return http.build();
}Proper Authentication Configuration
Configure authentication with appropriate password encoding:
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder(12);
}
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.sessionManagement(session -> session
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
).csrf(csrf -> csrf
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
);
return http.build();
}Why Traditional Pentesting Falls Short
Spring Boot applications involve complex configurations across multiple files, with security behavior determined by annotation processing, auto-configuration, and filter chain ordering. Manual testers may identify obvious misconfigurations but struggle to comprehensively test all endpoints against various authentication states and role combinations.
How AI-Agentic Testing Solves It
RedVeil's AI agents understand Spring Boot conventions and systematically test for framework-specific vulnerabilities. The platform probes actuator endpoints, tests authentication bypass scenarios across role configurations, and validates that security filters apply correctly to all routes.
Testing runs on-demand, allowing teams to validate security after configuration changes or Spring Boot version upgrades. RedVeil provides clear evidence when vulnerabilities exist, showing exactly how an attacker could exploit misconfigurations.
Conclusion
Spring Boot's productivity benefits come with security responsibilities. Actuator exposure, authentication misconfigurations, and input validation gaps create attack opportunities that frameworks cannot prevent automatically. Deliberate security configuration, following established patterns, significantly reduces risk.
AI-agentic testing validates that your Spring Security configuration actually provides the protection you intend.
Validate your Spring Boot security with RedVeil—start testing now.