Best practices for securing a public Java Spring-Boot web app
I've got a public Java web app created with Spring Boot. I'm ready to release it to production and wanted to get some tips on making sure that it is as secure as possible.

It is basically a search engine that uses Apache Lucene in the backend and a lot of JavaScript in the front end. I am planning on deploying it to Amazon Web Services, while using my local machine as a backup/test environment.

Users can search and browse data. The frontend calls REST endpoints using JavaScript's XMLHttpRequest to query the backend for content and then displays it to the user.

The app is completely public and there is no user authentication as of yet.

The app also persists user requests to a database for tracking purposes.

Here's what I've done so far to secure it:

  • Make sure that the REST endpoints fully verify that the parameters given to them in the requests are valid.

What I plan on doing:

  • Using HTTPS.

  • Verifying that any PUT request or URL request has a reasonable size.

What I am considering adding:

  • Limiting the number of requests a user can make in a given time period. (Not sure if Spring Boot already has a facility to do this, or if I should implement this myself.)

  • Use some kind of API key scheme to make sure that my endpoints are only accessed by my front end. (Not sure if this is effective, and I don't yet know how to do this.)

Is there anything else that I should consider doing? Do the things I listed above make sense?

Would greatly appreciate any tips on this.
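The three items the question lists for the backend (parameter validation, bounded request sizes, per-client rate limiting) can be shown together in one Spring Boot 2.x controller plus a servlet filter. The following is an added example and not code from the question or from any answer; the endpoint path `/api/search`, the parameter names, the 60-requests-per-minute limit, the package name and the `MAX_TRACKED` bound are all assumptions. It uses Bean Validation (`spring-boot-starter-validation`) so that only input matching explicit constraints reaches the Lucene layer, turns violations into a 400 rather than a stack trace, and adds a fixed-window rate limiter keyed by client address.

```java
// Added example, not from the question or its answers: validated search
// parameters plus a per-client fixed-window rate limit for a Spring Boot 2.x app.
package com.example.search; // hypothetical package

import java.io.IOException;
import java.time.Duration;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.validation.ConstraintViolationException;
import javax.validation.constraints.Max;
import javax.validation.constraints.Min;
import javax.validation.constraints.Pattern;
import javax.validation.constraints.Size;

import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.validation.annotation.Validated;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.filter.OncePerRequestFilter;

@RestController
@Validated // enables validation of the @RequestParam constraints below
public class SearchController {

    @GetMapping("/api/search") // assumed path
    public Map<String, Object> search(
            // Length cap bounds the query itself; the character whitelist keeps Lucene
            // query syntax (*, ?, ~, :, parentheses) out so users cannot submit
            // expensive wildcard/fuzzy clauses. If query syntax is wanted instead,
            // pass the raw text through QueryParser.escape() and cap clause counts.
            @RequestParam("q") @Size(min = 1, max = 200)
            @Pattern(regexp = "[\\p{L}\\p{N}\\s\\-']+", message = "unsupported characters") String q,
            @RequestParam(value = "page", defaultValue = "0") @Min(0) @Max(1000) int page,
            @RequestParam(value = "size", defaultValue = "20") @Min(1) @Max(100) int size) {
        // Only validated input reaches the Lucene search (omitted in this example).
        return Map.of("query", q, "page", page, "size", size, "hits", List.of());
    }

    // A constraint violation becomes a plain 400 with no internal detail in the body.
    @ExceptionHandler(ConstraintViolationException.class)
    @ResponseStatus(HttpStatus.BAD_REQUEST)
    public Map<String, String> onInvalid(ConstraintViolationException e) {
        return Map.of("error", "invalid request parameters");
    }
}

// Fixed-window limiter: at most LIMIT_PER_WINDOW requests per client per window.
@Component
class RateLimitFilter extends OncePerRequestFilter {
    private static final int LIMIT_PER_WINDOW = 60;                      // assumption
    private static final long WINDOW_MS = Duration.ofMinutes(1).toMillis();
    private static final int MAX_TRACKED = 100_000;                      // assumption

    private static final class Window {
        final long start;
        final AtomicInteger count = new AtomicInteger();
        Window(long start) { this.start = start; }
    }

    private final Map<String, Window> windows = new ConcurrentHashMap<>();

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        // getRemoteAddr() is the TCP peer. Behind a load balancer that is the
        // balancer's address, so configure server.forward-headers-strategy so the
        // servlet container resolves the real client from X-Forwarded-For.
        String client = req.getRemoteAddr();
        long now = System.currentTimeMillis();

        // Drop expired windows once the table grows, so the map stays bounded.
        if (windows.size() > MAX_TRACKED) {
            windows.entrySet().removeIf(e -> now - e.getValue().start >= WINDOW_MS);
        }

        Window w = windows.compute(client, (k, old) ->
                old == null || now - old.start >= WINDOW_MS ? new Window(now) : old);
        if (w.count.incrementAndGet() > LIMIT_PER_WINDOW) {
            res.setStatus(HttpStatus.TOO_MANY_REQUESTS.value());
            res.setHeader("Retry-After", String.valueOf(WINDOW_MS / 1000));
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Body and URL size caps are container settings rather than code: in `application.properties`, `server.tomcat.max-http-form-post-size` bounds form bodies and `spring.servlet.multipart.max-request-size` bounds uploads, while the `@Size` constraint above bounds the query string parameter itself. The limiter keeps its counters in process memory, so with several instances on AWS each instance counts separately; a shared store such as Redis, or rate-based rules at the load balancer or AWS WAF, gives one limit across the fleet.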
  • To limit your endpoints to be reached only by your frontend, I would suggest looking at CORS. To look up its Spring implementation and an example, see here. In any case, Spring comes with a fully equipped security framework: Spring Security.

    – Hasan Can Saral
    Jan 4 at 19:34
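As an added example (not code from the comment above or from the question), here is how the two things the comment names fit together in Spring Boot 2.x: a CORS configuration that Spring Security picks up, and a Spring Security configuration that forces HTTPS and sets browser hardening headers. The origin `https://search.example.com`, the `/api/**` path, the package name and the header values are assumptions. One caveat worth stating before reading it: CORS is enforced by the browser, so it decides which cross-origin pages may read the API from a user's browser; a command-line client or script is not bound by it, so it protects your users rather than restricting who can call the endpoints.

```java
// Added example, not from the question or its comments: CORS restricted to the
// app's own origin, HTTPS enforcement and security headers for a Spring Boot 2.x app.
package com.example.search; // hypothetical package

import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // CORS policy: only pages served from the app's own origin may read /api/**
    // cross-origin in a browser. Non-browser clients ignore this entirely, so it
    // complements validation and rate limiting rather than replacing them.
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        cfg.setAllowedOrigins(List.of("https://search.example.com")); // assumption
        cfg.setAllowedMethods(List.of("GET", "PUT"));
        cfg.setAllowedHeaders(List.of("Content-Type", "X-XSRF-TOKEN"));
        cfg.setAllowCredentials(false);
        cfg.setMaxAge(3600L);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", cfg);
        return source;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Use the CorsConfigurationSource bean above.
            .cors(Customizer.withDefaults())
            // Spring Security enables CSRF protection by default. The front end sends
            // PUT via XMLHttpRequest, so expose the token in a readable cookie
            // (XSRF-TOKEN) and have the JavaScript echo it in X-XSRF-TOKEN.
            .csrf(c -> c.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
            // Redirect plain HTTP to HTTPS.
            .requiresChannel(c -> c.anyRequest().requiresSecure())
            .headers(h -> h
                // Tell browsers to use HTTPS only for a year, subdomains included.
                .httpStrictTransportSecurity(hsts -> hsts.includeSubDomains(true).maxAgeInSeconds(31536000))
                // Scripts, styles and XHR targets must come from this origin.
                .contentSecurityPolicy(csp -> csp.policyDirectives(
                        "default-src 'self'; frame-ancestors 'none'"))
                .frameOptions(f -> f.deny()))
            // Public app with no login yet: every request is allowed through.
            .authorizeRequests(a -> a.anyRequest().permitAll());
    }
}
```

Behind an AWS load balancer that terminates TLS the application itself receives plain HTTP, so `requiresSecure()` would redirect forever unless the container trusts the `X-Forwarded-Proto` header; set `server.forward-headers-strategy` (Spring Boot 2.2 and later) so the request is seen as HTTPS. Note also that the CSP above will block inline scripts in the front end, so any inline code needs to move into files served from the same origin.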
  • Your question is a little too broad for this site. I am voting to close it as such.

    – Paul Samsotha
    Jan 5 at 7:26
rest spring-boot security web-applications
asked Jan 4 at 18:37 by user48133