spring-boot
Safeguard articles tagged "spring-boot" — guides, analysis, and best practices for software supply chain and application security.
9 articles
Preventing mass assignment in Spring MVC and Spring Boot
CWE-915 mass assignment lets one extra JSON field turn a profile update into a privilege escalation — here's how DTOs beat @JsonIgnore in Spring.
Java DTOs for secure data handling
A single @RequestBody bound to a JPA entity can let attackers set fields like isAdmin — DTOs close that gap by design, not by discipline.
Using jlink to Build Minimal, Lower-Attack-Surface Java Docker Images
jlink has shipped with every JDK since Java 9 in 2017, yet most Spring Boot images still ship a full 300MB+ JDK. Here's how to fix that.
Robust input validation in Spring Boot: Bean Validation and its bypasses
Bean Validation (JSR-380) looks like a solved problem in Spring Boot, but nested DTOs, list elements, and unannotated service methods routinely skip validation silently.
The most common Spring Boot security misconfigurations, and how to fix them
CVE-2026-40976 let anonymous users hit /actuator/env and /actuator/heapdump on default Spring Boot 4 filter chains, CVSS 9.1 — here's how to actually harden Spring Boot.
Thymeleaf SSTI risk patterns: how a tab character bypassed a Java template sandbox
CVE-2026-40478 shows how a single tab character bypassed Thymeleaf's expression sandbox, turning misused templates into remote code execution.
Spring Boot Security Best Practices: Hardening the Defaults
Spring Boot's convenience defaults can quietly widen your attack surface. Here's how to harden actuators, dependencies, and auto-configuration for 2026.
Spring Dependency Management Supply Chain
Spring Boot's dependency management is the unsung hero of the Java ecosystem, and it is also a supply chain seam worth understanding. Here is how BOMs, starters, and transitive version coercion shape what actually ships.
Spring Boot Security and Dependency Management
Securing Spring Boot applications with dependency management BOMs, vulnerability scanning, and hardened configurations.