19 Rules
| ID | Name | Severity |
|---|---|---|
| 1040002 | Avoid disabling CSRF protection (Spring Security) | critical |
| 1040006 | Always set Content-Security-Policy for Spring applications | high |
| 1040008 | Ensure formLogin is declared after the request authorization and authentication rules | high |
| 1040010 | Always delete the cookies during logout (Spring) | high |
| 1040012 | The HTTP user session must be invalidated during logout | critical |
| 1040014 | Avoid using Spring Security's debug mode | medium |
| 1040016 | permitAll or a user role should be specified for every URL of the application | high |
| 1040018 | Ensure the X-Frame-Options header is set up (Spring) | high |
| 1040024 | The Spring Boot shutdown actuator endpoint must be secured from unauthenticated access | high |
| 1040026 | Avoid omitting an explicit HTTP method in @RequestMapping methods | critical |
| 1040030 | Avoid using the generic AuthenticationException class | medium |
| 1040032 | Avoid using @ControllerAdvice and HandlerExceptionResolver simultaneously | medium |
| 1040034 | StrictHttpFirewall should be set as the HttpFirewall before Spring Security 5.0.1, 4.2.4, and 4.1.5 | critical |
| 1040036 | Avoid using the STOMP Spring messaging module before Spring 5.0.5 and 4.3.16 | critical |
| 1040038 | Avoid the Spring Security path-matching inconsistency before Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x | medium |
| 1040042 | Avoid using Spring Security in combination with Spring Framework 5.0.5 | high |
| 1040044 | Avoid using UnZipTransformer of spring-integration-zip prior to version 1.0.1 | high |
| 1040046 | Avoid weak encryption algorithms (Spring) | critical |
| 1040048 | Avoid unsafe object binding (Spring) | high |
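The following configuration is an added example, not code from the rule set or from Spring itself. It shows one `SecurityFilterChain`, one `StrictHttpFirewall` bean and one controller written so that the configuration-level rules above (CSRF, CSP, X-Frame-Options, formLogin ordering, logout handling, explicit URL authorization, the shutdown actuator, explicit HTTP methods, and object binding) would all pass. It assumes the Spring Security 6 / Spring Boot 3 lambda DSL; the URL paths, role name and allowed field names are illustrative choices, not values the rules prescribe.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.firewall.StrictHttpFirewall;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

import java.util.List;

@Configuration
@EnableWebSecurity   // 1040014: no debug = true here; debug mode logs every request's security details
public class WebSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // 1040016: every URL gets an explicit decision; anyRequest() is the catch-all
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/css/**").permitAll()
                .requestMatchers("/actuator/shutdown").denyAll()        // 1040024: never reachable over HTTP
                .requestMatchers("/actuator/**").hasRole("ADMIN")       // illustrative role name
                .anyRequest().authenticated())
            // 1040008: formLogin is declared after the authorization rules
            .formLogin(form -> form.loginPage("/login").permitAll())
            // 1040010 / 1040012: invalidate the server-side session and clear the client cookies
            .logout(logout -> logout
                .logoutUrl("/logout")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID", "remember-me")
                .logoutSuccessUrl("/"))
            // 1040006 / 1040018: CSP and X-Frame-Options on every response
            .headers(headers -> headers
                .contentSecurityPolicy(csp ->
                    csp.policyDirectives("default-src 'self'; frame-ancestors 'none'"))
                .frameOptions(frame -> frame.deny()));
        // 1040002: CSRF protection is left at its default (enabled).
        // The flagged pattern is http.csrf(csrf -> csrf.disable()), which is deliberately absent.
        return http.build();
    }

    // 1040034: on the affected versions StrictHttpFirewall is not the default and must be
    // registered explicitly; exposing it as a bean is how Spring Security picks it up.
    @Bean
    StrictHttpFirewall httpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowedHttpMethods(List.of("GET", "POST", "HEAD", "OPTIONS"));
        firewall.setAllowUrlEncodedSlash(false);
        firewall.setAllowSemicolon(false);
        return firewall;
    }
}

@RestController
class ProfileController {

    // 1040048: restrict data binding to an allow-list so a request cannot set fields
    // such as "admin" or "role" that happen to exist on the bound object.
    @InitBinder
    void restrictBinding(WebDataBinder binder) {
        binder.setAllowedFields("displayName", "email");   // illustrative field names
    }

    // 1040026: name the HTTP method. A bare @RequestMapping("/profile") would also answer
    // GET, PUT, DELETE and so on, bypassing any assumption that this is a POST-only change.
    @PostMapping("/profile")
    String updateProfile(ProfileForm form) {
        return "updated " + form.getDisplayName();
    }
}

class ProfileForm {
    private String displayName;
    private String email;
    private boolean admin;   // present on the object, but never bindable thanks to the allow-list

    public String getDisplayName() { return displayName; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
    public boolean isAdmin() { return admin; }
    public void setAdmin(boolean admin) { this.admin = admin; }
}
```

The order of the `authorizeHttpRequests` matchers matters: the more specific `/actuator/shutdown` rule is placed before the broader `/actuator/**` rule so that the deny wins, and `anyRequest()` comes last. Rules 1040030, 1040032, 1040036 through 1040046 concern exception handling, dependency versions and cipher choice rather than this filter chain and are not shown here.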