Use PreparedStatement to prevent SQL injection, avoid executing user input expressions, and whitelist verification of inputs; 2. Use mature frameworks such as Spring Security to manage authentication, use strong hash storage such as bcrypt, set the cookies of HttpOnly and Secure and regenerate the session ID; 3. Use OWASP Java Encoder to encode HTML and JavaScript contexts when output, set CSP header to limit the source of scripts, prohibit inline scripts and eval(); 4. Verify input uniformly on the server, use JSR-380 to annotate the verification parameters, limit file upload type and size, and verify file paths to prevent path traversal; 5. Use OWASP to use OWASP to uniformly verify input, use JSR-380 to annotate verification parameters, limit file upload type and size, and verify file paths to prevent path traversal; 5. Use OWASP to verify input uniformly, use JSR-380 to annotate verification parameters, limit file upload type and size, and verify file paths to prevent path traversal; 5. Use OWASP Dependency-Check regularly scans for dependency vulnerabilities, closes debugging information in the production environment, and configures security response headers such as X-Content-Type-Options, X-Frame-Options, HSTS, etc.; 6. Use @PreAuthorize to achieve RBAC permission control, and the backend checks permissions every time it requests to avoid directly exposing the database ID. It is recommended to use UUID. Security needs to run through the entire development process. Following the above specifications can effectively prevent common vulnerabilities and ensure the security of Java Web applications.
Writing secure Java Web applications is key to preventing data breaches, service outages, and malicious attacks. As web applications become increasingly complex, developers must follow a range of security coding specifications to reduce security risks. The following is a practical security coding guide for Java Web applications covering common vulnerabilities and best practices.
1. Prevent injection attacks (SQL, command, expression injection)
Injection is the top vulnerability type in OWASP Top 10 in the medium and long term. The attacker manipulates the backend logic by constructing malicious input.
Key measures:
-
Use precompiled statements (PreparedStatement)
Avoid splicing of SQL strings, always usePreparedStatementand parameter placeholders:String sql = "SELECT * FROM users WHERE username = ?"; try (PreparedStatement pstmt = connection.prepareStatement(sql)) { pstmt.setString(1, username); ResultSet rs = pstmt.executeQuery(); } Avoid dynamic execution of EL expressions or OGNL
Do not usejavax.el.ELProcessoror similar mechanism to execute expressions entered by users.
Input verification and whitelist filtering
Verify all user inputs, using whitelists to limit allowed characters or formats.
2. Correctly handle identity authentication and session management
Identity authentication is the first line of defense for access control, and improper implementation may lead to account hijacking.
Suggested practices:
Using a mature certification framework
Priority is given to using mature frameworks such as Spring Security and Apache Shiro to avoid implementing login logic by yourself.Secure password storage
Never store passwords explicitly. Use strong hashing algorithms (such as bcrypt, PBKDF2, Argon2):// PasswordEncoder using Spring Security @Autowired private PasswordEncoder passwordEncoder; String hashedPassword = passwordEncoder.encode(rawPassword);
Security Management Session
Set the session timeout time (such as 30 minutes without operation)
Use secure cookie attributes:
Cookie Cookie = new Cookie("JSESSIONID", sessionId); cookie.setHttpOnly(true); // Prevent XSS from reading cookie.setSecure(true); // Transfer cookie.setPath("/"); // Restrict paths
Avoid fixed session ID
Be sure to regenerate the session ID after logging in successfully to prevent session fixed attacks.
3. Defense Cross-Site Scripting (XSS)
XSS allows an attacker to execute malicious scripts in the user's browser, steal cookies, or impersonate users.
Protection strategy:
Output encoding
Perform appropriate encoding when outputting user data to HTML, JavaScript, URL contexts. Recommended to use OWASP Java Encoder:String safeOutput = Encode.forHtml(userInput); String safeScript = Encode.forJavaScript(userInput);
Setting up content security policy (CSP)
Restrict the source of executable scripts via HTTP response headers:Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted.cdn.com
Avoid inline scripts and
eval()
Try to use external JS files, and prohibit usingeval()andinnerHTMLto splice user content.
4. Verify and protect input and output (input verification and output cleaning)
All data from the client should be considered untrusted.
Implementation points:
Unified input verification layer
All request parameters are checked at the controller or service layer, and bean Validation (JSR-380):public class UserForm { @NotBlank @Email private String email; @Size(min = 6, max = 20) private String password; }Limit file upload type and size
- Check file extensions and MIME types (don't rely on frontend only)
- Save the uploaded file outside the web root directory
- Scan the file to contain malicious content
Avoid path traversal
Do not use user input directly as file path. Check whether the path is within the allowable range:Path baseDir = Paths.get("/safe/upload/dir").toAbsolutePath(); Path userFile = Paths.get(inputFilename).toAbsolutePath(); if (!userFile.startsWith(baseDir)) { throw new IllegalArgumentException("Invalid file path"); }
5. Security configuration and dependency management
Many vulnerabilities are caused by misconfiguration or the use of vulnerable third-party libraries.
Notes:
Regularly update the dependency library
Use the Maven/Gradle plug-in to check for dependency vulnerabilities, such as:<!-- Maven OWASP Dependency-Check --> <plugin> <groupId>org.owasp</groupId> <artifactId>dependency-check-maven</artifactId> <version>8.5.0</version> <executions> <execution> <goals> <goal>check</goal> </goals> </execution> </executions> </plugin>Close debug information and stack trace
Disable detailed error pages in production environments to avoid leaking system information.Configure security response header
Add the following HTTP security header:X-Content-Type-Options: nosniff X-Frame-Options: DENY Strict-Transport-Security: max-age=31536000; includeSubDomains
6. Access control and permission verification
Even if the user is logged in, it must be checked whether he has permission to perform the action.
Best Practices:
Implement role-based access control (RBAC)
Use the@PreAuthorizeannotation for Spring Security:@PreAuthorize("hasRole('ADMIN')") @DeleteMapping("/users/{id}") public ResponseEntity<?> deleteUser(@PathVariable Long id) { ... }Permission checks are performed every request
Even if the front end hides the button, the backend still needs to verify whether the current user can access the resource (preventing unauthorized access).Avoid exposing database ID directly
Consider using UUID or indirect references to reduce the risk of ID guessing.
Basically these core points. Security is not a one-time task, but a habit that runs through the entire process of development, testing and deployment. As long as you think about one more step when encoding, most common vulnerabilities can be avoided.
The above is the detailed content of Secure Coding Guidelines for Java Web Applications. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
What is the `enum` type in Java?
Jul 02, 2025 am 01:31 AM
Enums in Java are special classes that represent fixed number of constant values. 1. Use the enum keyword definition; 2. Each enum value is a public static final instance of the enum type; 3. It can include fields, constructors and methods to add behavior to each constant; 4. It can be used in switch statements, supports direct comparison, and provides built-in methods such as name(), ordinal(), values() and valueOf(); 5. Enumeration can improve the type safety, readability and flexibility of the code, and is suitable for limited collection scenarios such as status codes, colors or week.
What is the interface segregation principle?
Jul 02, 2025 am 01:24 AM
Interface Isolation Principle (ISP) requires that clients not rely on unused interfaces. The core is to replace large and complete interfaces with multiple small and refined interfaces. Violations of this principle include: an unimplemented exception was thrown when the class implements an interface, a large number of invalid methods are implemented, and irrelevant functions are forcibly classified into the same interface. Application methods include: dividing interfaces according to common methods, using split interfaces according to clients, and using combinations instead of multi-interface implementations if necessary. For example, split the Machine interfaces containing printing, scanning, and fax methods into Printer, Scanner, and FaxMachine. Rules can be relaxed appropriately when using all methods on small projects or all clients.
Asynchronous Programming Techniques in Modern Java
Jul 07, 2025 am 02:24 AM
Java supports asynchronous programming including the use of CompletableFuture, responsive streams (such as ProjectReactor), and virtual threads in Java19. 1.CompletableFuture improves code readability and maintenance through chain calls, and supports task orchestration and exception handling; 2. ProjectReactor provides Mono and Flux types to implement responsive programming, with backpressure mechanism and rich operators; 3. Virtual threads reduce concurrency costs, are suitable for I/O-intensive tasks, and are lighter and easier to expand than traditional platform threads. Each method has applicable scenarios, and appropriate tools should be selected according to your needs and mixed models should be avoided to maintain simplicity
Differences Between Callable and Runnable in Java
Jul 04, 2025 am 02:50 AM
There are three main differences between Callable and Runnable in Java. First, the callable method can return the result, suitable for tasks that need to return values, such as Callable; while the run() method of Runnable has no return value, suitable for tasks that do not need to return, such as logging. Second, Callable allows to throw checked exceptions to facilitate error transmission; while Runnable must handle exceptions internally. Third, Runnable can be directly passed to Thread or ExecutorService, while Callable can only be submitted to ExecutorService and returns the Future object to
Best Practices for Using Enums in Java
Jul 07, 2025 am 02:35 AM
In Java, enums are suitable for representing fixed constant sets. Best practices include: 1. Use enum to represent fixed state or options to improve type safety and readability; 2. Add properties and methods to enums to enhance flexibility, such as defining fields, constructors, helper methods, etc.; 3. Use EnumMap and EnumSet to improve performance and type safety because they are more efficient based on arrays; 4. Avoid abuse of enums, such as dynamic values, frequent changes or complex logic scenarios, which should be replaced by other methods. Correct use of enum can improve code quality and reduce errors, but you need to pay attention to its applicable boundaries.
Understanding Java NIO and Its Advantages
Jul 08, 2025 am 02:55 AM
JavaNIO is a new IOAPI introduced by Java 1.4. 1) is aimed at buffers and channels, 2) contains Buffer, Channel and Selector core components, 3) supports non-blocking mode, and 4) handles concurrent connections more efficiently than traditional IO. Its advantages are reflected in: 1) Non-blocking IO reduces thread overhead, 2) Buffer improves data transmission efficiency, 3) Selector realizes multiplexing, and 4) Memory mapping speeds up file reading and writing. Note when using: 1) The flip/clear operation of the Buffer is easy to be confused, 2) Incomplete data needs to be processed manually without blocking, 3) Selector registration must be canceled in time, 4) NIO is not suitable for all scenarios.
Exploring Different Synchronization Mechanisms in Java
Jul 04, 2025 am 02:53 AM
Javaprovidesmultiplesynchronizationtoolsforthreadsafety.1.synchronizedblocksensuremutualexclusionbylockingmethodsorspecificcodesections.2.ReentrantLockoffersadvancedcontrol,includingtryLockandfairnesspolicies.3.Conditionvariablesallowthreadstowaitfor
How Java ClassLoaders Work Internally
Jul 06, 2025 am 02:53 AM
Java's class loading mechanism is implemented through ClassLoader, and its core workflow is divided into three stages: loading, linking and initialization. During the loading phase, ClassLoader dynamically reads the bytecode of the class and creates Class objects; links include verifying the correctness of the class, allocating memory to static variables, and parsing symbol references; initialization performs static code blocks and static variable assignments. Class loading adopts the parent delegation model, and prioritizes the parent class loader to find classes, and try Bootstrap, Extension, and ApplicationClassLoader in turn to ensure that the core class library is safe and avoids duplicate loading. Developers can customize ClassLoader, such as URLClassL
