Spring Boot Security Checklist

Use Spring Security for authentication and authorization. Configure it properly -- the default configuration may be too permissive or too restrictive.

Use JPA/Hibernate with parameterized queries. Avoid `@Query` with string concatenation and native queries with user input.

Spring Security includes CSRF protection by default for server-rendered forms. Keep it enabled for session-based authentication.

Use `@Valid` and Bean Validation annotations (`@NotNull`, `@Size`, `@Pattern`) on request DTOs for input validation.

Disable Spring Boot Actuator endpoints in production or protect them with authentication. Actuator can expose sensitive internals.

Use Spring Security's password encoder (BCryptPasswordEncoder) for password hashing. Never use MD5 or SHA for passwords.

Configure CORS using `@CrossOrigin` annotations or `WebMvcConfigurer` with explicit allowed origins.

Use `spring-boot-starter-security` and configure `SecurityFilterChain` with method-level security (`@PreAuthorize`) for fine-grained access control.