124-java-secure-coding
npx machina-cli add skill jabrena/cursor-rules-java/124-java-secure-coding --openclawJava Secure coding guidelines
Identify and apply Java secure coding practices to reduce vulnerabilities, protect sensitive data, and harden application behaviour against common attack vectors.
Core areas: Input validation with type, length, format, and range checks; SQL/OS/LDAP injection defence via PreparedStatement and parameterized APIs; attack surface minimisation through least-privilege permissions and removal of unused features; strong cryptographic algorithms for hashing (passwords with BCrypt/Argon2), encryption (AES-GCM), and digital signatures while avoiding deprecated ciphers (MD5, SHA-1, DES); secure exception handling that logs diagnostic details internally while exposing only generic messages to clients; secrets management by loading credentials from environment variables or secret managers — never hardcoded; safe deserialization with strict allow-lists and preference for explicit DTOs over native Java serialization; output encoding to prevent XSS in rendered content.
Prerequisites: Run ./mvnw compile before applying any changes. If compilation fails, stop immediately — do not proceed until the project is in a valid state.
Multi-step scope: Step 1 validates the project compiles. Step 2 categorizes security issues by severity (CRITICAL, HIGH, MEDIUM, LOW) and area (input validation, injection, cryptography, secrets, serialization, XSS, exception handling). Step 3 adds comprehensive input validation — type, length, format, and range — to all entry points handling untrusted data. Step 4 replaces string-concatenated queries with PreparedStatement or ORM parameterized equivalents to eliminate injection vectors. Step 5 audits permissions and exposed surfaces to enforce least-privilege and remove unused endpoints, libraries, and accounts. Step 6 replaces weak or deprecated cryptographic algorithms with current standards (AES-GCM, BCrypt/Argon2, SHA-256+). Step 7 sanitizes exception messages and error responses so no stack traces or internal details reach clients; aligns logging to record full diagnostics internally. Step 8 removes hardcoded secrets and replaces them with runtime secret sources (env vars, Vault, cloud secret managers). Step 9 removes or replaces unsafe Java native deserialization with JSON/XML DTO binding; adds type allow-lists where deserialization is unavoidable. Step 10 adds output encoding at all render points to prevent XSS. Step 11 runs ./mvnw clean verify to confirm all tests pass after changes.
Before applying changes: Read the reference for detailed good/bad examples, constraints, and safeguards for each secure coding pattern.
Reference
For detailed guidance, examples, and constraints, see references/124-java-secure-coding.md.
Source
git clone https://github.com/jabrena/cursor-rules-java/blob/main/skills/124-java-secure-coding/SKILL.mdView on GitHub Overview
Provides a structured approach to applying Java secure coding practices to reduce vulnerabilities, protect sensitive data, and harden application behavior. It covers input validation, injection defenses via parameterized APIs, least-privilege design, modern cryptography, secure exception handling, runtime secrets management, safe deserialization, and output encoding to prevent XSS.
How This Skill Works
The skill guides you through a multi-step process: ensure the project compiles, categorize security issues by severity and area, and implement concrete safeguards. It emphasizes replacing unsafe patterns with secure equivalents (e.g., parameterized queries, strict allow-lists for deserialization, and runtime secret sourcing) and aligning error handling and logging to avoid leaking sensitive details.
When to Use It
- When validating untrusted inputs from UI or APIs to enforce type, length, format, and range checks
- When defending against SQL/OS/LDAP injection by using PreparedStatement and parameterized APIs
- When enforcing least-privilege and removing unused endpoints, libraries, and accounts
- When implementing modern cryptography for passwords, encryption, and signatures
- When handling exceptions securely and encoding outputs to prevent XSS and avoid exposing internal details
Quick Start
- Step 1: Run ./mvnw compile and fix any compile-time issues before changes
- Step 2: Add strict input validation (type, length, format, range) at all entry points handling untrusted data
- Step 3: Replace concatenated queries with PreparedStatement/parameterized APIs and switch to runtime secret sources; enable output encoding and secure error handling
Best Practices
- Validate input with type, length, format, and range checks
- Use parameterized queries (PreparedStatement) to prevent injections
- Enforce least-privilege permissions and remove unused surfaces
- Adopt current cryptography (AES-GCM, BCrypt/Argon2, SHA-256+) and avoid deprecated ciphers
- Sanitize and secure exception messages, log diagnostics internally, and avoid leaking stack traces
Example Use Cases
- Validate and sanitize HTTP request parameters at the controller or service layer
- Refactor data access to use PreparedStatement or ORM with bound parameters
- Load credentials from environment variables or secret managers instead of hardcoding
- Migrate password storage to BCrypt/Argon2 and enable AES-GCM for data encryption
- Add output encoding in templates or renderers to prevent XSS
