
tessl-labs/springboot-security-basics

Security defaults that belong in every Spring Boot application from day one.

Score: 88 (1.79x)
Quality: 83% (does it follow best practices?)
Impact: 97%, 1.79x (average score across 5 eval scenarios)
Security by Snyk: Passed, no known issues


verifiers/csrf-handling.json

{
  "instruction": "Handle CSRF correctly based on session strategy",
  "relevant_when": "Agent creates or modifies a Spring Boot application with Spring Security",
  "context": "CSRF protection is enabled by default in Spring Security. For stateless APIs that authenticate every request with a JWT or bearer token and use SessionCreationPolicy.STATELESS, CSRF should be disabled: no session cookie is issued, so the browser has nothing to attach automatically and there is no cross-site request to forge. For session-based apps that authenticate with cookies, CSRF must remain enabled, using CookieCsrfTokenRepository.withHttpOnlyFalse() so the frontend can read the XSRF-TOKEN cookie and send its value back in the X-XSRF-TOKEN header. Never disable CSRF on a session-based app.",
  "sources": [
    {
      "type": "file",
      "filename": "skills/springboot-security-basics/SKILL.md",
      "tile": "tessl-labs/springboot-security-basics@0.2.0"
    }
  ],
  "checklist": [
    {
      "name": "csrf-disabled-for-stateless",
      "rule": "Agent disables CSRF when the app uses SessionCreationPolicy.STATELESS with JWT or token-based authentication",
      "relevant_when": "Agent creates a stateless REST API with Spring Security"
    },
    {
      "name": "csrf-enabled-for-sessions",
      "rule": "Agent keeps CSRF enabled with CookieCsrfTokenRepository when the app uses sessions and cookies",
      "relevant_when": "Agent creates a session-based Spring Boot application"
    },
    {
      "name": "csrf-lambda-dsl",
      "rule": "Agent uses the lambda DSL csrf(csrf -> csrf.disable()) rather than the deprecated chained .csrf().disable()",
      "relevant_when": "Agent configures CSRF in Spring Security"
    }
  ]
}
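A configuration that satisfies all three checklist items, added here as an illustration; it is not code from the tile or from the Spring Security project. It assumes Spring Boot 3 / Spring Security 6, an API mounted under /api/** that validates bearer JWTs, and a form-login browser app on every other path; those paths and authentication choices are assumptions for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.web.filter.OncePerRequestFilter;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;

@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig {

    // Chain 1 (assumed layout): a stateless JSON API under /api/** that validates a bearer
    // JWT on every request. No session cookie is ever issued, so the browser has nothing to
    // attach automatically on a cross-site request and CSRF protection adds nothing here.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable()) // lambda DSL, not the deprecated .csrf().disable()
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }

    // Chain 2: everything else is a session-based browser app using form login. The session
    // cookie is sent by the browser on cross-site requests, so CSRF must stay enabled.
    @Bean
    @Order(2)
    SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        // Plain (non-XOR) handler: the token is delivered in a cookie, not rendered into an
        // HTML body, so BREACH masking is unnecessary and the raw cookie value can be
        // echoed back unchanged in the X-XSRF-TOKEN header.
        CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();
        http
            .csrf(csrf -> csrf
                // httpOnly=false so frontend JavaScript can read XSRF-TOKEN
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .csrfTokenRequestHandler(requestHandler))
            // Spring Security 6 defers token loading; resolve it once per request so the
            // cookie is actually written before the SPA's first state-changing call.
            .addFilterAfter(new CsrfCookieFilter(), BasicAuthenticationFilter.class)
            .formLogin(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated());
        return http.build();
    }

    // Touches the deferred CsrfToken so CookieCsrfTokenRepository emits the XSRF-TOKEN
    // cookie in the response. Only installed on the session-based chain, where the
    // CsrfFilter has already placed the token on the request.
    static final class CsrfCookieFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain filterChain) throws ServletException, IOException {
            CsrfToken csrfToken = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            if (csrfToken != null) {
                csrfToken.getToken(); // forces load-or-generate and the Set-Cookie header
            }
            filterChain.doFilter(request, response);
        }
    }
}
```

The frontend then reads the XSRF-TOKEN cookie and sends its value in an X-XSRF-TOKEN header on every POST, PUT, PATCH and DELETE; GET, HEAD, OPTIONS and TRACE are exempt by Spring Security's default RequireCsrfProtectionMatcher. The two chains are the point of the verifier: a single application can legitimately have CSRF off on its stateless API and on for its cookie-authenticated pages, but the decision is made per SecurityFilterChain from the session strategy, never globally for convenience.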
