Overview Java 25 ships two important security additions: JEP 510 — Key Derivation Function (KDF) API — Final. A standard API for HKDF, PBKDF2, and other KDFs. JEP 470 — PEM Encodings of Cryptographic Objects — Preview. Read and write .pem files without third-party libraries. These fill two long-standing gaps: Java had the underlying crypto but no clean standard API for key derivation and PEM I/O. Part 1: Key Derivation Function API (JEP 510) What Is Key Derivation?

Finalized in Java 17 (JEP 415). Extends JEP 290 (Java 9), which introduced the basic deserialization filter API. Why Deserialization Is Dangerous Java object deserialization (ObjectInputStream.readObject()) is one of the most exploited attack surfaces in Java. When a Java application deserializes untrusted bytes, the JVM instantiates arbitrary classes and calls their methods as a side effect — before your application code even sees the result. Attackers craft gadget chains: sequences of serializable classes in common libraries (Apache Commons Collections, Spring Framework, etc.

What Is CORS? The Same-Origin Policy (SOP) is a browser security rule: JavaScript on app.example.com cannot read responses from api.example.com — different subdomain, different origin. Without this, any website could use a visitor’s authenticated session to silently call other sites on their behalf. CORS (Cross-Origin Resource Sharing) is the mechanism by which a server explicitly relaxes SOP for trusted origins. When a browser sees a cross-origin request, it checks whether the server has granted permission before allowing JavaScript to read the response.

What Is a CSRF Attack? Cross-Site Request Forgery (CSRF) tricks an authenticated user’s browser into making an unintended request to your application. The attack: Alice is logged into bank.com — her browser holds a valid session cookie Alice visits evil.com evil.com contains <img src="https://bank.com/transfer?to=attacker&amount=5000"> Alice’s browser fires the request, automatically attaching her bank.com session cookie bank.com receives an authenticated request that Alice never intended to make The attack works because browsers automatically send cookies with cross-origin requests.

Security Improvements Across Java 9–11 JEP Release Feature JEP 287 Java 9 SHA-3 hash algorithms JEP 273 Java 9 DRBG-based SecureRandom JEP 288 Java 9 Disable SHA-1 certificates JEP 324 Java 11 Key Agreement with Curve25519 and Curve448 JEP 329 Java 11 ChaCha20 and Poly1305 cryptographic algorithms JEP 332 Java 11 Transport Layer Security (TLS) 1.3 JEP 181 Java 11 Nest-Based Access Control TLS 1.3 (JEP 332) TLS 1.3 is the current version of the Transport Layer Security protocol, finalised in RFC 8446 (August 2018).

The OWASP Top 10 lists the most critical web application security risks. Spring Boot apps have their own common failure patterns: exposed Actuator endpoints, secrets in properties files, SQL built from string concatenation, and Spring Security misconfiguration. This guide covers the vulnerabilities that actually appear in Spring Boot applications and how to fix each one. 1. SQL Injection SQL injection remains one of the most critical vulnerabilities. It allows attackers to manipulate database queries.

Zero-trust API security means every request is validated independently — no session state, no “trusted network” assumptions. A JWT bearer token is issued by an authorisation server, signed cryptographically, and validated on every API call. The API never calls back to the authorisation server during validation; it verifies the token’s signature locally. This guide covers the complete setup: dependencies, resource server configuration, token validation (both symmetric and asymmetric), extracting claims, role-based access control, method-level security, and the Spring Security 7 changes that break existing setups.

Tools like ESLint, Semgrep, and Bandit catch what they are programmed to find: known patterns, common injection strings, deprecated API calls. They are fast, reliable, and deterministic. They are also blind to anything that requires understanding what your code is supposed to do. Claude Code operates differently. It reads code the way a human security researcher would — tracing data flows across files, understanding business logic, and reasoning about what could go wrong given the specific context of your application.