v2.4.2-dev - API Security (Security Hardening Step)
Pre-release, released 2026-05-12 01:24:34 +02:00
Changes
CORS Configuration
- New WebConfig.java implements WebMvcConfigurer with configurable allowed origins
- Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS
- Headers: Authorization, Content-Type, X-Correlation-ID, X-XSRF-TOKEN
- Allows credentials, max age 3600s
Security Headers
- Added security headers filter in SecurityConfig.java
- Headers: X-Content-Type-Options, Strict-Transport-Security, X-Frame-Options, Referrer-Policy, Permissions-Policy
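The two items above (the CORS configurer and the security headers filter) as an added illustration; this is not the project's WebConfig.java or SecurityConfig.java. It assumes Spring Boot 3 / Spring Security 6 (jakarta.servlet), a hypothetical property app.cors.allowed-origins holding a comma-separated origin list, and header values chosen here for illustration (the release lists only the header names). The startup check for a wildcard origin is the point worth copying: allowCredentials(true) together with "*" can never work in a browser, so it is better rejected at boot than discovered in production.

```java
package com.example.apisecurity; // hypothetical package name

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

import java.io.IOException;
import java.util.Arrays;

/** CORS policy as listed in the release notes; allowed origins come from configuration. */
@Configuration
public class CorsExampleConfig implements WebMvcConfigurer {

    private final String[] allowedOrigins;

    // app.cors.allowed-origins is an assumed property name, e.g.
    // "https://app.example.com,https://admin.example.com" (scheme + host, no paths)
    public CorsExampleConfig(@Value("${app.cors.allowed-origins}") String origins) {
        this.allowedOrigins = Arrays.stream(origins.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .toArray(String[]::new);
        if (allowedOrigins.length == 0) {
            throw new IllegalStateException("app.cors.allowed-origins must list at least one origin");
        }
        for (String origin : allowedOrigins) {
            // Browsers refuse credentialed responses whose allowed origin is "*",
            // so this combination can never work; fail at startup instead.
            if ("*".equals(origin)) {
                throw new IllegalStateException("wildcard origin cannot be combined with allowCredentials(true)");
            }
        }
    }

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
                .allowedOrigins(allowedOrigins)
                .allowedMethods("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS")
                .allowedHeaders("Authorization", "Content-Type", "X-Correlation-ID", "X-XSRF-TOKEN")
                .allowCredentials(true)
                .maxAge(3600); // preflight result may be cached by the browser for one hour
    }
}

/** Sets the listed security headers on every response; the values are assumed, not from the release. */
@Component
class SecurityHeadersExampleFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // Set the headers before invoking the chain so they are already on the
        // response if a downstream handler commits it early.
        response.setHeader("X-Content-Type-Options", "nosniff");
        response.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
        response.setHeader("X-Frame-Options", "DENY");
        response.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
        response.setHeader("Permissions-Policy", "geolocation=(), camera=(), microphone=()");
        chain.doFilter(request, response);
    }
}
```

Two things to check when adopting this: Strict-Transport-Security is only honoured over HTTPS, so the filter is useful only once TLS terminates in front of (or inside) the service; and when Spring Security is on the classpath its own CorsFilter runs before MVC, so the same CorsConfiguration must be handed to the security filter chain as well or preflight requests will be rejected before they reach this mapping.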
Rate Limiting
- New RateLimitingFilter.java - Caffeine-backed concurrent rate limiter
- Configurable requests-per-minute (default 60) and login-requests-per-minute (default 10)
- Excludes actuator, health, static resources
- Returns 429 with Retry-After header
- Uses IP / X-Forwarded-For as key
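The rate limiter described above, written out as an added example; this is not the project's RateLimitingFilter.java. It assumes Spring Boot 3, Caffeine on the classpath, hypothetical properties app.rate-limit.requests-per-minute (default 60), app.rate-limit.login-requests-per-minute (default 10) and app.rate-limit.trust-forwarded-for (default false), and a placeholder login path /api/auth/login. The trust-forwarded-for switch is the caveat a reviewer would raise against "Uses IP / X-Forwarded-For as key": the header is set by whoever sends the request, so it is only a safe key when a proxy you control overwrites or appends it, and even then only the entry that proxy appended is reliable.

```java
package com.example.apisecurity; // hypothetical package name

import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import java.io.IOException;
import java.time.Duration;
import java.util.concurrent.atomic.AtomicInteger;

@Component
public class RateLimitingExampleFilter extends OncePerRequestFilter {

    private static final String LOGIN_PATH = "/api/auth/login"; // placeholder path

    private final int requestsPerMinute;
    private final int loginRequestsPerMinute;
    private final boolean trustForwardedFor;

    // One counter per key. An entry expires one minute after it is created (the
    // AtomicInteger is mutated in place, which is not a cache write), so each key
    // gets a fixed one-minute window with no background sweeper thread.
    private final Cache<String, AtomicInteger> counters = Caffeine.newBuilder()
            .expireAfterWrite(Duration.ofMinutes(1))
            .maximumSize(100_000) // bounds memory if traffic arrives from very many addresses
            .build();

    public RateLimitingExampleFilter(
            @Value("${app.rate-limit.requests-per-minute:60}") int requestsPerMinute,
            @Value("${app.rate-limit.login-requests-per-minute:10}") int loginRequestsPerMinute,
            @Value("${app.rate-limit.trust-forwarded-for:false}") boolean trustForwardedFor) {
        this.requestsPerMinute = requestsPerMinute;
        this.loginRequestsPerMinute = loginRequestsPerMinute;
        this.trustForwardedFor = trustForwardedFor;
    }

    /** Actuator, health and static resources bypass the limiter, as in the release notes. */
    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        String path = request.getRequestURI();
        return path.startsWith("/actuator") || path.equals("/health") || path.startsWith("/static/");
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        boolean login = "POST".equals(request.getMethod()) && LOGIN_PATH.equals(request.getRequestURI());
        int limit = login ? loginRequestsPerMinute : requestsPerMinute;
        // Separate buckets so ordinary traffic cannot consume the stricter login budget.
        String key = (login ? "login:" : "api:") + clientKey(request);

        int hits = counters.get(key, k -> new AtomicInteger()).incrementAndGet();
        if (hits > limit) {
            response.setStatus(429); // HTTP 429 Too Many Requests
            response.setHeader("Retry-After", "60"); // window length: a conservative upper bound
            response.setContentType("text/plain");
            response.getWriter().write("rate limit exceeded");
            return; // stop here; the handler never runs
        }
        chain.doFilter(request, response);
    }

    /**
     * Client key. X-Forwarded-For is request-supplied, so it is honoured only when
     * configuration says a trusted proxy sits in front of this service. That proxy
     * appends the address that connected to it, so the last entry is the one to use;
     * earlier entries are whatever the client chose to send. With no proxy, the
     * socket address is the only reliable identity.
     */
    private String clientKey(HttpServletRequest request) {
        String xff = request.getHeader("X-Forwarded-For");
        if (trustForwardedFor && xff != null && !xff.isBlank()) {
            String[] hops = xff.split(",");
            return hops[hops.length - 1].trim();
        }
        return request.getRemoteAddr();
    }
}
```

The counters live in one JVM, so with several instances behind a load balancer each instance enforces its own budget and the effective limit is roughly the configured value multiplied by the instance count; a shared store is needed if the limit must be exact across the fleet. Logging the key and path on each 429 (not shown) gives the detection signal that tells a bursty client apart from a credential-stuffing run.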
Brute-Force Protection
- Added to AuthenticationService.java - concurrent map tracking failed attempts with TTL
- After 5 failed attempts (configurable), account locks for 15 minutes (configurable)
- Logs lockout events; resets on successful login
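The lockout behaviour listed above, as an added example that is not the project's AuthenticationService.java: per-account failure counts kept in a concurrent map, stale entries expired lazily, a lock placed after the configured number of failures, a warning logged when the lock is placed, and the history cleared on success. Thresholds are passed in by the caller (5 failures and 15 minutes are the release defaults); the class, method and field names are assumptions, and Java 16+ is assumed for the record.

```java
package com.example.apisecurity; // hypothetical package name

import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;

public class LoginAttemptExampleTracker {

    private static final Logger LOG = Logger.getLogger(LoginAttemptExampleTracker.class.getName());

    /** Failure state for one account; lockedUntil stays null until the threshold is reached. */
    private record Entry(int failures, Instant firstFailure, Instant lockedUntil) {}

    private final Map<String, Entry> attempts = new ConcurrentHashMap<>();
    private final int maxFailures;          // 5 in the release notes
    private final Duration lockoutDuration; // 15 minutes in the release notes
    private final Duration failureTtl;      // how long an unlocked failure counts toward the threshold
    private final Clock clock;              // injected so the expiry logic can be tested deterministically

    public LoginAttemptExampleTracker(int maxFailures, Duration lockoutDuration,
                                      Duration failureTtl, Clock clock) {
        this.maxFailures = maxFailures;
        this.lockoutDuration = lockoutDuration;
        this.failureTtl = failureTtl;
        this.clock = clock;
    }

    /** An entry is stale once its lock has expired or, if unlocked, once the failure window has passed. */
    private boolean stale(Entry e, Instant now) {
        return e.lockedUntil() != null
                ? !now.isBefore(e.lockedUntil())
                : !now.isBefore(e.firstFailure().plus(failureTtl));
    }

    /** Call before verifying the password. Stale entries are evicted here, so no sweeper is needed. */
    public boolean isLocked(String username) {
        Instant now = clock.instant();
        Entry e = attempts.computeIfPresent(username, (k, v) -> stale(v, now) ? null : v);
        return e != null && e.lockedUntil() != null;
    }

    /** Record a failed login; returns true only for the failure that triggers the lock. */
    public boolean recordFailure(String username) {
        Instant now = clock.instant();
        Entry updated = attempts.compute(username, (k, e) -> {
            boolean fresh = e == null || stale(e, now);
            int failures = fresh ? 1 : e.failures() + 1;
            Instant first = fresh ? now : e.firstFailure();
            Instant lockedUntil = fresh ? null : e.lockedUntil();
            if (lockedUntil == null && failures >= maxFailures) {
                lockedUntil = now.plus(lockoutDuration);
            }
            return new Entry(failures, first, lockedUntil);
        });
        boolean justLocked = updated.lockedUntil() != null && updated.failures() == maxFailures;
        if (justLocked) {
            // The lockout event is the line a SOC should alert on; include the expiry so it can be correlated.
            LOG.warning("account locked after " + maxFailures + " failed logins: " + username
                    + " (locked until " + updated.lockedUntil() + ")");
        }
        return justLocked;
    }

    /** A successful login clears the account's failure history. */
    public void recordSuccess(String username) {
        attempts.remove(username);
    }

    public static void main(String[] args) {
        // Constructed demo with a fixed clock: the fifth failure locks the account.
        Clock clock = Clock.fixed(Instant.parse("2026-05-12T00:00:00Z"), ZoneOffset.UTC);
        LoginAttemptExampleTracker tracker =
                new LoginAttemptExampleTracker(5, Duration.ofMinutes(15), Duration.ofMinutes(15), clock);
        for (int i = 1; i <= 5; i++) {
            System.out.println("failure " + i + " triggered lock: " + tracker.recordFailure("alice"));
        }
        System.out.println("alice locked: " + tracker.isLocked("alice"));
        tracker.recordSuccess("bob"); // no-op for an account with no history
    }
}
```

Two design points follow from keying on the account name. First, the map is per-JVM, so in a multi-instance deployment each node counts failures separately and the threshold is only approximate unless the state is moved to a shared store. Second, an account lock is a lever anyone who knows a username can pull, so lockout events deserve monitoring in their own right, and the response to a locked account should look the same as the response to a wrong password so that the lock does not confirm which usernames exist.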
Configuration
- Added rate-limiting and cors properties to application.yml
Dependencies
- Added Caffeine for rate-limiting cache