• v2.4.2-dev fc962f57c8

    FTMahringer released this 2026-05-12 01:24:34 +02:00 | 115 commits to main since this release

    v2.4.2-dev - API Security (Security Hardening Step)

    Changes

    CORS Configuration

    • New WebConfig.java implements WebMvcConfigurer with configurable allowed origins
    • Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS
    • Headers: Authorization, Content-Type, X-Correlation-ID, X-XSRF-TOKEN
    • Allows credentials, max age 3600s

    Security Headers

    • Added security headers filter in SecurityConfig.java
    • Headers: X-Content-Type-Options, Strict-Transport-Security, X-Frame-Options, Referrer-Policy, Permissions-Policy

    Rate Limiting

    • New RateLimitingFilter.java - Caffeine-backed concurrent rate limiter
    • Configurable requests-per-minute (default 60) and login-requests-per-minute (default 10)
    • Excludes actuator, health, static resources
    • Returns 429 with Retry-After header
    • Uses IP / X-Forwarded-For as key
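As an added example (not the project's RateLimitingFilter), a minimal Caffeine-backed filter that applies the per-minute budgets above and answers 429 with Retry-After; it assumes Spring Boot 3 (jakarta.servlet), and the class name, login path and trusted-proxy address are placeholders. It also adds the check an X-Forwarded-For key needs: the header is only honoured when the socket peer is a known proxy, because any client can set it.

```java
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;
import java.io.IOException;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
public class ExampleRateLimitFilter extends OncePerRequestFilter {
    // Hard-coded here for brevity; in the project these come from application.yml.
    private final int requestsPerMinute = 60;       // default from the release notes
    private final int loginRequestsPerMinute = 10;  // default from the release notes
    private final Set<String> trustedProxies = Set.of("10.0.0.1");  // constructed example value
    // One counter per key; entries expire 60 s after creation, giving fixed one-minute windows.
    private final Cache<String, AtomicInteger> counters = Caffeine.newBuilder()
            .expireAfterWrite(1, TimeUnit.MINUTES).maximumSize(100_000).build();

    @Override  // skip the paths the notes exclude: actuator, health, static resources
    protected boolean shouldNotFilter(HttpServletRequest req) {
        String p = req.getRequestURI();
        return p.startsWith("/actuator") || p.startsWith("/health") || p.startsWith("/static/");
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
                                    FilterChain chain) throws ServletException, IOException {
        boolean login = req.getRequestURI().startsWith("/api/auth/login");  // assumed login path
        String key = (login ? "login:" : "api:") + clientKey(req);
        int count = counters.get(key, k -> new AtomicInteger()).incrementAndGet();
        if (count > (login ? loginRequestsPerMinute : requestsPerMinute)) {
            res.setStatus(429);                  // Too Many Requests
            res.setHeader("Retry-After", "60");  // upper bound on seconds until the window resets
            return;
        }
        chain.doFilter(req, res);
    }
    // X-Forwarded-For is client-supplied unless a trusted proxy appended it, so it is used
    // only when the socket peer is such a proxy, and then only its last (proxy-appended) entry.
    private String clientKey(HttpServletRequest req) {
        String peer = req.getRemoteAddr();
        String xff = req.getHeader("X-Forwarded-For");
        if (xff == null || !trustedProxies.contains(peer)) return peer;
        String[] hops = xff.split(",");
        return hops[hops.length - 1].trim();
    }
}
```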

    Brute-Force Protection

    • Added to AuthenticationService.java - concurrent map tracking failed attempts with TTL
    • After 5 failed attempts (configurable), account locks for 15 minutes (configurable)
    • Logs lockout events; resets on successful login

    Configuration

    • Added rate-limiting and cors properties to application.yml

    Dependencies

    • Added Caffeine for rate-limiting cache