Production Security Checklist for Java Applications
A practical production security checklist for Java and Spring Boot applications covering authentication, authorization, secrets, logging, headers, dependencies, monitoring, and incident readiness.
What You Will Learn
- What to review before production release.
- How to check authentication and authorization.
- How to verify secrets, logs, headers, and dependencies.
- What monitoring and incident-readiness items matter.
Introduction
Security is not one feature. It is a set of controls that work together.
Use this checklist before releasing Java applications to production.
Authentication
- Passwords are hashed with BCrypt, Argon2, or approved equivalent.
- MFA is enabled for sensitive users or admin actions.
- JWTs have expiration and strong signing keys.
- Refresh tokens are rotated and revocable.
- Login and MFA attempts are rate-limited.
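The first three items above, as an added example that is not code from the original article: a Spring Boot 3 / Spring Security 6 configuration that hashes new passwords with Argon2id while still verifying existing BCrypt hashes, and a JWT decoder that pins the issuer, checks expiry, and (unlike the default timestamp validator, which skips tokens with no `exp`) refuses tokens that carry no expiry at all. The issuer URL, the `RSAPublicKey` bean that supplies the verification key, and the class names are assumptions.

```java
// Added example (not from the original article). The issuer URL and the RSAPublicKey
// bean are placeholders assumed for illustration.
package com.example.security;

import java.security.interfaces.RSAPublicKey;
import java.util.HashMap;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class AuthenticationConfig {

    /** Argon2id for every new hash; BCrypt hashes already in the database still verify. */
    @Bean
    public PasswordEncoder passwordEncoder() {
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("argon2", Argon2PasswordEncoder.defaultsForSpringSecurity_v5_8());
        encoders.put("bcrypt", new BCryptPasswordEncoder(12));
        // Each stored hash is prefixed with its scheme ("{argon2}..."), so migrating
        // users from bcrypt to argon2 on next login is explicit and auditable.
        return new DelegatingPasswordEncoder("argon2", encoders);
    }

    /** Accept only tokens from the expected issuer that carry an expiry and have not passed it. */
    @Bean
    public JwtDecoder jwtDecoder(RSAPublicKey signingKey) { // key provided by a separate, assumed bean
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withPublicKey(signingKey).build();
        // Default validators: issuer match plus not-before / expiry timestamp checks.
        OAuth2TokenValidator<Jwt> defaults =
                JwtValidators.createDefaultWithIssuer("https://issuer.example.invalid"); // placeholder issuer
        decoder.setJwtValidator(
                new DelegatingOAuth2TokenValidator<>(defaults, new RequireExpiryValidator()));
        return decoder;
    }

    /** The default timestamp validator treats a missing "exp" as valid; reject such tokens outright. */
    static final class RequireExpiryValidator implements OAuth2TokenValidator<Jwt> {
        @Override
        public OAuth2TokenValidatorResult validate(Jwt token) {
            if (token.getExpiresAt() == null) {
                return OAuth2TokenValidatorResult.failure(
                        new OAuth2Error("invalid_token", "JWT must carry an exp claim", null));
            }
            return OAuth2TokenValidatorResult.success();
        }
    }
}
```

Key strength and rotation are not visible in this snippet: the `RSAPublicKey` bean should load the key from a key store or a JWKS endpoint (`NimbusJwtDecoder.withJwkSetUri` is the usual choice when the issuer publishes one) rather than from source control.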
Authorization
- Server-side authorization is enforced.
- Method-level security protects sensitive service methods.
- Object ownership checks are implemented.
- Admin endpoints require admin roles.
- Tests cover denied access cases.
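The authorization items above, as an added example that is not code from the original article: method-level security with an object-ownership check evaluated on the server after the fetch, an admin-only method, and tests that assert the denied cases. `Document`, `DocumentService`, the role names, and the sample data are assumptions; in a real project the test class lives under `src/test`.

```java
// Added example (not from the original article). Document, DocumentService and the
// role names are illustrative assumptions.
package com.example.authz;

import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.stereotype.Service;

/** Turns on @PreAuthorize / @PostAuthorize evaluation for Spring beans. */
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {}

record Document(long id, String ownerId, String body) {}

@Service
class DocumentService {

    /** Ownership is checked server-side on the loaded object, not on a caller-supplied id. */
    @PostAuthorize("returnObject.ownerId() == authentication.name")
    public Document findById(long id) {
        // Constructed sample data standing in for a repository lookup.
        return new Document(id, "alice", "quarterly figures");
    }

    /** hasRole('ADMIN') matches the ROLE_ADMIN authority; the prefix is added for you. */
    @PreAuthorize("hasRole('ADMIN')")
    public void purgeAll() {
        // admin-only housekeeping omitted
    }
}

/** Denied-access cases get explicit tests so a refactor cannot silently open them. */
@SpringBootTest
class DocumentServiceAccessTest {

    @Autowired DocumentService service;

    @Test
    @WithMockUser(username = "bob")
    void nonOwnerCannotRead() {
        assertThrows(AccessDeniedException.class, () -> service.findById(1L));
    }

    @Test
    @WithMockUser(username = "bob", roles = "USER")
    void nonAdminCannotPurge() {
        assertThrows(AccessDeniedException.class, () -> service.purgeAll());
    }

    @Test
    @WithMockUser(username = "alice")
    void ownerCanRead() {
        service.findById(1L); // no exception: ownerId matches the authenticated name
    }
}
```

The denial tests are the point: a `@PreAuthorize` that is deleted, misspelled, or moved to a method that no longer sits behind a proxy fails these tests instead of failing silently in production.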
API Protection
- CORS allows only trusted origins.
- CSRF is configured correctly for the auth model.
- Rate limiting protects sensitive APIs.
- Input validation runs at API boundaries.
- File uploads are validated and scanned.
Data Protection
- Sensitive fields are encrypted or tokenized where needed.
- Passwords are stored only as one-way hashes, never in reversible form.
- PII is masked in responses and logs.
- Secrets are not committed to source control.
- Database credentials use least privilege.
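The PII-masking items above, as an added example that is not code from the original article: one set of masking rules applied both to log messages (through a Logback converter) and to API responses (through a Jackson serializer), so the same text is redacted wherever it leaves the process. The regular expressions are deliberately coarse and are assumptions, as are the class and field names; the Logback hookup is shown in a comment.

```java
// Added example (not from the original article). Masking patterns, class names and the
// CustomerView record are illustrative assumptions.
package com.example.privacy;

import java.io.IOException;
import java.util.regex.Pattern;

import ch.qos.logback.classic.pattern.ClassicConverter;
import ch.qos.logback.classic.spi.ILoggingEvent;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.annotation.JsonSerialize;

/** Pure masking rules, kept free of Logback and Jackson so they can be unit-tested directly. */
public final class PiiMasker {

    // Keep the first character of the local part so support can still correlate a user.
    private static final Pattern EMAIL =
            Pattern.compile("([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*@([A-Za-z0-9.-]+)");
    // 13-19 digit runs (card-number shaped); keep the last four digits. Coarse on purpose.
    private static final Pattern CARD = Pattern.compile("\\b(\\d{9,15})(\\d{4})\\b");
    // Bearer tokens must never appear in logs at all.
    private static final Pattern BEARER = Pattern.compile("(?i)bearer\\s+[A-Za-z0-9._~+/=-]+");

    private PiiMasker() {}

    public static String mask(String text) {
        if (text == null) {
            return null;
        }
        String out = EMAIL.matcher(text).replaceAll("$1***@$2");
        out = CARD.matcher(out).replaceAll(m -> "*".repeat(m.group(1).length()) + m.group(2));
        return BEARER.matcher(out).replaceAll("Bearer [REDACTED]");
    }

    /**
     * Logback converter. In logback-spring.xml register
     *   <conversionRule conversionWord="maskedMsg"
     *                   converterClass="com.example.privacy.PiiMasker$MaskingConverter"/>
     * and use %maskedMsg in place of %msg in the encoder pattern.
     */
    public static class MaskingConverter extends ClassicConverter {
        @Override
        public String convert(ILoggingEvent event) {
            return mask(event.getFormattedMessage());
        }
    }

    /** Jackson serializer so a DTO cannot leak a full email into a response by accident. */
    public static class MaskedEmailSerializer extends JsonSerializer<String> {
        @Override
        public void serialize(String value, JsonGenerator gen, SerializerProvider provider)
                throws IOException {
            gen.writeString(mask(value));
        }
    }

    /** Response view: "alice@example.com" is emitted as "a***@example.com". */
    public record CustomerView(
            long id,
            @JsonSerialize(using = MaskedEmailSerializer.class) String email) {}
}
```

Masking at the sink is a backstop, not the primary control: the better fix is to not pass the raw value to the logger or the DTO in the first place. For the secrets item, the same discipline applies to configuration, where `spring.datasource.password=${DB_PASSWORD}` keeps the value in the environment or a secrets manager rather than in the repository.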
Production Hardening
- HTTPS is enforced.
- Security headers are configured.
- Dependencies are scanned.
- Debug endpoints are disabled or protected.
- Actuator endpoints are restricted.
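The API Protection and Production Hardening items above (CORS allow-list, CSRF for a stateless auth model, input validation at the boundary, enforced HTTPS, security headers, restricted Actuator) share a single `SecurityFilterChain`, so they are shown together in one added example that is not code from the original article. It assumes a stateless JWT-backed Spring Boot 3 / Spring Security 6 API; the allowed origin, role names, paths, and the `CreateOrderRequest` DTO are placeholders.

```java
// Added example (not from the original article). The origin, roles, paths and DTO are
// illustrative assumptions. Assumes a stateless, bearer-token API.
package com.example.security;

import java.util.List;

import jakarta.validation.Valid;
import jakarta.validation.constraints.Max;
import jakarta.validation.constraints.Min;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.Size;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.ResponseEntity;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class ApiSecurityConfig {

    @Bean
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            // Refuse plain HTTP. Behind a proxy, make sure it forwards X-Forwarded-Proto.
            .requiresChannel(channel -> channel.anyRequest().requiresSecure())
            // Stateless bearer-token API: no session cookie, so CSRF does not apply here.
            // Leave CSRF at its default (enabled) on any chain that uses a session cookie.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
            .headers(headers -> headers
                .httpStrictTransportSecurity(hsts -> hsts.includeSubDomains(true).maxAgeInSeconds(31_536_000))
                .contentSecurityPolicy(csp -> csp.policyDirectives("default-src 'self'; frame-ancestors 'none'"))
                .frameOptions(frame -> frame.deny())
                .referrerPolicy(ref -> ref.policy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)))
            .authorizeHttpRequests(auth -> auth
                // Actuator: health stays reachable for load balancers, everything else needs an ops role.
                // Pair with management.endpoints.web.exposure.include=health,info in production config.
                .requestMatchers(EndpointRequest.to("health")).permitAll()
                .requestMatchers(EndpointRequest.toAnyEndpoint()).hasRole("ACTUATOR")
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }

    /** Explicit allow-list: no wildcard origin, and no wildcard headers when credentials are allowed. */
    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(List.of("https://app.example.invalid")); // placeholder trusted origin
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        config.setAllowCredentials(false);
        config.setMaxAge(3600L);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/api/**", config);
        return source;
    }
}

/** Validation runs at the boundary: a bad body is rejected before any service code sees it. */
record CreateOrderRequest(
        @NotBlank @Size(max = 64) String sku,
        @Min(1) @Max(100) int quantity) {}

@RestController
class OrderController {
    @PostMapping("/api/orders")
    ResponseEntity<Void> create(@Valid @RequestBody CreateOrderRequest request) {
        // Order creation omitted; @Valid failures surface as 400 responses.
        return ResponseEntity.accepted().build();
    }
}
```

Two points that this chain makes explicit: disabling CSRF is only correct because the chain never issues a session cookie, and the Actuator rule relies on both the exposure property and the authorization rule, since exposure alone still leaves the exposed endpoints reachable by anyone.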
Observability
- Security events are logged safely, without credentials or tokens.
- Audit logs capture sensitive actions.
- Alerts exist for repeated failures.
- Dependency and vulnerability findings are tracked.
- Incident contacts and runbooks are defined.
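The first three observability items above, as an added example that is not code from the original article: a listener that turns Spring Security's authentication and authorization events into audit log lines on a dedicated logger (never including the supplied credentials, and with control characters stripped from the principal so a crafted username cannot forge log lines) and into Micrometer counters that an alert rule can threshold. Logger and metric names, and the example Prometheus rule in the comment, are assumptions.

```java
// Added example (not from the original article). Logger and metric names are assumptions.
package com.example.audit;

import io.micrometer.core.instrument.MeterRegistry;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.authorization.event.AuthorizationDeniedEvent;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

@Component
public class SecurityAuditListener {

    // Dedicated logger so audit lines can be routed to their own appender or SIEM index.
    private static final Logger AUDIT = LoggerFactory.getLogger("AUDIT");

    private final MeterRegistry registry;

    public SecurityAuditListener(MeterRegistry registry) {
        this.registry = registry;
    }

    /** Published by Spring Boot's auto-configured AuthenticationEventPublisher on every failed login. */
    @EventListener
    public void onFailure(AbstractAuthenticationFailureEvent event) {
        // Record who and why; the exception class is safe, the submitted password is not.
        String principal = principalName(event.getAuthentication());
        String reason = event.getException().getClass().getSimpleName();
        AUDIT.warn("auth.failure principal={} reason={}", principal, reason);
        // Example alert (Prometheus): increase(security_auth_failures_total[5m]) > 50
        registry.counter("security.auth.failures", "reason", reason).increment();
    }

    @EventListener
    public void onSuccess(AuthenticationSuccessEvent event) {
        AUDIT.info("auth.success principal={}", principalName(event.getAuthentication()));
        registry.counter("security.auth.success").increment();
    }

    /** Requires an AuthorizationEventPublisher bean (e.g. SpringAuthorizationEventPublisher). */
    @EventListener
    public void onDenied(AuthorizationDeniedEvent<?> event) {
        AUDIT.warn("authz.denied principal={}", principalName(event.getAuthentication().get()));
        registry.counter("security.authz.denied").increment();
    }

    /** Usernames are attacker-controlled input: strip line breaks so one event is one log line. */
    static String principalName(Authentication auth) {
        if (auth == null || auth.getName() == null) {
            return "unknown";
        }
        return auth.getName().replaceAll("[\\r\\n\\t]", "_");
    }
}
```

The counter tagged by `reason` lets an alert distinguish a burst of `BadCredentialsException` (likely credential stuffing) from `LockedException` or `DisabledException` (a misconfiguration or an account-state problem), which is the difference between paging security and paging the on-call developer.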
Release Flow
```mermaid
flowchart LR
    A["Code complete"] --> B["Security review"]
    B --> C["Automated scans"]
    C --> D["Config review"]
    D --> E["Production deploy"]
    E --> F["Monitoring and alerts"]
```
Summary
This checklist helps confirm that authentication, authorization, API protection, data protection, logging, dependencies, and monitoring are ready before production release.