Bruno Drugowick

How do I secure this Spring Boot + Thymeleaf + Vue.js app?

I have this app:

And I'm wondering: how do I properly secure it? The app has:

  • Server-rendered pages with Thymeleaf.
  • An API providing data for the pages.

What's the proper way to secure it, and what are its underlying limitations, considering this architecture?

Some questions that pop into my mind, to help you understand why I'm asking:

  • Can I go with Spring Security defaults (adding csrf token on my forms that POST/PUT with Vue.js)?
  • How do I integrate this with my DELETE via API, for example?
  • Should I disable csrf?
  • Does this architecture make sense? What are the caveats?

...


Cover image from Christoph Scholz.

Top comments (2)

Sunit Katkar

Take a look at keycloak.org

Bruno Drugowick

Thanks, Sunit.

Keycloak is an Identity and Access Management solution by itself. In this case, should I ditch Spring Security (or maybe configure it to integrate with Keycloak)?

How does this work on the Vue.js side running on a server-rendered page?

I'm interested more in the architectural aspects and its implications on both the development and operation of the solution rather than just making it work, understand?
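As an added example (not code from the post or from the app it describes), one way to handle the Vue.js side of the CSRF question raised in the post and in the reply above: Thymeleaf renders Spring Security's token into two meta tags, and the page's fetch calls attach it as a header only on state-changing methods such as POST, PUT and DELETE, which is how the API calls keep working without disabling CSRF. The meta tag names, the `readCsrf` and `withCsrf` helpers and the `/api/items/42` URL are assumptions.

```javascript
// Added example: attaching Spring Security's CSRF token to fetch calls made
// by Vue.js code running inside a Thymeleaf-rendered page.
//
// Assumed markup in the page head, rendered by Thymeleaf with Spring Security's
// default session-backed CSRF token repository (default header: X-CSRF-TOKEN):
//   <meta name="_csrf" th:content="${_csrf.token}"/>
//   <meta name="_csrf_header" th:content="${_csrf.headerName}"/>

// HTTP methods Spring Security treats as "safe": no CSRF token is required.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Read the token and header name from the meta tags. `doc` is a parameter so
// the logic can run outside a browser; in the page, call readCsrf(document).
function readCsrf(doc) {
  const tokenTag = doc.querySelector('meta[name="_csrf"]');
  const headerTag = doc.querySelector('meta[name="_csrf_header"]');
  const token = tokenTag && tokenTag.getAttribute("content");
  const headerName = headerTag && headerTag.getAttribute("content");
  if (!token || !headerName) {
    // Failing loudly beats silently sending unprotected requests that the
    // server will reject with 403.
    throw new Error("CSRF meta tags missing: is Spring Security CSRF protection enabled?");
  }
  return { token, headerName };
}

// Return a copy of a fetch `init` object with the CSRF header added for
// state-changing methods (POST, PUT, PATCH, DELETE). Safe methods are untouched,
// and credentials are kept so the session cookie the token is bound to is sent.
function withCsrf(init, csrf) {
  const method = (init.method || "GET").toUpperCase();
  const base = { credentials: "same-origin", ...init };
  if (SAFE_METHODS.has(method)) return base;
  return { ...base, headers: { ...(init.headers || {}), [csrf.headerName]: csrf.token } };
}

// Usage inside a Vue method on the rendered page (assumed endpoint):
//   fetch("/api/items/42", withCsrf({ method: "DELETE" }, readCsrf(document)));
```

With this in place the server-rendered forms can keep Thymeleaf's automatically inserted `_csrf` hidden field, while the Vue.js API calls reuse the same per-session token through the header.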