DEV Community: Nikita Blud The latest articles on DEV Community by Nikita Blud (@wouns5). https://dev.to/wouns5 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3827930%2F89e81db5-567c-403a-a1aa-6db2852c3366.png DEV Community: Nikita Blud https://dev.to/wouns5 en Explaining Basics API Security Enchancements in Spring Boot Applications Nikita Blud Tue, 17 Mar 2026 16:39:16 +0000 https://dev.to/wouns5/explaining-basics-api-security-enchancements-in-spring-boot-applications-5dcb https://dev.to/wouns5/explaining-basics-api-security-enchancements-in-spring-boot-applications-5dcb <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9s6frbp9r0smzvzerjz9.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9s6frbp9r0smzvzerjz9.jpg" alt="Explaining Basics API Security Enchancements in Spring Boot Applications" width="800" height="457"></a></p> <h2> Introduction: </h2> <p>Welcome to this article. You will learn how to enhance API security in Spring Boot applications. We will focus on preventing common vulnerabilities.</p> <h2> Requirements: </h2> <p>Before starting, ensure you have:</p> <ul> <li>Basic knowledge of Java and Spring Boot</li> <li>A Spring Boot application for testing</li> <li>An Integrated Development Environment (IDE) like IntelliJ IDEA or Eclipse</li> <li>Postman or similar tool for API testing</li> </ul> <h2> 1. Securing API Endpoints </h2> <p>Spring Security is a powerful framework. It helps to secure our Spring Boot applications. We will use it to secure our API endpoints.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Configuration</span> <span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityConfig</span> <span class="kd">extends</span> <span class="nc">WebSecurityConfigurerAdapter</span> <span class="o">{</span> <span class="nd">@Override</span> <span class="kd">protected</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">()</span> <span class="o">.</span><span class="na">antMatchers</span><span class="o">(</span><span class="s">"/api/**"</span><span class="o">).</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">httpBasic</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p><strong>Usage:</strong><br> This code secures all API endpoints under "/api". Only authenticated users can access them. To test, try accessing an API endpoint without authentication. You should receive a 401 Unauthorized response.</p> <h2> 2. Preventing Cross-Site Request Forgery (CSRF) </h2> <p>CSRF is a common vulnerability. We can prevent it using Spring Security's built-in CSRF protection.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Configuration</span> <span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityConfig</span> <span class="kd">extends</span> <span class="nc">WebSecurityConfigurerAdapter</span> <span class="o">{</span> <span class="nd">@Override</span> <span class="kd">protected</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">csrf</span><span class="o">().</span><span class="na">disable</span><span class="o">()</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">()</span> <span class="o">.</span><span class="na">antMatchers</span><span class="o">(</span><span class="s">"/api/**"</span><span class="o">).</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">httpBasic</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p><strong>Usage:</strong><br> This code disables CSRF protection. It is useful when our API is stateless. Stateless APIs are not vulnerable to CSRF attacks.</p> <h2> 3. Enabling CORS for Specific Domains </h2> <p>CORS is a security feature. It prevents requests from unknown domains. We can allow specific domains using Spring's CORS configuration.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Configuration</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">WebConfig</span> <span class="kd">implements</span> <span class="nc">WebMvcConfigurer</span> <span class="o">{</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">addCorsMappings</span><span class="o">(</span><span class="nc">CorsRegistry</span> <span class="n">registry</span><span class="o">)</span> <span class="o">{</span> <span class="n">registry</span><span class="o">.</span><span class="na">addMapping</span><span class="o">(</span><span class="s">"/api/**"</span><span class="o">)</span> <span class="o">.</span><span class="na">allowedOrigins</span><span class="o">(</span><span class="s">"http://trusted-domain.com"</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p><strong>Usage:</strong><br> This code allows CORS requests from "trusted-domain com". Other domains will receive a CORS error. Test this by making a request from a different domain.</p> <h2> Conclusion: </h2> <p>You have learned to improve API security in Spring Boot. We covered securing endpoints, preventing CSRF, and enabling CORS. Next, try applying these techniques to your own Spring Boot application.</p> api java security springboot Stop Writing Micrometer Boilerplate in Spring Boot Nikita Blud Mon, 16 Mar 2026 19:04:54 +0000 https://dev.to/wouns5/stop-writing-micrometer-boilerplate-in-spring-boot-610 https://dev.to/wouns5/stop-writing-micrometer-boilerplate-in-spring-boot-610 <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faaix8s9dmvjulkuraygx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faaix8s9dmvjulkuraygx.png" alt="Annotation-driven Micrometer metrics for Spring Boot. Add @MetricGauge, @MetricCounter and dynamic SpEL tags with zero boilerplate. Open source Spring Boot starter" width="800" height="400"></a><br> If you use Micrometer in Spring Boot you know this problem.</p> <p><code>@Timed</code> works great. But the moment you need a gauge you have to write this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="nf">OrderService</span><span class="o">(</span><span class="nc">MeterRegistry</span> <span class="n">registry</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Gauge</span><span class="o">.</span><span class="na">builder</span><span class="o">(</span><span class="s">"orders.active"</span><span class="o">,</span> <span class="n">activeOrders</span><span class="o">,</span> <span class="nl">AtomicInteger:</span><span class="o">:</span><span class="n">get</span><span class="o">)</span> <span class="o">.</span><span class="na">register</span><span class="o">(</span><span class="n">registry</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>Inject <code>MeterRegistry</code>. Create a field. Write a builder. Repeat for every metric.</p> <p>So I built Metrify. Let me know what do you think</p> <h2> What it does </h2> <p>Metrify is a Spring Boot starter that adds the annotations Micrometer is missing.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.github.wtk-ns<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>metrify-spring-boot-starter<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>0.1.0<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <p>You don't need extra configuration of additional <code>@Enable</code> annotaion<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@MetricGauge</span> <span class="n">java</span><span class="nd">@MetricGauge</span><span class="o">(</span><span class="n">name</span> <span class="o">=</span> <span class="s">"orders.active"</span><span class="o">)</span> <span class="kd">public</span> <span class="kt">int</span> <span class="nf">getActiveOrderCount</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">orders</span><span class="o">.</span><span class="na">size</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <p>Works on fields too:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@MetricGauge</span><span class="o">(</span><span class="n">name</span> <span class="o">=</span> <span class="s">"connections.active"</span><span class="o">)</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">AtomicInteger</span> <span class="n">connections</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AtomicInteger</span><span class="o">(</span><span class="mi">0</span><span class="o">);</span> </code></pre> </div> <p><strong>@MetricCounter</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@MetricCounter</span><span class="o">(</span><span class="n">name</span> <span class="o">=</span> <span class="s">"orders.created"</span><span class="o">)</span> <span class="kd">public</span> <span class="nc">Order</span> <span class="nf">createOrder</span><span class="o">(</span><span class="nc">OrderRequest</span> <span class="n">request</span><span class="o">)</span> <span class="o">{</span> <span class="o">...</span> <span class="o">}</span> </code></pre> </div> <p><strong>Dynamic tags via SpEL</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@MetricCounter</span><span class="o">(</span> <span class="n">name</span> <span class="o">=</span> <span class="s">"orders.processed"</span><span class="o">,</span> <span class="n">dynamicTags</span> <span class="o">=</span> <span class="o">{</span> <span class="nd">@MetricTag</span><span class="o">(</span><span class="n">key</span> <span class="o">=</span> <span class="s">"region"</span><span class="o">,</span> <span class="n">expression</span> <span class="o">=</span> <span class="s">"#order.region"</span><span class="o">)</span> <span class="o">}</span> <span class="o">)</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">processOrder</span><span class="o">(</span><span class="nc">Order</span> <span class="n">order</span><span class="o">)</span> <span class="o">{</span> <span class="o">...</span> <span class="o">}</span> </code></pre> </div> <p><strong>@CachedGauge</strong><br> For calls you do not want running on every Prometheus scrape:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@CachedGauge</span><span class="o">(</span><span class="n">name</span> <span class="o">=</span> <span class="s">"db.connections"</span><span class="o">,</span> <span class="n">ttl</span> <span class="o">=</span> <span class="mi">30</span><span class="o">,</span> <span class="n">ttlUnit</span> <span class="o">=</span> <span class="nc">TimeUnit</span><span class="o">.</span><span class="na">SECONDS</span><span class="o">)</span> <span class="kd">public</span> <span class="kt">int</span> <span class="nf">getConnectionCount</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="n">dataSource</span><span class="o">.</span><span class="na">getActiveConnections</span><span class="o">();</span> <span class="o">}</span> </code></pre> </div> <p><strong>Startup tag validation</strong><br> If you register the same metric name with different tag keys in two places. Micrometer silently fails. Metrify tells you at startup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>ERROR: Metric 'orders.processed' has inconsistent tag keys. OrderService -&gt; [region, tier] LegacyService -&gt; [region] </code></pre> </div> <p><strong>One thing to know about @MetricGauge on methods</strong><br> It caches the last returned value. Prometheus gets that cached value at scrape time.</p> <p>If you need a true real time gauge. Use field annotation with AtomicInteger or AtomicLong instead. That is a live reference and always reflects the current value.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwkwfcd0a9u2dyylkyv53.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwkwfcd0a9u2dyylkyv53.png" alt="Metrify – annotation-driven Micrometer metrics for Spring Boot (@MetricGauge, @CachedGauge, dynamic tags)" width="800" height="400"></a></p> <h2> Why Micrometer does not have this </h2> <p>The Micrometer team decided it should stay a low level facade. Not an annotation framework. That is a fair call. But it left a gap.<br> The old metrics-spring library had <code>@Gauge</code> and more. It has not been updated since 2016 and does not work with Spring Boot 3.<br> Metrify fills that gap for modern Spring Boot.</p> <p>GitHub: <a href="https://github.com/wtk-ns/metrify-spring-boot-starter" rel="noopener noreferrer">https://github.com/wtk-ns/metrify-spring-boot-starter</a><br> Feedback and PRs are welcome.</p> micrometer spring java opensource