npm - @sun-asterisk/sunlint - Versions diffs - 1.3.39 → 1.3.40 - Mend

@sun-asterisk/sunlint 1.3.39 → 1.3.40

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (422) hide show

package/skill-assets/sunlint-code-quality/rules/java/S009-approved-crypto.md ADDED Viewed

@@ -0,0 +1,40 @@
+---
+title: Use Only Approved Crypto Algorithms
+impact: CRITICAL
+impactDescription: prevents the use of broken or weak cryptography that can be easily cracked
+tags: cryptography, encryption, algorithms, security, java
+---
+## Use Only Approved Crypto Algorithms
+Avoid using deprecated or weak cryptographic algorithms (like MD5, SHA1, DES, or Blowfish with small keys). These are technically broken and can be cracked in minutes by modern hardware.
+**Incorrect (weak crypto):**
+```java
+// VULNERABLE: MD5 is broken
+MessageDigest md = MessageDigest.getInstance("MD5");
+// VULNERABLE: DES is weak
+Cipher c = Cipher.getInstance("DES");
+```
+**Correct (approved crypto):**
+```java
+// SECURE: SHA-256 or SHA-512 for hashing
+MessageDigest md = MessageDigest.getInstance("SHA-256");
+// SECURE: AES-256 for symmetric encryption
+Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
+// SECURE: Argon2 or BCrypt for password hashing
+String hash = BCrypt.hashpw(password, BCrypt.gensalt());
+```
+**Recommended Algorithms:**
+- **Hashing:** SHA-256, SHA-512, SHA-3.
+- **Encryption:** AES (128-bit or 256-bit) with GCM mode.
+- **Passwords:** Argon2, BCrypt, SCrypt.
+**Tools:** SonarQube (S1311), FindSecBugs

package/skill-assets/sunlint-code-quality/rules/java/S010-csprng.md ADDED Viewed

@@ -0,0 +1,36 @@
+---
+title: Use CSPRNG For Security Purposes
+impact: HIGH
+impactDescription: prevents predictable random values that attackers can guess
+tags: randomness, csprng, security, java
+---
+## Use CSPRNG For Security Purposes
+Standard random number generators (like `java.util.Random`) are predictable and should never be used for security-sensitive operations like generating passwords, session tokens, or initialization vectors (IVs).
+**Incorrect (predictable random):**
+```java
+// DANGEROUS: Uses a linear congruential generator (LCG)
+Random rand = new Random();
+int token = rand.nextInt(1000000);
+```
+**Correct (cryptographically secure random):**
+```java
+// SECURE: Uses SecureRandom (CSPRNG)
+SecureRandom secureRand = new SecureRandom();
+byte[] tokenBytes = new byte[32];
+secureRand.nextBytes(tokenBytes);
+String token = Base64.getEncoder().encodeToString(tokenBytes);
+```
+**When to use CSPRNG:**
+- Session IDs and CSRF tokens.
+- Password reset tokens.
+- Cryptographic salts and IVs.
+- Temporary passwords/OTPs.
+**Tools:** SonarQube (S2245), FindSecBugs

package/skill-assets/sunlint-code-quality/rules/java/S011-encrypted-client-hello.md ADDED Viewed

@@ -0,0 +1,27 @@
+---
+title: Enable Encrypted Client Hello (ECH)
+impact: MEDIUM
+impactDescription: protects Server Name Indication (SNI) from eavesdropping
+tags: tls, ech, sni, privacy, security, java
+---
+## Enable Encrypted Client Hello (ECH)
+ECH encrypts the Server Name Indication (SNI) in the TLS handshake, preventing network observers from seeing which specific host you are connecting to. This is primarily a privacy feature that prevents ISP/network-level tracking.
+**About ECH:**
+ECH is managed at the system/infrastructure level (JDK 22+ or via load balancers like Cloudflare/Nginx).
+**Correct (ensuring Java client support):**
+Java 22 and above have experimental support for ECH. Ensure your runtime environment and HTTP clients are configured to use the latest TLS features.
+```java
+// For Java 22+:
+// -Djdk.tls.client.enableECH=true
+// -Djdk.tls.server.enableECH=true
+```
+**Deployment:**
+Enable ECH on your CDN (e.g., Cloudflare) or your entry-point Load Balancer.
+**Tools:** Cloudflare, Wireshark (to verify SNI encryption), JDK 22 documentation

package/skill-assets/sunlint-code-quality/rules/java/S012-secrets-management.md ADDED Viewed

@@ -0,0 +1,34 @@
+---
+title: Use Secrets Management For Backend Secrets
+impact: CRITICAL
+impactDescription: prevents exposure of sensitive credentials in source code and version control
+tags: secrets, management, vault, security, java
+---
+## Use Secrets Management For Backend Secrets
+Sensitive data like API keys, database passwords, and private certificates should never be stored in plaintext in the codebase or checked into version control. Use a dedicated secrets management tool.
+**Incorrect (secrets in source code):**
+```java
+// VULNERABLE: Hardcoded API Key
+public static final String STRIPE_SECRET = "sk_test_4eC39HqLyjWDarjtT1zdp7dc";
+```
+**Correct (external secrets management):**
+```java
+// 1. Environment Variables (Simple)
+String apiKey = System.getenv("STRIPE_SECRET_KEY");
+// 2. Spring Cloud Vault / Config (Recommended for Production)
+@Value("${my.secret.key}")
+private String secretKey;
+// 3. AWS Secrets Manager / Azure Key Vault SDK
+GetSecretValueRequest request = new GetSecretValueRequest().withSecretId("stripe/live/key");
+String secret = client.getSecretValue(request).getSecretString();
+```
+**Tools:** HashiCorp Vault, AWS Secrets Manager, Google Cloud Secret Manager, Kubernetes Secrets

package/skill-assets/sunlint-code-quality/rules/java/S013-tls-connections.md ADDED Viewed

@@ -0,0 +1,40 @@
+---
+title: Always Use TLS For All Connections
+impact: HIGH
+impactDescription: protects data in transit from eavesdropping and tampering
+tags: tls, https, encryption, transport, security, java
+---
+## Always Use TLS For All Connections
+Transmitting data over unencrypted HTTP, JDBC, or Redis connections exposes sensitive information to everyone on the network path. All connections in production must use TLS 1.2 or higher.
+**Incorrect (unencrypted connections):**
+```java
+// VULNERABLE: Using HTTP API
+HttpClient client = HttpClient.newHttpClient();
+HttpRequest request = HttpRequest.newBuilder()
+    .uri(URI.create("http://api.internal.com/data"))
+    .build();
+// VULNERABLE: Unencrypted JDBC
+String url = "jdbc:postgresql://db.server:5432/mydb";
+```
+**Correct (TLS/SSL everywhere):**
+```java
+// 1. HTTPS for all APIs
+HttpRequest request = HttpRequest.newBuilder()
+    .uri(URI.create("https://api.internal.com/data"))
+    .build();
+// 2. TLS for Database
+String url = "jdbc:postgresql://db.server:5432/mydb?ssl=true&sslmode=verify-full";
+// 3. Redis with TLS (Jedis/Lettuce)
+RedisClient client = RedisClient.create("rediss://localhost:6380"); // Note: rediss://
+```
+**Tools:** SSLyze, Qualys SSL Labs, Snyk, Manual Review

package/skill-assets/sunlint-code-quality/rules/java/S016-no-sensitive-query-string.md ADDED Viewed

@@ -0,0 +1,36 @@
+---
+title: Do Not Pass Sensitive Data In Query String
+impact: HIGH
+impactDescription: prevents sensitive data from leaking into browser history, server logs, and referrer headers
+tags: query-string, sensitive-data, transport, security, java
+---
+## Do Not Pass Sensitive Data In Query String
+URL parameters (the query string) are visible in browser history, bookmarks, proxy logs, and `Referer` headers. Sensitive data like passwords, tokens, or personal identifiers should never be part of a URL.
+**Incorrect (sensitive query strings):**
+```java
+// VULNERABLE: Token is in the URL
+GET /api/user-details?auth_token=eyJhbGciOiJIUzI1NiI...
+```
+**Correct (headers or body):**
+```java
+// SECURE: Token passed in Authorization header
+GET /api/user-details
+Authorization: Bearer eyJhbGciOiJIUzI1NiI...
+// SECURE: Data passed in POST body
+POST /api/reset-password
+Content-Type: application/json
+{ "token": "...", "newPassword": "..." }
+```
+**Always use:**
+- `POST` / `PUT` for any request containing sensitive data.
+- Standard headers like `Authorization` for tokens.
+**Tools:** OWASP ZAP, Manual Audit

package/skill-assets/sunlint-code-quality/rules/java/S017-parameterized-queries.md ADDED Viewed

@@ -0,0 +1,47 @@
+---
+title: Always Use Parameterized Queries
+impact: CRITICAL
+impactDescription: prevents SQL and NoSQL injection attacks
+tags: injection, sql, nosql, database, parameterized, security, java
+---
+## Always Use Parameterized Queries
+SQL injection is one of the most critical security vulnerabilities. Directly concatenating user input into SQL strings allows attackers to manipulate queries, bypass authentication, or steal entire databases.
+**Incorrect (string concatenation):**
+```java
+// VULNERABLE: Direct concatenation
+String userId = request.getParameter("id");
+String query = "SELECT * FROM users WHERE id = '" + userId + "'";
+Statement stmt = connection.createStatement();
+ResultSet rs = stmt.executeQuery(query);
+```
+**Correct (parameterized queries):**
+```java
+// SECURE: Using PreparedStatement
+String userId = request.getParameter("id");
+String query = "SELECT * FROM users WHERE id = ?";
+PreparedStatement pstmt = connection.prepareStatement(query);
+pstmt.setString(1, userId);
+ResultSet rs = pstmt.executeQuery();
+// Using Spring Data JPA
+@Query("SELECT u FROM User u WHERE u.id = :id")
+User findUserById(@Param("id") String id);
+// Using Hibernate Criteria
+List<User> users = session.createSelectionQuery("from User where id = :id", User.class)
+    .setParameter("id", userId)
+    .getResultList();
+```
+**Prevention Checklist:**
+- Never use `Statement.executeQuery()` with concatenated strings.
+- Always use `PreparedStatement` or a secure ORM (Hibernate, Spring Data).
+- For NoSQL (e.g., MongoDB), use the driver's query builder instead of string parsing.
+**Tools:** SonarQube (S2077, S3649), SpotBugs (FindSecBugs), Checkstyle, OWASP ZAP

package/skill-assets/sunlint-code-quality/rules/java/S019-email-input-sanitization.md ADDED Viewed

@@ -0,0 +1,32 @@
+---
+title: Sanitize Input Before Sending Emails
+impact: MEDIUM
+impactDescription: prevents email header injection and spam abuse
+tags: email, injection, sanitization, security, java
+---
+## Sanitize Input Before Sending Emails
+Email header injection occurs when user data is added to email headers (Subject, To, CC) without sanitizing newline characters. This allows attackers to add extra recipients or change the email content.
+**Incorrect (vulnerable email sending):**
+```java
+// VULNERABLE: Subject can contain \nBcc: victim@example.com
+String subject = request.getParameter("subject");
+SimpleMailMessage message = new SimpleMailMessage();
+message.setSubject(subject);
+mailSender.send(message);
+```
+**Correct (sanitization):**
+```java
+// SECURE: Remove newlines from all header fields
+String sanitizedSubject = subject.replaceAll("[\\r\\n]", "");
+SimpleMailMessage message = new SimpleMailMessage();
+message.setSubject(sanitizedSubject);
+mailSender.send(message);
+```
+**Tools:** SonarQube, Manual Review

package/skill-assets/sunlint-code-quality/rules/java/S020-eval-code-execution.md ADDED Viewed

@@ -0,0 +1,45 @@
+---
+title: Avoid Dynamic Code Execution
+impact: CRITICAL
+impactDescription: prevents arbitrary code execution vulnerabilities
+tags: injection, eval, dynamic-code, rce, security, java
+---
+## Avoid Dynamic Code Execution
+Dynamic execution of code (using `ScriptEngine`, `ClassLoader.defineClass`, or unsecured reflection) allows attackers to execute arbitrary commands if they can control the input, leading to a full system compromise.
+**Incorrect (dynamic script execution):**
+```java
+// DANGEROUS: Running JS strings from user input
+ScriptEngineManager manager = new ScriptEngineManager();
+ScriptEngine engine = manager.getEngineByName("JavaScript");
+String script = request.getParameter("formula");
+// Attacker: java.lang.Runtime.getRuntime().exec("rm -rf /")
+engine.eval(script);
+```
+**Correct (safe alternatives):**
+```java
+// 1. Use an expression language with a restricted sandbox (e.g., Spring Expression Language with validation)
+StandardEvaluationContext context = new StandardEvaluationContext(data);
+// STRICTLY validate or restrict what expressions are allowed
+// 2. Use a safe math parser for formulas
+Expression e = new ExpressionBuilder(request.getParameter("formula"))
+    .build();
+double result = e.evaluate();
+// 3. Prefer static logic
+if ("add".equals(action)) {
+    result = a + b;
+}
+```
+**Security Risks:**
+- **Remote Code Execution (RCE):** The primary risk of using `eval()` or similar dynamic executors.
+- **Resource Exhaustion:** Attackers might run heavy loops or consume memory.
+**Tools:** SonarQube (S1523), SpotBugs (FindSecBugs), Manual Review

package/skill-assets/sunlint-code-quality/rules/java/S022-context-escaping.md ADDED Viewed

@@ -0,0 +1,28 @@
+---
+title: Escape Data By Output Context
+impact: MEDIUM
+impactDescription: ensures correct encoding for each output context (HTML, JS, URL)
+tags: xss, escaping, context, security, java
+---
+## Escape Data By Output Context
+Different contexts require different escaping strategies. Using HTML encoding inside a JavaScript block or an HTML attribute does not fully prevent XSS.
+**Incorrect (wrong encoding for context):**
+```java
+// WRONG: Using forHtml in a JS block
+String name = request.getParameter("name");
+out.println("<script>var x = '" + Encode.forHtml(name) + "';</script>");
+```
+**Correct (matching encoder to context):**
+```java
+// SECURE: Use the context-specific encoder
+out.println("<script>var x = '" + Encode.forJavaScript(name) + "';</script>");
+out.println("<a href='/profile?u=" + Encode.forUriComponent(name) + "'>View</a>");
+```
+**Tools:** OWASP Java Encoder

package/skill-assets/sunlint-code-quality/rules/java/S023-dynamic-js-encoding.md ADDED Viewed

@@ -0,0 +1,28 @@
+---
+title: Output Encoding For Dynamic JS/JSON
+impact: HIGH
+impactDescription: prevents code injection in JavaScript contexts
+tags: xss, javascript, json, encoding, security, java
+---
+## Output Encoding For Dynamic JS/JSON
+When embedding user data into a JSON object that will be rendered inside a `<script>` tag, you must ensure that characters like `<` and `>` are escaped to prevent an attacker from closing the script tag and opening a new one.
+**Incorrect (direct embedding):**
+```java
+// VULNERABLE: Input </script><script>alert('xss')</script>
+String jsonData = mapper.writeValueAsString(userData);
+out.println("<script>var data = " + jsonData + ";</script>");
+```
+**Correct (properly escaped JSON):**
+```java
+// SECURE: Use Jackson features or OWASP Encoder for JS
+// Jackson can be configured to escape non-ascii characters
+out.println("<script>var data = " + Encode.forJavaScript(jsonData) + ";</script>");
+```
+**Tools:** Jackson `JsonGenerator.Feature.ESCAPE_NON_ASCII`, OWASP Java Encoder

package/skill-assets/sunlint-code-quality/rules/java/S025-server-validation.md ADDED Viewed

@@ -0,0 +1,58 @@
+---
+title: Always Validate Client Data Server-Side
+impact: CRITICAL
+impactDescription: prevents malformed data and security bypasses
+tags: validation, input, server-side, security, java
+---
+## Always Validate Client Data Server-Side
+Client-side validation (HTML attributes, JavaScript) is for user experience only. It can be easily bypassed by using tools like Postman, `curl`, or browser developer tools. All sensitive data and business logic constraints must be re-validated on the server.
+**Incorrect (trusting client input):**
+```java
+@PostMapping("/api/purchase")
+public void purchase(@RequestBody PurchaseRequest req) {
+    // VULNERABLE: Assuming price is correct from client
+    int total = req.getPrice() * req.getQuantity();
+    paymentService.charge(total);
+}
+```
+**Correct (server-side validation):**
+```java
+// 1. Use Bean Validation (JSR-380)
+public class PurchaseRequest {
+    @NotNull
+    @Min(1)
+    private Long productId;
+    @Min(1)
+    @Max(100)
+    private int quantity;
+    // Do NOT include price in request; fetch it from DB
+}
+@PostMapping("/api/purchase")
+public ResponseEntity<?> purchase(@Valid @RequestBody PurchaseRequest req) {
+    // 2. Business logic validation
+    Product product = productRepo.findById(req.getProductId())
+            .orElseThrow(() -> new ProductNotFoundException());
+    int total = product.getPrice() * req.getQuantity();
+    paymentService.charge(total);
+    return ResponseEntity.ok().build();
+}
+```
+**Validation Strategies:**
+- **Whitelisting:** Only allow known-good input.
+- **Strict Typing:** Use appropriate data types (e.g., `Long` for IDs, `BigDecimal` for currency).
+- **Constraints:** Use `@NotNull`, `@Size`, `@Pattern` (Regex) in your DTOs.
+- **Business Logic:** Validate state transitions (e.g., cannot "Cancel" an already "Shipped" order).
+**Tools:** Hibernate Validator, Spring Boot Validation, OWASP ZAP, Manual Review

package/skill-assets/sunlint-code-quality/rules/java/S026-tls-encryption.md ADDED Viewed

@@ -0,0 +1,57 @@
+---
+title: TLS Encryption For All Connections
+impact: CRITICAL
+impactDescription: protects data in transit from interception and tampering
+tags: tls, encryption, https, transport, security, java
+---
+## TLS Encryption For All Connections
+All network communications, whether between the client and server or between internal services, must be encrypted using TLS. Unencrypted connections (HTTP, raw JDBC) allow attackers to perform Man-in-the-Middle (MitM) attacks to steal sensitive data.
+**Incorrect (unencrypted connections):**
+```java
+// VULNERABLE: Using HTTP instead of HTTPS
+HttpClient client = HttpClient.newHttpClient();
+HttpRequest request = HttpRequest.newBuilder()
+    .uri(URI.create("http://api.production.sun-asterisk.vn/data"))
+    .build();
+// VULNERABLE: Unencrypted database connection
+String url = "jdbc:postgresql://db.sun-asterisk.vn:5432/mydb";
+```
+**Correct (TLS everywhere):**
+```java
+// 1. HTTPS for all external API calls
+HttpRequest request = HttpRequest.newBuilder()
+    .uri(URI.create("https://api.production.sun-asterisk.vn/data"))
+    .build();
+// 2. TLS for Database connections
+String url = "jdbc:postgresql://db.sun-asterisk.vn:5432/mydb?ssl=true";
+// 3. Enabling HSTS to force browsers to use HTTPS
+// In Spring Security:
+// http.headers(headers -> headers
+//     .httpStrictTransportSecurity(hsts -> hsts
+//         .includeSubDomains(true)
+//         .maxAgeInSeconds(31536000)
+//     )
+// );
+// 4. Redirecting HTTP to HTTPS
+// http.requiresChannel(channel -> channel
+//     .anyRequest().requiresSecure()
+// );
+```
+**Requirements:**
+- All endpoints must strictly use HTTPS.
+- Plain HTTP requests must be redirected to HTTPS.
+- Use HSTS (`Strict-Transport-Security`) headers to prevent protocol downgrade attacks.
+- Ensure internal service-to-service communication is also encrypted.
+**Tools:** OWASP ZAP, SSLyze, Qualys SSL Labs, Manual Review

package/skill-assets/sunlint-code-quality/rules/java/S027-mtls-validation.md ADDED Viewed

@@ -0,0 +1,26 @@
+---
+title: Validate mTLS Certificates Before Auth
+impact: HIGH
+impactDescription: ensures that only clients with valid, trusted certificates can access the service
+tags: tls, mtls, authentication, security, java
+---
+## Validate mTLS Certificates Before Auth
+In a mutual TLS (mTLS) setup, the server must verify the client's certificate before allowing the request to proceed. This provides strong, certificate-based authentication.
+**Implementation (Spring Security):**
+```java
+// http.x509(x509 -> x509
+//     .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
+//     .userDetailsService(myUserDetailsService)
+// );
+```
+**Key Points:**
+- Ensure the Truststore only contains the CAs you explicitly trust.
+- Verify expiration and revocation status of the client certificate.
+- Link the Certificate's Common Name (CN) or Subject Alternative Name (SAN) to a specific user/service identity.
+**Tools:** OpenSSL, Spring Security X.509

package/skill-assets/sunlint-code-quality/rules/java/S028-upload-limits.md ADDED Viewed

@@ -0,0 +1,35 @@
+---
+title: Limit Upload File Size And Count
+impact: MEDIUM
+impactDescription: prevents Denial of Service (DoS) attacks via disk exhaustion or memory pressure
+tags: uploads, dos, security, java
+---
+## Limit Upload File Size And Count
+Unrestricted file uploads allow an attacker to crash the server by sending massive files or thousands of small files, filling up disk space or consuming all available memory.
+**Incorrect (no limits):**
+```java
+// VULNERABLE: No limit on size
+@PostMapping("/upload")
+public void handleUpload(@RequestParam("file") MultipartFile file) {
+    file.transferTo(new File("/uploads/" + file.getOriginalFilename()));
+}
+```
+**Correct (configured limits):**
+```java
+// 1. Spring Boot Configuration (application.properties)
+// spring.servlet.multipart.max-file-size=2MB
+// spring.servlet.multipart.max-request-size=10MB
+// 2. Manual check
+if (file.getSize() > 2 * 1024 * 1024) {
+    throw new BadRequestException("File too large");
+}
+```
+**Tools:** Spring Boot Multipart Properties, OWASP ZAP

package/skill-assets/sunlint-code-quality/rules/java/S029-csrf-protection.md ADDED Viewed

@@ -0,0 +1,35 @@
+---
+title: Apply CSRF Protection
+impact: HIGH
+impactDescription: prevents Cross-Site Request Forgery attacks that could execute actions on behalf of the user
+tags: csrf, security, java
+---
+## Apply CSRF Protection
+CSRF attacks trick a logged-in user into sending a request to your application (e.g., via a hidden form on a malicious site). If the application relies only on cookies for authentication, the browser will include them, and the attack will succeed.
+**Incorrect (no CSRF protection):**
+```java
+// VULNERABLE: Spring Security disabled CSRF
+http.csrf(csrf -> csrf.disable());
+```
+**Correct (enabled and configured CSRF):**
+```java
+// 1. Spring Security (Enabled by default)
+// For SPAs (Stateless/JWT):
+// http.csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()));
+// 2. In Thymeleaf forms (automatic token insertion):
+// <form th:action="@{/logout}" method="post">
+```
+**Defense Strategies:**
+- **Synchronizer Token Pattern:** Include a random token in every state-changing request (POST, PUT, DELETE).
+- **SameSite Cookie Attribute:** Set `SameSite=Lax` or `Strict`.
+- **Custom Headers:** For AJAX requests, require a custom header (e.g., `X-Requested-With`) which cannot be added cross-site without CORS permission.
+**Tools:** Spring Security, OWASP ZAP

package/skill-assets/sunlint-code-quality/rules/java/S030-directory-browsing.md ADDED Viewed

@@ -0,0 +1,38 @@
+---
+title: Disable Directory Browsing
+impact: MEDIUM
+impactDescription: prevents attackers from seeing the directory structure and identifying sensitive files
+tags: configuration, server, directory-browsing, security, java
+---
+## Disable Directory Browsing
+If directory browsing is enabled, an attacker visiting a folder without an `index.html` file can see all files in that directory. This often leads to the discovery of sensitive configuration files, source code backups, or uploaded data.
+**How to Disable:**
+**1. In Embedded Tomcat (Spring Boot):**
+It is disabled by default. Do not change the `server.tomcat.basedir` to a public-facing path without index files.
+**2. In Standard `web.xml` (Legacy):**
+```xml
+<servlet>
+    <servlet-name>default</servlet-name>
+    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
+    <init-param>
+        <param-name>listings</param-name>
+        <param-value>false</param-value> <!-- SECURE: Set to false -->
+    </init-param>
+</servlet>
+```
+**3. Using Spring Security:**
+```java
+// Prevent direct access to static resource directories
+http.authorizeHttpRequests(auth -> auth
+    .requestMatchers("/static/**").permitAll()
+    .requestMatchers("/config/**").denyAll()
+);
+```
+**Tools:** OWASP ZAP, Manual Review