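Kingdom: Security Features

Software security is not security software. Here we are concerned with topics such as authentication, access control, confidentiality, cryptography, and privilege management.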

Spring Boot Misconfiguration: DevTools Enabled

Abstract
The Spring Boot application is configured in developer mode.
Explanation
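The Spring Boot application has DevTools enabled. DevTools include an additional set of tools that can make the application development experience more pleasant, but using DevTools on applications in a production environment is not recommended. As stated in the official Spring Boot documentation: "Enabling spring-boot-devtools on a remote application is a security risk. You should never enable support on a production deployment."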
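A release-pipeline check for this finding, added here as an example and not taken from the original page or from the Spring project: it inspects a packaged archive for a bundled `spring-boot-devtools` library and for the `spring.devtools.remote.secret` property that switches on remote support. The function names and the sample archive are assumptions made for illustration; only `.properties` files are inspected.

```python
import io
import re
import zipfile

# Executable Spring Boot jars keep dependencies under BOOT-INF/lib/ (wars: WEB-INF/lib/).
DEVTOOLS_JAR = re.compile(r"(BOOT-INF|WEB-INF)/lib/spring-boot-devtools-[^/]*\.jar$")
# Setting this property is what switches on DevTools remote support.
REMOTE_SECRET = re.compile(r"^\s*spring\.devtools\.remote\.secret\s*[=:]", re.MULTILINE)
CONFIG_FILE = re.compile(r"(BOOT-INF|WEB-INF)/classes/application[^/]*\.properties$")


def audit_archive(data: bytes) -> list[str]:
    """Return findings for a packaged Spring Boot archive given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for name in archive.namelist():
            if DEVTOOLS_JAR.search(name):
                findings.append(f"devtools library packaged: {name}")
            elif CONFIG_FILE.search(name):
                text = archive.read(name).decode("utf-8", errors="replace")
                if REMOTE_SECRET.search(text):
                    findings.append(f"devtools remote secret set in: {name}")
    return findings


def build_sample(with_devtools: bool) -> bytes:
    """Constructed sample archive (not a real application); versions are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("BOOT-INF/lib/spring-boot-3.2.0.jar", b"")
        props = "server.port=8080\n"
        if with_devtools:
            archive.writestr("BOOT-INF/lib/spring-boot-devtools-3.2.0.jar", b"")
            props += "spring.devtools.remote.secret=placeholder-value\n"
        archive.writestr("BOOT-INF/classes/application.properties", props)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_archive(build_sample(with_devtools=True)):
        print("FINDING:", finding)
```

Failing the build when `audit_archive` returns any finding keeps a development-mode artifact from reaching a production deployment.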
References
[1] Spring Boot Reference Guide Spring
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[4] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[5] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[6] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[7] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[8] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 2.2.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 2.2.6
[11] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.spring_boot_misconfiguration_devtools_enabled