Security
Bootstrap skills prioritize a runnable structure. Security hardening is intentional follow-on work. Use this guide when extending generated applications.
Baseline practices
Section titled “Baseline practices”- Do not expose sensitive Actuator or admin endpoints by default
- Validate and sanitize untrusted input at API boundaries
- Avoid embedding secrets in source or example configs
- Prefer least-privilege dependencies and keep versions current
- Document authentication/authorization as explicit follow-up when not generated
Prompt patterns
Section titled “Prompt patterns”Add centralized exception handling that does not leak stack traces to clients.Add authentication and authorization appropriate for a public REST API.Document the threat model assumptions in README.Related material
Section titled “Related material”- Framework pages under
/languages/java/frameworks/ - Future dedicated security skills on the roadmap