Skip to content

Security

Bootstrap skills prioritize a runnable structure. Security hardening is intentional follow-on work. Use this guide when extending generated applications.

  • Do not expose sensitive Actuator or admin endpoints by default
  • Validate and sanitize untrusted input at API boundaries
  • Avoid embedding secrets in source or example configs
  • Prefer least-privilege dependencies and keep versions current
  • Document authentication/authorization as explicit follow-up when not generated
Add centralized exception handling that does not leak stack traces to clients.
Add authentication and authorization appropriate for a public REST API.
Document the threat model assumptions in README.