HighFile-scopeJava Plug & play

Enforce HTTPS, HSTS, and session policy

Use Spring Security to require HTTPS, enable HSTS, set session fixation protection, and configure SameSite, Secure, HttpOnly cookies.

Add to Mesrai Open workspace

Why this matters

Aligns with SOC 2 encryption and session security.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

@Bean SecurityFilterChain f(HttpSecurity http) throws Exception { return http.build(); }

Prefer

@Bean SecurityFilterChain f(HttpSecurity http) throws Exception { http.requiresChannel(c->c.anyRequest().requiresSecure()).headers(h->h.httpStrictTransportSecurity().includeSubDomains(true).maxAgeInSeconds(31536000)); return http.build(); }

More snippets

Good

http.requiresChannel(c->c.anyRequest().requiresSecure())

Bad

http.requiresChannel(c->c.anyRequest().requiresInsecure())

Related rules

From the same buckets as this rule.

Critical
Encrypt sensitive data at rest with KMS and rotate keys
Use envelope encryption (AES-256-GCM) with cloud KMS-managed CMKs for databases, object storage, and backups. Rotate CMKs at least annually and rotate DEKs per object/file.
compliance-soc2-essentialssecrets-credentials+1
Critical
Enforce TLS 1.2+ and HSTS on all external endpoints
Public services must require TLSv1.2 or higher and set HSTS (max-age ≥ 15552000, includeSubDomains). Reject plaintext HTTP and weak ciphers; cookies must be Secure and HttpOnly with SameSite set.
compliance-soc2-essentialssecurity-hardening+1
Critical
Use a secrets manager and 90-day rotation policy
All credentials (API keys, DB passwords, tokens) must be stored in a secrets manager with automatic rotation ≤ 90 days; forbid hardcoded or .env-committed secrets via CI checks.
compliance-soc2-essentialssecrets-credentials+1

Why this matters

Bad vs. good

More snippets

Related rules

Encrypt sensitive data at rest with KMS and rotate keys

Enforce TLS 1.2+ and HSTS on all external endpoints

Use a secrets manager and 90-day rotation policy

Why this matters

Bad vs. good

More snippets

Related rules

Encrypt sensitive data at rest with KMS and rotate keys

Enforce TLS 1.2+ and HSTS on all external endpoints

Use a secrets manager and 90-day rotation policy