FREE checks focus on baseline production readiness and hygiene. They are safe to run in all environments and do not require a license.
Default Severity: ERROR
Tier: FREE
Root or global logging level is set to a verbose level (e.g. DEBUG/TRACE) in a production-like run.
Verbose logging in production can degrade performance and may leak sensitive data.
logging.level.root=INFO
logging.level.com.myapp=DEBUG

Default Severity: WARN
Tier: FREE
Detects whether SQL logging is enabled in production.
SQL logging can produce very large logs and may reveal sensitive query details.
spring.jpa.show-sql=false
spring.jpa.properties.hibernate.format_sql=false

Default Severity: ERROR
Tier: FREE
Application returns stack traces in HTTP error responses.
Stack traces leak implementation details.
server.error.include-stacktrace=never

Default Severity: WARN
Tier: FREE
Actuator endpoints are exposed with permissive defaults.
Unrestricted actuator endpoints may leak sensitive runtime information.
management.endpoints.web.exposure.include=health,info
management.endpoint.health.show-details=never

Default Severity: ERROR
Tier: FREE
TLS/HTTPS is not configured or insecure TLS settings are detected.
Unencrypted traffic exposes credentials and data in transit.
server.ssl.key-store=classpath:keystore.jks
# supply the keystore password from an environment variable or a secret store rather than a committed literal
server.ssl.key-store-password=secret
server.port=8443

Default Severity: WARN
Tier: FREE
Detects when no infrastructure for the common security headers is configured.
Missing headers make the app more vulnerable to clickjacking, MIME sniffing, and referrer leakage.
Configure strict security headers in the framework or at the proxy.

Default Severity: WARN
Tier: FREE
CSRF protection is disabled globally or for endpoints that should be protected.
CSRF vulnerabilities allow attackers to execute actions on behalf of authenticated users.
Enable CSRF protection or explicitly document safe exceptions.

Default Severity: WARN
Tier: FREE
JVM maximum heap size is not tuned in production.
Untuned heap settings can cause OOM errors or poor GC behavior.
JAVA_OPTS="-Xms512m -Xmx2g -XX:+UseG1GC"

Default Severity: WARN
Tier: FREE
Connection pool size is not explicitly configured.
Defaults may not fit the workload.
spring.datasource.hikari.maximum-pool-size=20

Default Severity: WARN
Tier: FREE
No HTTP request timeout is configured.
Stuck requests exhaust resources.
spring.mvc.async.request-timeout=30s
# on Spring Boot 2.3 and later the server-specific key (e.g. server.tomcat.connection-timeout) replaces server.connection-timeout
server.connection-timeout=30s

Default Severity: WARN
Tier: FREE
spring.jpa.open-in-view is enabled.
Keeping the persistence context open for the whole request masks inefficient (lazy-loading) queries.
spring.jpa.open-in-view=false

Default Severity: WARN
Tier: FREE
Graceful shutdown is disabled.
In-flight requests are terminated abruptly.
server.shutdown=graceful
spring.lifecycle.timeout-per-shutdown-phase=30s

Category: Web / Security
Default Severity: WARN
Tier: FREE
CORS policy is overly permissive.
A permissive CORS policy enables cross-origin attacks.
Restrict allowed origins, methods, and headers.

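The FREE checks above are static checks on configuration. As an added example (not ProdGuard's own code, which this page does not show), the following Python script applies several of them to a Spring Boot application.properties file: verbose root logging, SQL logging, stack traces in error responses, actuator exposure, missing TLS keystore, pool size, open-in-view and graceful shutdown. The defaults it assumes for absent keys (Spring Boot's documented defaults) and the finding messages are this example's assumptions, not the tool's rules; the two property sets are constructed samples.

```python
# Added example (not ProdGuard's own code): a small static checker that applies
# several of the FREE checks to a Spring Boot application.properties file.
# Defaults assumed for absent keys and the messages are this example's assumptions.
import re

VERBOSE_LEVELS = {"debug", "trace", "all"}
SAFE_EXPOSURE = {"health", "info"}


def parse_properties(text):
    """Parse Java .properties lines (key=value or key: value, '#'/'!' comments) into a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def run_free_checks(props):
    """Return a list of (severity, message) findings for a parsed properties dict."""
    findings = []
    level = props.get("logging.level.root", "").lower()
    if level in VERBOSE_LEVELS:
        findings.append(("ERROR", f"root logging level is {level.upper()}"))
    if props.get("spring.jpa.show-sql", "false").lower() == "true":
        findings.append(("WARN", "SQL logging is enabled (spring.jpa.show-sql=true)"))
    # assumed default 'never' (Spring Boot 2.3+); anything else includes traces in responses
    stacktrace = props.get("server.error.include-stacktrace", "never").lower()
    if stacktrace != "never":
        findings.append(("ERROR", f"stack traces included in error responses ({stacktrace})"))
    raw_exposure = props.get("management.endpoints.web.exposure.include", "health")
    exposure = {e.strip() for e in raw_exposure.split(",") if e.strip()}
    extra = exposure - SAFE_EXPOSURE
    if "*" in exposure or extra:
        findings.append(("WARN", f"actuator endpoints exposed beyond health/info: {sorted(extra)}"))
    if "server.ssl.key-store" not in props:
        findings.append(("ERROR", "no server.ssl.key-store configured: TLS is not enabled"))
    if "spring.datasource.hikari.maximum-pool-size" not in props:
        findings.append(("WARN", "connection pool size not explicitly configured"))
    # Spring Boot defaults open-in-view to true, so only an explicit 'false' passes
    if props.get("spring.jpa.open-in-view", "true").lower() != "false":
        findings.append(("WARN", "spring.jpa.open-in-view is enabled"))
    if props.get("server.shutdown", "immediate").lower() != "graceful":
        findings.append(("WARN", "graceful shutdown is disabled"))
    return findings


# Constructed sample of a production-unsafe configuration (not a real deployment).
SAMPLE_PROPERTIES = """
# constructed sample
logging.level.root=DEBUG
spring.jpa.show-sql=true
server.error.include-stacktrace=always
management.endpoints.web.exposure.include=*
spring.jpa.open-in-view=true
"""

# Constructed sample using the hardened values recommended above.
HARDENED_PROPERTIES = """
logging.level.root=INFO
spring.jpa.show-sql=false
server.error.include-stacktrace=never
management.endpoints.web.exposure.include=health,info
server.ssl.key-store=classpath:keystore.jks
server.port=8443
spring.datasource.hikari.maximum-pool-size=20
spring.jpa.open-in-view=false
server.shutdown=graceful
"""

if __name__ == "__main__":
    for severity, message in run_free_checks(parse_properties(SAMPLE_PROPERTIES)):
        print(f"[{severity}] {message}")
```

The unsafe sample yields eight findings (three ERROR, five WARN); the hardened sample yields none. Properties set through environment variables or profile-specific files are not seen by a checker like this, which is why the PREMIUM checks below validate the running application instead.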
PREMIUM checks validate effective runtime behavior by performing real HTTP/HTTPS requests against the running application.
They account for filters, reverse proxies, and load balancers.
These checks require a valid license.
Severity: ERROR
Tier: PREMIUM
Validates the effective HTTP security headers returned by the application at runtime.
Missing headers expose users to browser-based attacks.
Ensure security headers are effectively applied at runtime.

Severity: ERROR
Tier: PREMIUM
Verifies that HTTP traffic is redirected to HTTPS or explicitly rejected.
Allowing plain HTTP exposes credentials and sessions.
Enforce HTTPS via the application or the infrastructure.

Severity: ERROR
Tier: PREMIUM
Validates the Strict-Transport-Security header returned at runtime.
Without HSTS, browsers may downgrade connections.
Strict-Transport-Security: max-age=31536000; includeSubDomains

Severity: ERROR
Tier: PREMIUM
Validates the effective Content-Security-Policy header.
A weak CSP allows XSS and script injection attacks.
Define a strict CSP without unsafe directives.

Severity: ERROR
Tier: PREMIUM
Inspects cookies returned at runtime for the Secure, HttpOnly, and SameSite flags.
Weak cookie flags enable session hijacking.
Configure secure cookie attributes.

Severity: ERROR
Tier: PREMIUM
Validates iframe protection via X-Frame-Options or CSP frame-ancestors.
Clickjacking can trick users into unintended actions.
Deny framing or define a strict frame-ancestors directive.

Severity: WARN
Tier: PREMIUM
Validates the effective Referrer-Policy header.
Weak policies may leak sensitive URLs.
Set a restrictive referrer policy.

Severity: WARN
Tier: PREMIUM
Validates the Permissions-Policy header at runtime.
Permissive policies allow unintended browser feature access.
Explicitly restrict unused browser features.

Severity: WARN
Tier: PREMIUM
Validates the Cross-Origin-Opener-Policy header.
A weak COOP enables XS-Leaks and side-channel attacks.
Cross-Origin-Opener-Policy: same-origin

Severity: WARN
Tier: PREMIUM
Detects version strings in the Server header (e.g. Apache/2.4.51, nginx/1.25, Tomcat/10.1) and flags the presence of X-Powered-By unconditionally, regardless of its value.
Exposing server software versions gives attackers precise information to search for known CVEs targeting your exact stack. Even without a version, X-Powered-By unnecessarily reveals the underlying technology.
Set server.server-header to an empty value in your application configuration to suppress the Server header. Disable X-Powered-By by configuring Spring Security headers or by removing it at the reverse proxy.

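The runtime header checks above (HSTS, CSP, cookie flags, framing protection, Referrer-Policy, Permissions-Policy, COOP and the Server/X-Powered-By leak) share one evaluation step: take the headers of a real response and compare each against an acceptable value. The following Python code is an added example of that step and is not ProdGuard's code; it evaluates a captured response's headers and Set-Cookie values (constructed inline here) and returns findings. The accepted values and thresholds are assumptions, not the tool's rules: an HSTS max-age of at least one year, only same-origin accepted for COOP, unsafe-url and no-referrer-when-downgrade treated as permissive referrer policies, and 'unsafe-inline'/'unsafe-eval' treated as the unsafe CSP keywords.

```python
# Added example (not ProdGuard's own code): evaluates a captured HTTP response's
# headers against the runtime header checks described on this page. Header names
# are matched case-insensitively; thresholds and accepted values are assumptions.
import re

HSTS_MIN_AGE = 31536000  # one year, matching the example header on this page


def _get(headers, name):
    """Case-insensitive single-header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_response_headers(headers, set_cookies=()):
    """Return a list of (severity, message) findings for one response."""
    findings = []
    hsts = _get(headers, "Strict-Transport-Security")
    m = re.search(r"max-age=(\d+)", hsts or "", re.I)
    if not m or int(m.group(1)) < HSTS_MIN_AGE:
        findings.append(("ERROR", "HSTS missing or max-age below one year"))
    csp = _get(headers, "Content-Security-Policy")
    if not csp:
        findings.append(("ERROR", "Content-Security-Policy missing"))
    elif re.search(r"'unsafe-(inline|eval)'", csp):
        findings.append(("ERROR", "CSP allows 'unsafe-inline' or 'unsafe-eval'"))
    for cookie in set_cookies:
        # attributes follow the first ';'; compare their names case-insensitively
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        missing = {"secure", "httponly", "samesite"} - attrs
        if missing:
            findings.append(("ERROR", f"cookie {cookie.split('=')[0]} lacks {sorted(missing)}"))
    xfo = (_get(headers, "X-Frame-Options") or "").upper()
    if xfo not in {"DENY", "SAMEORIGIN"} and not (csp and "frame-ancestors" in csp):
        findings.append(("ERROR", "no clickjacking protection (X-Frame-Options / frame-ancestors)"))
    referrer = (_get(headers, "Referrer-Policy") or "").lower()
    if referrer in {"", "unsafe-url", "no-referrer-when-downgrade"}:
        findings.append(("WARN", "Referrer-Policy missing or permissive"))
    if not _get(headers, "Permissions-Policy"):
        findings.append(("WARN", "Permissions-Policy missing"))
    if (_get(headers, "Cross-Origin-Opener-Policy") or "").lower() != "same-origin":
        findings.append(("WARN", "Cross-Origin-Opener-Policy is not same-origin"))
    server = _get(headers, "Server") or ""
    if re.search(r"/\d", server):  # e.g. Apache/2.4.51: product followed by a version
        findings.append(("WARN", f"Server header reveals version: {server}"))
    if _get(headers, "X-Powered-By") is not None:  # flagged regardless of value
        findings.append(("WARN", "X-Powered-By header present"))
    return findings


# Constructed sample responses (not captured from any real system).
WEAK_HEADERS = {
    "Server": "Apache/2.4.51",
    "X-Powered-By": "Servlet/4.0",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Referrer-Policy": "unsafe-url",
}
WEAK_COOKIES = ["JSESSIONID=abc123; Path=/"]

HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Server": "",
}
HARDENED_COOKIES = ["JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for severity, message in check_response_headers(WEAK_HEADERS, WEAK_COOKIES):
        print(f"[{severity}] {message}")
```

The weak sample produces nine findings (four ERROR, five WARN) and the hardened sample none. Because the check works on the response actually received, headers stripped or added by a proxy in front of the application are reflected in the result, which is the point of validating at runtime rather than in configuration.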
Severity: ERROR
Tier: PREMIUM
Sends requests to /actuator/env, /actuator/heapdump, /actuator/shutdown, /actuator/beans and /actuator/mappings. Any endpoint returning HTTP 200 without authentication is reported.
Exposed Actuator endpoints can leak environment variables including secrets, allow full heap memory dumps, reveal internal bean wiring, or enable remote shutdown of the application.
Restrict the exposed endpoints to only health and info via management.endpoints.web.exposure.include. Protect the actuator path with Spring Security requiring an ADMIN role, or move the management port to an internal-only network interface using management.server.port.

Severity: ERROR
Tier: PREMIUM
Verifies that the TLS certificate served by the application is not expired or about to expire.
This check performs a real TLS handshake against the running application and inspects the X.509 certificate presented by the server. It raises a warning when expiry is within 30 days and an error when expiry is within 7 days or the certificate has already expired.
An expired certificate causes all browsers and HTTP clients to reject the connection entirely, resulting in a complete production outage. Certificate expiry is one of the most preventable yet common causes of downtime.
Renew the certificate before it expires. For Let's Encrypt, configure automatic renewal via certbot renew. For embedded keystores, replace the keystore.p12 file with the renewed certificate and restart the application. ProdGuard emits a WARN 30 days before expiry, giving enough lead time to act before it escalates to ERROR.
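As an added example of the expiry check described above (this is not ProdGuard's code), the following Python code classifies a certificate's notAfter date against the 30-day and 7-day thresholds and includes a standard-library helper that performs a real TLS handshake to read the date from a live endpoint. The boundary handling (30 days or fewer is WARN, 7 days or fewer or already expired is ERROR) and the handling of a failed handshake are this example's assumptions. Note the failure mode: with default certificate verification, an already-expired certificate fails the handshake before notAfter can be read, so the helper reports that as an ERROR rather than crashing.

```python
# Added example (not ProdGuard's own code): classify TLS certificate expiry against
# the 30-day / 7-day thresholds and fetch notAfter via a real handshake (stdlib only).
# Boundary handling and the treatment of a failed handshake are assumptions.
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30
ERROR_DAYS = 7


def classify_expiry(not_after, now=None):
    """Return (severity, days_left) for a certificate expiring at not_after (tz-aware UTC)."""
    now = now or datetime.now(timezone.utc)
    days_left = (not_after - now).total_seconds() / 86400
    if days_left < 0:
        return ("ERROR", days_left)  # already expired: every client rejects the connection
    if days_left <= ERROR_DAYS:
        return ("ERROR", days_left)
    if days_left <= WARN_DAYS:
        return ("WARN", days_left)
    return ("OK", days_left)


def parse_cert_time(cert_time):
    """Convert the 'notAfter' string from ssl.getpeercert() (e.g. 'Jan  5 09:34:43 2018 GMT') to UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def fetch_not_after(host, port=443, timeout=5.0):
    """Perform a real TLS handshake and return the leaf certificate's notAfter as a UTC datetime."""
    ctx = ssl.create_default_context()  # verifies the chain and hostname like a browser would
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()  # parsed dict; only populated when verification succeeded
    return parse_cert_time(cert["notAfter"])


def check_endpoint(host, port=443, now=None):
    """Run the expiry check against a live endpoint; a failed verification is itself an ERROR."""
    try:
        not_after = fetch_not_after(host, port)
    except ssl.SSLCertVerificationError as exc:
        # An expired (or otherwise untrusted) certificate fails the handshake before
        # notAfter can be read; that is exactly the outage the check exists to prevent.
        return ("ERROR", None, f"certificate verification failed: {exc.verify_message}")
    severity, days_left = classify_expiry(not_after, now)
    return (severity, days_left, f"certificate expires {not_after.isoformat()}")


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # placeholder target
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    print(check_endpoint(host, port))
```

Run it as python check_cert.py <host> <port> against your own service. Because the helper uses the default verifying context, a self-signed test certificate will also be reported as a verification failure; that is the same answer a real client would give, which is the behaviour a runtime check should reflect.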