FREE checks focus on baseline production readiness and hygiene. They are safe to run in all environments and do not require a license.
Category: Logging / Observability
Default Severity: ERROR
Tier: FREE
Root or global logging level is set to a verbose level (e.g. DEBUG or TRACE) in a production-like run.
Verbose logging in production degrades throughput, inflates log volume and storage cost, and routinely writes request payloads, tokens or personal data into logs.
Keep the root logger at INFO (or WARN); if DEBUG output is needed for one component, scope it to that package rather than the root, and remove it once the investigation is over:
logging.level.root=INFO
logging.level.com.myapp=DEBUG

Category: Persistence / Observability
Default Severity: WARN
Tier: FREE
Detects SQL statement logging enabled in a production-like run.
SQL logging produces very large logs and writes literal statements (and, with trace-level Hibernate logging, bound parameter values) to disk, which reveals schema details and can expose sensitive data. Note that logging.level.org.hibernate.SQL=DEBUG produces the same output through the logging framework and should be disabled as well.
spring.jpa.show-sql=false
spring.jpa.properties.hibernate.format_sql=false

Category: Security / Web
Default Severity: ERROR
Tier: FREE
Application returns stack traces in HTTP error responses.
Stack traces reveal class names, library versions and file paths that let an attacker fingerprint the stack and target known weaknesses. Consider suppressing the exception message as well (server.error.include-message=never).
server.error.include-stacktrace=never

Category: Observability / Security
Default Severity: WARN
Tier: FREE
Actuator endpoints beyond health and info are exposed over HTTP, or health details are shown to unauthenticated callers.
Endpoints such as env, configprops, heapdump and threaddump reveal configuration values, credentials and memory contents. Expose only what operators need, and put anything beyond health and info behind authentication.
management.endpoints.web.exposure.include=health,info
management.endpoint.health.show-details=never

Category: Security
Default Severity: ERROR
Tier: FREE
TLS/HTTPS is not configured, or insecure TLS settings are detected.
Unencrypted traffic exposes credentials, session cookies and data in transit to anyone on the network path. Terminating TLS at a reverse proxy or load balancer is acceptable as long as the hop to the application is itself protected.
server.ssl.key-store=classpath:keystore.jks
server.ssl.key-store-password=secret
server.port=8443
Do not commit the keystore password to application.properties as a literal; supply it from an environment variable or a secret store instead.

Category: Security / HTTP
Default Severity: WARN
Tier: FREE
Detects that no security-header configuration is present in the application or in the infrastructure in front of it.
Without headers such as X-Frame-Options (or CSP frame-ancestors), X-Content-Type-Options and Referrer-Policy, the application is more exposed to clickjacking, MIME sniffing and referrer leakage.
Configure strict security headers in the framework (Spring Security's headers configuration) or at the reverse proxy; the PREMIUM checks below verify what is actually returned to clients.

Category: Security / Web
Default Severity: WARN
Tier: FREE
CSRF protection is disabled globally, or for endpoints that should be protected.
Without CSRF protection, a malicious site can make a victim's browser submit state-changing requests that carry the victim's session cookie, so the action executes as the authenticated user.
Enable CSRF protection, or explicitly document the exceptions. Purely stateless APIs authenticated by a bearer token in a request header are the usual legitimate exception; anything authenticated by a cookie is not.

Category: Runtime / JVM
Default Severity: WARN
Tier: FREE
JVM maximum heap size is not tuned in production.
An untuned heap can cause OutOfMemoryError under load or long garbage-collection pauses.
JAVA_OPTS="-Xms512m -Xmx2g -XX:+UseG1GC"
In containers, a percentage-based limit (-XX:MaxRAMPercentage) that follows the cgroup memory limit is usually preferable to a fixed -Xmx.

Category: Persistence / Database
Default Severity: WARN
Tier: FREE
Connection pool size is not explicitly configured.
HikariCP's default of 10 connections may be too small for the workload, or too large for the database's connection limit once several instances run against it.
spring.datasource.hikari.maximum-pool-size=20

Category: Web / Performance
Default Severity: WARN
Tier: FREE
No HTTP request timeout is configured.
Slow or stuck requests hold threads and connections until the pool is exhausted, which makes for an easy denial of service.
spring.mvc.async.request-timeout=30s
server.connection-timeout=30s
Note that spring.mvc.async.request-timeout applies only to asynchronous request processing, and that server.connection-timeout has been deprecated and removed in recent Spring Boot versions in favour of server-specific properties (server.tomcat.connection-timeout, server.jetty.connection-idle-timeout, server.netty.connection-timeout).

Category: Persistence
Default Severity: WARN
Tier: FREE
spring.jpa.open-in-view is enabled (Spring Boot's default).
Open Session In View keeps the persistence context open for the whole request, including view rendering, which can tie up a database connection for slow clients and hides lazy-loading N+1 queries that would otherwise fail fast.
spring.jpa.open-in-view=false

Category: Runtime / Lifecycle
Default Severity: WARN
Tier: FREE
Graceful shutdown is disabled (Spring Boot's default is an immediate shutdown).
In-flight requests are terminated abruptly during deployments and scale-down, producing client errors and half-completed work.
server.shutdown=graceful
spring.lifecycle.timeout-per-shutdown-phase=30s

Category: Web / Security
Default Severity: WARN
Tier: FREE
CORS policy is overly permissive.
Allowing arbitrary origins, especially together with credentials, lets a malicious site make authenticated cross-origin requests and read the responses.
Restrict origins to an explicit allow-list, and limit methods and headers to what the front end actually needs.

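As an added illustration (not the tool's own code) of how the FREE checks above can be applied statically, the following Python script parses an application.properties file and re-implements a subset of the rules, then runs them over two constructed configurations: a risky one and a hardened one. The check identifiers, the hard-coded-keystore-password rule and both sample files are constructed for this example; the defaults assumed for absent keys (open-in-view true, immediate shutdown, TLS enabled whenever a key store is set) are Spring Boot's own.

```python
"""Static checks over a Spring Boot application.properties file.

Added example, not the tool's implementation: each rule reads the relevant
property and reports a finding with the severity the check list above uses.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "check severity message")

VERBOSE = {"DEBUG", "TRACE", "ALL"}
SAFE_ACTUATOR = {"health", "info"}

def parse_properties(text: str) -> dict[str, str]:
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':'
    separators, backslash continuation lines; keys lower-cased for lookup."""
    props: dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        key, value = (line[:min(seps)], line[min(seps) + 1:]) if seps else (line, "")
        props[key.strip().lower()] = value.strip()
    return props

def run_free_checks(props: dict[str, str]) -> list[Finding]:
    def get(key: str, default: str = "") -> str:
        return props.get(key, default)
    f: list[Finding] = []
    if get("logging.level.root").upper() in VERBOSE:
        f.append(Finding("verbose-root-logging", "ERROR", f"logging.level.root={get('logging.level.root')}"))
    if (get("spring.jpa.show-sql").lower() == "true"
            or get("logging.level.org.hibernate.sql").upper() in VERBOSE):
        f.append(Finding("sql-logging", "WARN", "SQL statement logging is enabled"))
    trace = get("server.error.include-stacktrace", "never").lower()
    if trace != "never":
        f.append(Finding("stacktrace-in-response", "ERROR", f"server.error.include-stacktrace={trace}"))
    exposed = {e.strip() for e in get("management.endpoints.web.exposure.include").split(",") if e.strip()}
    if "*" in exposed or exposed - SAFE_ACTUATOR:
        f.append(Finding("actuator-exposure", "WARN", f"exposed endpoints: {sorted(exposed)}"))
    if get("management.endpoint.health.show-details").lower() == "always":
        f.append(Finding("health-details", "WARN", "health details shown to all callers"))
    if not get("server.ssl.key-store") or get("server.ssl.enabled", "true").lower() == "false":
        f.append(Finding("tls-not-configured", "ERROR", "no server.ssl.key-store, or SSL disabled"))
    password = get("server.ssl.key-store-password")
    if password and not password.startswith("${"):   # literal secret rather than a placeholder
        f.append(Finding("hardcoded-keystore-password", "WARN", "keystore password is a literal"))
    if get("spring.jpa.open-in-view", "true").lower() != "false":
        f.append(Finding("open-in-view", "WARN", "spring.jpa.open-in-view is on (the default)"))
    if get("server.shutdown", "immediate").lower() != "graceful":
        f.append(Finding("graceful-shutdown", "WARN", "server.shutdown is not graceful"))
    if not get("spring.datasource.hikari.maximum-pool-size"):
        f.append(Finding("pool-size", "WARN", "HikariCP maximum pool size not set"))
    return f

def check_text(text: str) -> list[Finding]:
    return run_free_checks(parse_properties(text))

# Constructed sample: a configuration that trips most of the checks.
RISKY = """\
logging.level.root=DEBUG
spring.jpa.show-sql=true
server.error.include-stacktrace=always
management.endpoints.web.exposure.include=health,info,env,heapdump
management.endpoint.health.show-details=always
server.ssl.key-store=classpath:keystore.jks
server.ssl.key-store-password=secret
server.port=8443
spring.datasource.hikari.maximum-pool-size=20
server.shutdown=graceful
"""

# Constructed sample: the same application with the recommended settings.
HARDENED = """\
logging.level.root=INFO
spring.jpa.show-sql=false
server.error.include-stacktrace=never
management.endpoints.web.exposure.include=health,info
management.endpoint.health.show-details=never
server.ssl.key-store=classpath:keystore.jks
server.ssl.key-store-password=${KEYSTORE_PASSWORD}
server.port=8443
spring.jpa.open-in-view=false
server.shutdown=graceful
spring.datasource.hikari.maximum-pool-size=20
"""

if __name__ == "__main__":
    for label, text in (("risky", RISKY), ("hardened", HARDENED)):
        print(label, [(x.severity, x.check) for x in check_text(text)])
```

The risky file yields seven findings (verbose root logging, SQL logging, stack traces, actuator exposure, health details, the literal keystore password, and open-in-view left at its default), while the hardened file yields none. Absent keys are deliberately compared against Spring Boot's defaults, because open-in-view and immediate shutdown are problems precisely when nobody has set them.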
PREMIUM checks validate effective runtime behavior by performing real HTTP/HTTPS requests against the running application.
They account for filters, reverse proxies, and load balancers.
These checks require a valid license.
Severity: ERROR
Tier: PREMIUM
Validates the effective HTTP security headers returned by the application at runtime, as a client sees them after any filter, reverse proxy or load balancer has acted on them.
Missing headers expose users to browser-based attacks such as clickjacking, MIME sniffing and cross-site scripting.
Ensure the headers are present on the responses that actually reach the browser, not merely in application configuration.

Severity: ERROR
Tier: PREMIUM
Verifies that plain HTTP traffic is redirected to HTTPS or explicitly rejected.
Allowing plain HTTP exposes credentials and session cookies in transit and lets an active attacker strip TLS from the first request.
Enforce HTTPS in the application or in the infrastructure in front of it, either by redirecting or by rejecting plain HTTP.

Severity: ERROR
Tier: PREMIUM
Validates the Strict-Transport-Security header returned at runtime.
Without HSTS, browsers may still make plain-HTTP requests to the site, which an attacker on the path can intercept or downgrade. The header is only honoured when received over HTTPS, so it must be present on the HTTPS response; a max-age of one year (31536000 seconds) is the usual minimum, and preload should only be added once every subdomain serves HTTPS.
Strict-Transport-Security: max-age=31536000; includeSubDomains

Severity: ERROR
Tier: PREMIUM
Validates the effective Content-Security-Policy header.
A weak CSP, in particular 'unsafe-inline' or 'unsafe-eval' in script-src or a wildcard script source, leaves XSS and script-injection attacks effective.
Define a strict CSP: a nonce- or hash-based script-src without 'unsafe-inline' or 'unsafe-eval', and a frame-ancestors directive.

Severity: ERROR
Tier: PREMIUM
Inspects cookies returned at runtime for the Secure, HttpOnly and SameSite attributes.
A cookie without Secure can be sent over plain HTTP, without HttpOnly is readable by injected script, and without SameSite is attached to cross-site requests; each makes session theft or session riding easier.
Set Secure, HttpOnly and SameSite=Lax (or Strict) on session cookies. In Spring Boot the session cookie is controlled by server.servlet.session.cookie.secure, server.servlet.session.cookie.http-only and server.servlet.session.cookie.same-site.

Severity: ERROR
Tier: PREMIUM
Validates iframe protection via X-Frame-Options or CSP frame-ancestors.
Clickjacking overlays the application in an invisible frame to trick users into clicking actions they did not intend.
Deny framing (X-Frame-Options: DENY) or define a strict frame-ancestors directive; where both are present, browsers that support frame-ancestors give it precedence.

Severity: WARN
Tier: PREMIUM
Validates the effective Referrer-Policy header.
Weak or missing policies may leak full URLs, including path and query parameters that carry identifiers or tokens, to third-party sites.
Set a restrictive referrer policy such as strict-origin-when-cross-origin or no-referrer.

Severity: WARN
Tier: PREMIUM
Validates the Permissions-Policy header at runtime.
Without a policy, any embedded or injected content can request browser features such as camera, microphone or geolocation in the application's context.
Explicitly disable the browser features the application does not use.

Severity: WARN
Tier: PREMIUM
Validates the Cross-Origin-Opener-Policy header.
Without COOP, a cross-origin page that opens the application keeps a window reference it can probe, enabling XS-Leaks and other side-channel attacks, and the application cannot become cross-origin isolated.
Cross-Origin-Opener-Policy: same-origin
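The PREMIUM checks above are described as evaluating what the browser actually receives. As an added example (not the product's implementation), the following Python script parses a raw HTTP response and scores its headers and Set-Cookie values against the policies listed above, reporting findings with the severities the list uses. The two responses, the one-year HSTS minimum, the set of accepted Referrer-Policy values and the check names are assumptions of this example.

```python
"""Runtime header and cookie evaluation in the spirit of the PREMIUM checks.

Added example, not the tool's implementation: it scores a captured HTTP
response (here two constructed ones) against the policies described above.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "check severity message")

ONE_YEAR = 31536000                       # assumed minimum HSTS max-age
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
UNSAFE_CSP = {"'unsafe-inline'", "'unsafe-eval'", "*"}

def parse_http_response(raw: str) -> dict[str, list[str]]:
    """Raw HTTP/1.1 response -> {lower-cased name: [values]} (Set-Cookie repeats)."""
    headers: dict[str, list[str]] = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:   # [1:] skips the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def first(headers: dict[str, list[str]], name: str) -> str:
    return headers.get(name, [""])[0]

def hsts_max_age(value: str):
    """max-age in seconds from an HSTS value, or None if absent or malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else None
    return None

def csp_directives(value: str) -> dict[str, list[str]]:
    """'default-src 'self'; script-src ...' -> {directive: [sources]}."""
    out: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out

def cookie_attributes(set_cookie: str):
    """Set-Cookie value -> (cookie name, {lower-cased attribute: value})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs: dict[str, str] = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    return parts[0].split("=", 1)[0], attrs

def run_runtime_checks(headers: dict[str, list[str]]) -> list[Finding]:
    f: list[Finding] = []
    hsts = first(headers, "strict-transport-security")
    age = hsts_max_age(hsts)
    if age is None or age < ONE_YEAR or "includesubdomains" not in hsts.lower():
        f.append(Finding("hsts", "ERROR", f"weak or missing HSTS: {hsts!r}"))
    csp = csp_directives(first(headers, "content-security-policy"))
    scripts = csp.get("script-src", csp.get("default-src"))   # script-src falls back to default-src
    if scripts is None or UNSAFE_CSP & set(scripts):
        f.append(Finding("csp", "ERROR", f"weak or missing script policy: {scripts}"))
    ancestors = csp.get("frame-ancestors")
    xfo_ok = first(headers, "x-frame-options").upper() in {"DENY", "SAMEORIGIN"}
    if not xfo_ok and not (ancestors and "*" not in ancestors):
        f.append(Finding("clickjacking", "ERROR", "no X-Frame-Options and no strict frame-ancestors"))
    if first(headers, "x-content-type-options").lower() != "nosniff":
        f.append(Finding("mime-sniffing", "ERROR", "X-Content-Type-Options: nosniff missing"))
    if first(headers, "referrer-policy").lower() not in STRICT_REFERRER:
        f.append(Finding("referrer-policy", "WARN", "weak or missing Referrer-Policy"))
    if not first(headers, "permissions-policy"):
        f.append(Finding("permissions-policy", "WARN", "Permissions-Policy missing"))
    if first(headers, "cross-origin-opener-policy").lower() != "same-origin":
        f.append(Finding("coop", "WARN", "Cross-Origin-Opener-Policy is not same-origin"))
    for raw_cookie in headers.get("set-cookie", []):
        name, attrs = cookie_attributes(raw_cookie)
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if attrs.get("samesite") not in {"lax", "strict"}:   # absent or None counts as weak
            missing.append("SameSite=Lax|Strict")
        if missing:
            f.append(Finding("cookie-flags", "ERROR", f"cookie {name} lacks {', '.join(missing)}"))
    return f

def check_response(raw: str) -> list[Finding]:
    return run_runtime_checks(parse_http_response(raw))

# Constructed response from an application relying on framework defaults.
WEAK = ("HTTP/1.1 200 OK\r\n"
        "Strict-Transport-Security: max-age=86400\r\n"
        "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
        "Referrer-Policy: unsafe-url\r\n"
        "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly\r\n"
        "Set-Cookie: pref=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
        "\r\n<html></html>")

# Constructed response after the headers and cookie attributes have been fixed.
HARDENED = ("HTTP/1.1 200 OK\r\n"
            "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
            "Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'\r\n"
            "X-Content-Type-Options: nosniff\r\n"
            "Referrer-Policy: strict-origin-when-cross-origin\r\n"
            "Permissions-Policy: camera=(), microphone=(), geolocation=()\r\n"
            "Cross-Origin-Opener-Policy: same-origin\r\n"
            "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
            "\r\n")
```

Running check_response(WEAK) produces eight findings (short HSTS max-age without includeSubDomains, 'unsafe-inline' in script-src, no framing protection, no nosniff, a leaky Referrer-Policy, no Permissions-Policy, no COOP, and the JSESSIONID cookie lacking Secure and SameSite), while the hardened response produces none. In practice the raw response would come from a real HTTPS request to the deployed host, which is what lets a check of this kind see the effect of proxies and load balancers rather than the application's configuration alone.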