Sentinel Security Lab
Backend study project in Spring Boot 3. Register a local API, run read-only HTTP checks, and get findings with severity levels and a risk score — built to practice security while developing your own services.
Request flow
Bearer JWT on every call. WebClient runs checks with caps and timeouts — read-only, no exploitation.
7 Security Check Types
Pick which checks to run per scan, or trigger all seven at once with POST /api/scans/full/{targetId}.
Security Headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Server disclosure.
Wildcard origin, reflected arbitrary origin, null origin acceptance.
Public docs endpoints and Spring Boot Actuator exposure (/actuator/env, /actuator/mappings).
alg=none acceptance, expired token accepted, endpoints accessible without auth.
No HTTP 429 after repeated requests, missing rate-limit headers.
Stack traces in error bodies, DB error messages, internal filesystem paths.
Common paths that respond 200 without a token (/api/admin, /h2-console, /graphql).
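The security-header check, written out as an added example in plain JDK code (java.net.http rather than the project's Spring WebClient; this is not Sentinel's own scanner). It issues one GET with a connect timeout, a response timeout and redirects disabled, discards the body, and turns the response headers into findings with a severity and a risk score. The severity levels, the weights in riskScore() and the sample response in main() are assumptions made for illustration.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.TreeMap;

// Added example (not Sentinel's own code): a read-only security-header check
// with plain java.net.http instead of Spring WebClient. Severity levels,
// the weights in riskScore() and the sample headers are assumptions.
public class HeaderCheckExample {

    enum Severity { LOW, MEDIUM, HIGH }

    record Finding(Severity severity, String title, String detail) {}

    // Caps: short connect/response timeouts and no redirect following, so a
    // registered local target cannot bounce the scanner to another host.
    static final HttpClient CLIENT = HttpClient.newBuilder()
            .connectTimeout(Duration.ofSeconds(3))
            .followRedirects(HttpClient.Redirect.NEVER)
            .build();

    // Single GET; the body is discarded, only the response headers are kept.
    static Map<String, List<String>> fetchHeaders(URI target) throws Exception {
        HttpRequest req = HttpRequest.newBuilder(target)
                .timeout(Duration.ofSeconds(5))
                .GET().build();
        HttpResponse<Void> resp = CLIENT.send(req, HttpResponse.BodyHandlers.discarding());
        Map<String, List<String>> headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        headers.putAll(resp.headers().map());
        return headers;
    }

    static Optional<String> first(Map<String, List<String>> h, String name) {
        List<String> v = h.get(name);
        return (v == null || v.isEmpty()) ? Optional.empty() : Optional.of(v.get(0));
    }

    static List<Finding> evaluate(URI target, Map<String, List<String>> h) {
        List<Finding> f = new ArrayList<>();
        // HSTS is only honoured on https responses, so only report it there.
        if ("https".equalsIgnoreCase(target.getScheme()) && first(h, "Strict-Transport-Security").isEmpty())
            f.add(new Finding(Severity.MEDIUM, "Missing HSTS", "Strict-Transport-Security not set on an https endpoint"));
        Optional<String> csp = first(h, "Content-Security-Policy");
        if (csp.isEmpty())
            f.add(new Finding(Severity.MEDIUM, "Missing CSP", "Content-Security-Policy not set"));
        // X-Frame-Options is redundant when CSP already restricts frame-ancestors.
        boolean framingRestricted = csp.map(v -> v.contains("frame-ancestors")).orElse(false);
        if (!framingRestricted && first(h, "X-Frame-Options").isEmpty())
            f.add(new Finding(Severity.LOW, "Missing X-Frame-Options", "no X-Frame-Options and no CSP frame-ancestors"));
        if (!first(h, "X-Content-Type-Options").map("nosniff"::equalsIgnoreCase).orElse(false))
            f.add(new Finding(Severity.LOW, "Missing X-Content-Type-Options", "expected 'nosniff'"));
        if (first(h, "Referrer-Policy").isEmpty())
            f.add(new Finding(Severity.LOW, "Missing Referrer-Policy", "Referrer-Policy not set"));
        if (first(h, "Permissions-Policy").isEmpty())
            f.add(new Finding(Severity.LOW, "Missing Permissions-Policy", "Permissions-Policy not set"));
        // A bare product name is noise; a version string is a disclosure.
        first(h, "Server").filter(v -> v.matches(".*\\d.*"))
                .ifPresent(v -> f.add(new Finding(Severity.LOW, "Server disclosure", "Server: " + v)));
        return f;
    }

    // Assumed weighting: HIGH 10, MEDIUM 5, LOW 1, capped at 100.
    static int riskScore(List<Finding> findings) {
        int score = 0;
        for (Finding x : findings)
            score += switch (x.severity()) { case HIGH -> 10; case MEDIUM -> 5; case LOW -> 1; };
        return Math.min(100, score);
    }

    public static void main(String[] args) throws Exception {
        URI target = URI.create(args.length > 0 ? args[0] : "https://localhost:8443/api");
        Map<String, List<String>> headers;
        if (args.length > 0) {
            headers = fetchHeaders(target);
        } else {
            // Constructed sample response: a JSON API that sets nosniff but leaks a versioned Server header.
            headers = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
            headers.put("Content-Type", List.of("application/json"));
            headers.put("X-Content-Type-Options", List.of("nosniff"));
            headers.put("Server", List.of("Apache Tomcat/10.1.16"));
        }
        List<Finding> findings = evaluate(target, headers);
        findings.forEach(x -> System.out.println(x.severity() + "  " + x.title() + " - " + x.detail()));
        System.out.println("risk score: " + riskScore(findings));
    }
}
```

Run with no arguments to evaluate the constructed sample offline, or pass a local URL to fetch real headers. Redirects are deliberately not followed: a 302 to a public host would otherwise pull the scanner outside the private-target rule enforced at registration.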
Application Structure
auth · target · scan · reports — PostgreSQL persists targets, jobs, and findings.
auth
Register and login. Bearer token for all scan and target operations.
target
Register a local API as scan target. Only private/local IPs allowed — public URLs rejected.
scan
POST /api/scans returns 202. Scanners run in a bounded pool (2 core / 5 max); poll for status.
reports
Findings grouped by severity with risk score. Generate and fetch structured reports.
Observability stack
Docker Compose brings up PostgreSQL, Redis, Prometheus, and Grafana. Metrics at :9090, dashboards at :3000, the same pattern as other backend projects in the portfolio.
Core Ideas
Read-only by design
Not an attack tool — HTTP checks with timeouts to catch misconfigurations in APIs you own while developing.
Async scan jobs
Immediate 202 response; status flows PENDING → RUNNING → COMPLETED. Dashboard aggregates severity and risk score.
JWT analysis endpoint
Decode a token's header and payload without the signing secret; this inspects claims (alg, exp) and does not verify the signature. Useful when reviewing auth behavior during development.
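What that endpoint does, as an added example in plain Java that is not the project's own implementation: split the token, base64url-decode the first two segments, and report alg=none, an empty signature segment, a missing exp or an exp in the past. No signature is verified, so the result says what the token claims, not whether it is valid. The sample token is constructed in main(); the claim regexes stand in for a JSON parser.

```java
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (not Sentinel's own endpoint): decode a JWT's header and
// payload without the signing secret and report what a reviewer would want
// flagged. The sample token is constructed below; no signature is verified.
public class JwtInspectExample {

    record Inspection(String alg, Long exp, boolean expired, boolean unsigned,
                      String header, String payload, List<String> warnings) {}

    private static final Pattern ALG = Pattern.compile("\"alg\"\\s*:\\s*\"([^\"]*)\"");
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    static String decodePart(String part) {
        // JWT segments use the URL-safe alphabet without padding; the URL decoder accepts both.
        return new String(Base64.getUrlDecoder().decode(part), StandardCharsets.UTF_8);
    }

    static Inspection inspect(String token, Instant now) {
        // limit -1 keeps a trailing empty segment, which is what an alg=none token ends with.
        String[] parts = token.trim().split("\\.", -1);
        if (parts.length != 3)
            throw new IllegalArgumentException("expected header.payload.signature, got " + parts.length + " segments");
        String header = decodePart(parts[0]);
        String payload = decodePart(parts[1]);
        List<String> warnings = new ArrayList<>();

        Matcher m = ALG.matcher(header);
        String alg = m.find() ? m.group(1) : null;
        if (alg == null) warnings.add("header has no alg claim");
        else if (alg.equalsIgnoreCase("none")) warnings.add("alg=none: token carries no signature; a verifier must reject it");

        boolean unsigned = parts[2].isEmpty();
        if (unsigned && !"none".equalsIgnoreCase(alg)) warnings.add("empty signature segment with alg=" + alg);

        m = EXP.matcher(payload);
        Long exp = m.find() ? Long.parseLong(m.group(1)) : null;
        boolean expired = exp != null && Instant.ofEpochSecond(exp).isBefore(now);
        if (exp == null) warnings.add("no exp claim: token never expires");
        else if (expired) warnings.add("expired at " + Instant.ofEpochSecond(exp));

        return new Inspection(alg, exp, expired, unsigned, header, payload, warnings);
    }

    // Encodes a segment the way a client would; used here only to construct the sample input.
    static String encodePart(String json) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample: an unsigned (alg=none) token whose exp lies in September 2020.
        String sample = encodePart("{\"alg\":\"none\",\"typ\":\"JWT\"}") + "."
                + encodePart("{\"sub\":\"dev-user\",\"exp\":1600000000}") + ".";
        Inspection r = inspect(args.length > 0 ? args[0] : sample, Instant.now());
        System.out.println("header:  " + r.header());
        System.out.println("payload: " + r.payload());
        System.out.println("alg=" + r.alg() + " exp=" + r.exp() + " expired=" + r.expired() + " unsigned=" + r.unsigned());
        r.warnings().forEach(w -> System.out.println("warning: " + w));
    }
}
```

Pass a real token as the first argument to inspect it instead of the sample. Because nothing here checks the signature, a token that decodes cleanly with no warnings can still be forged; treat the output as a reading aid for the alg=none and expired-token checks, not as validation.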
Engineering Notes
Local targets only
localhost, 127.x, 10.x, 192.168.x and 172.16–31.x are accepted. Public IPs are rejected at registration.
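A registration-time validator for that rule, as an added example that is not the project's own code. It requires http or https, resolves the host so that a hostname is judged by the addresses it actually points to, and accepts the target only if every resolved address is loopback or RFC 1918 (plus IPv6 ::1 and fc00::/7 ULA, which java.net's isSiteLocalAddress does not cover). Rejecting link-local addresses (169.254/16, fe80::/10) is this example's choice, not a rule stated on the page: on a cloud host that range is where the metadata service lives.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added example (not Sentinel's own validator): accept a scan target only
// when every address its host resolves to is local or private. Treating
// link-local (169.254/16, fe80::/10) as rejected is this example's choice.
public class TargetValidationExample {

    private static final Set<String> SCHEMES = Set.of("http", "https");

    record ValidatedTarget(URI uri, List<InetAddress> addresses) {}

    // Loopback (127/8, ::1) and RFC 1918 (10/8, 172.16/12, 192.168/16) via the JDK;
    // isSiteLocalAddress does not cover IPv6 ULA (fc00::/7), so check that by hand.
    static boolean isLocalOrPrivate(InetAddress a) {
        if (a.isLoopbackAddress() || a.isSiteLocalAddress()) return true;
        byte[] b = a.getAddress();
        return b.length == 16 && (b[0] & 0xfe) == 0xfc;
    }

    static ValidatedTarget validate(String raw) throws UnknownHostException {
        URI uri = URI.create(raw);
        if (uri.getScheme() == null || !SCHEMES.contains(uri.getScheme().toLowerCase(Locale.ROOT)))
            throw new IllegalArgumentException("scheme must be http or https: " + raw);
        String host = uri.getHost();
        if (host == null) throw new IllegalArgumentException("no host in " + raw);

        // Resolve so a hostname pointing at a public IP is caught; IP literals
        // (including bracketed IPv6) are parsed without a DNS lookup.
        List<InetAddress> addrs = List.of(InetAddress.getAllByName(host));
        for (InetAddress a : addrs) {
            if (a.isLinkLocalAddress())
                throw new IllegalArgumentException("link-local address rejected (cloud metadata range): " + a.getHostAddress());
            if (!isLocalOrPrivate(a))
                throw new IllegalArgumentException("public address rejected: " + a.getHostAddress());
        }
        return new ValidatedTarget(uri, addrs);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs; none of these are contacted, only parsed and resolved.
        for (String t : List.of("http://localhost:8080/api", "http://10.0.0.5:8080",
                                "http://[::1]:8080", "http://203.0.113.10/api", "ftp://127.0.0.1")) {
            try {
                ValidatedTarget v = validate(t);
                System.out.println("accepted " + t + " -> " + v.addresses());
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + t + ": " + e.getMessage());
            }
        }
    }
}
```

The returned ValidatedTarget carries the resolved addresses for a reason: a hostname can be re-pointed between registration and the scan (DNS rebinding), so the scan job should either connect to the pinned addresses or run validate() again immediately before each check rather than trusting the registration-time result.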
WebClient for outbound scans
Reactor Netty keeps I/O non-blocking while running multiple check types against the registered target.
Study project, honest scope
Built to practice API security concepts in Spring Boot — findings are educational, not a commercial scanner.