
fix: remediate 8 security vulnerabilities (CSRF, amount bypass, @Transactional, input validation, headers, dependency CVE)#177

Open
devin-ai-integration[bot] wants to merge 3 commits into DevOps from devin/1777433096-security-remediation

Conversation

@devin-ai-integration devin-ai-integration Bot commented Apr 29, 2026

Summary

Implements targeted fixes for 8 confirmed/likely security vulnerabilities identified during security audit. All fixes are minimal, scoped, and verified to not break existing tests.

Findings Remediated

# | ID | Severity | Fix Description | Build | Tests | Regressions | Status
1 | C1 | Critical | Re-enable CSRF protection, update all forms to use th:action, convert logout to POST | pass | pass | no | remediated
2 | C2 | Critical | Add amount > 0 validation in deposit/withdraw/transfer | pass | pass | no | remediated
3 | C3 | High | Add @Transactional to deposit/withdraw/transfer methods | pass | pass | no | remediated
4 | C4 | Medium | Add username (≥3 chars) and password (≥8 chars) validation on registration | pass | pass | no | remediated
5 | C6 | Medium | Replace "Username already exists" with generic error message | pass | pass | no | remediated
6 | C8 | Medium | Update mysql-connector-java 8.0.33 → mysql-connector-j 9.1.0 | pass | pass | no | remediated
7 | C10 | Low | Add Content-Type-Options and HSTS security headers | pass | pass | no | remediated
8 | Build | Config | Fix maven-compiler-plugin source/target from 1.8 → 17 | pass | pass | no | remediated

Files Changed

  • SecurityConfig.java — Removed csrf.disable(), added HSTS + content-type headers, changed logout to POST-only
  • AccountService.java — Added @Transactional, positive amount validation, input length validation, generic registration error
  • pom.xml — Updated mysql-connector groupId/version, fixed compiler source/target to 17, added H2 test dependency
  • login.html — Changed form action to th:action="@{/login}"
  • register.html — Changed form action to th:action="@{/register}", display dynamic error message
  • dashboard.html — Changed all form actions to th:action, converted logout link to POST form
  • transactions.html — Converted logout link to POST form
  • src/test/resources/application.properties — Added H2 in-memory DB config for tests

Remediated: 8 | Not remediated: 0
Build status: pass | Test suite: pass (1 test, 0 failures)

Review & Testing Checklist for Human

  • CSRF protection: Verify all POST forms include CSRF tokens by inspecting rendered HTML (check for _csrf hidden input). Test that submitting a form without a valid CSRF token is rejected (403).
  • Negative amount bypass: Try depositing/withdrawing/transferring negative or zero amounts — should get "Amount must be positive" error.
  • Registration validation: Try registering with username < 3 chars or password < 8 chars — should get validation errors. Try registering a duplicate username — should get generic message (not "Username already exists").
  • Logout: Verify logout button works as a POST form (not a GET link). Confirm navigating to /logout via GET no longer logs out.
  • MySQL connector: If deploying to production with MySQL, verify the new com.mysql:mysql-connector-j:9.1.0 connects properly.

Notes

  • Added com.h2database:h2 as a test-scoped dependency and src/test/resources/application.properties to enable the existing @SpringBootTest context test to run without a MySQL instance.
  • The logout AntPathRequestMatcher now requires POST method, matching the new form-based logout in the templates.
  • Branch: devin/1777433096-security-remediation

Link to Devin session: https://app.devin.ai/sessions/c59e301e861b46508257802ae123bf52
Requested by: @angelalincog
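What the C1 and C10 items look like in a Spring Security 6 configuration, as an added illustration rather than the PR's own SecurityConfig.java; it assumes the lambda-style HttpSecurity DSL and the /login, /register and /logout paths named in this PR:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // C1: CSRF stays enabled (the old csrf.disable() call is gone). With th:action,
            // Thymeleaf adds the _csrf hidden input to each form, so a POST that arrives
            // without a valid token is rejected with 403 before reaching any controller.
            .csrf(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/register").permitAll()
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll())
            // C1: logout is matched on POST only, so a GET to /logout no longer ends the
            // session (a link or image tag can no longer log a user out).
            .logout(logout -> logout
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "POST"))
                .logoutSuccessUrl("/login?logout"))
            // C10: X-Content-Type-Options: nosniff plus Strict-Transport-Security with a
            // one-year max-age covering subdomains.
            .headers(headers -> headers
                .contentTypeOptions(Customizer.withDefaults())
                .httpStrictTransportSecurity(hsts -> hsts
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000)));
        return http.build();
    }
}
```

When checking the HSTS item from the review checklist, note that Spring Security only writes the Strict-Transport-Security header on requests it considers secure (HTTPS), so a curl against plain http://localhost will not show it even though the configuration is correct.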


Open in Devin Review

C1: Re-enable CSRF protection (remove csrf.disable()), update all HTML
forms to use th:action for automatic CSRF token inclusion, convert
logout to POST form

C2: Add positive amount validation in deposit(), withdraw(), and
transferAmount() to prevent negative amount bypass

C3: Add @Transactional to deposit(), withdraw(), and transferAmount()
to ensure atomicity

C4: Add username/password length validation in registerAccount()

C6: Replace 'Username already exists' with generic error message to
prevent username enumeration

C8: Update mysql-connector-java 8.0.33 to mysql-connector-j 9.1.0
(new groupId com.mysql)

C10: Add security headers (Content-Type-Options, HSTS) in SecurityConfig

Build: Fix maven-compiler-plugin source/target from 1.8 to 17

Also adds H2 test dependency and test application.properties for
in-memory database during tests.

Co-Authored-By: Angela  Lin <angela.lin@cognition.ai>
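The C2, C3, C4 and C6 changes from this commit message, shown together in one service as an added example (not the PR's AccountService.java). It assumes a Spring Data repository with findByUsername(String) returning Optional<Account>, an Account entity with a BigDecimal balance, and an Account(String, String) constructor; none of these are shown in the PR.

```java
import java.math.BigDecimal;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
public class AccountService {
    // Assumed: AccountRepository.findByUsername(String) -> Optional<Account>; Account has BigDecimal getBalance()/setBalance()
    private final AccountRepository accountRepository;

    public AccountService(AccountRepository accountRepository) {
        this.accountRepository = accountRepository;
    }

    // C2: one shared check for deposit/withdraw/transfer; null, zero and negative amounts all fail here.
    private static void requirePositive(BigDecimal amount) {
        if (amount == null || amount.signum() <= 0) {
            throw new IllegalArgumentException("Amount must be positive");
        }
    }

    // C3: both balance updates commit or roll back together; RuntimeExceptions roll back, checked ones do not by default.
    @Transactional
    public void transferAmount(String fromUser, String toUser, BigDecimal amount) {
        requirePositive(amount);
        Account from = accountRepository.findByUsername(fromUser)
                .orElseThrow(() -> new IllegalArgumentException("Unknown account"));
        Account to = accountRepository.findByUsername(toUser)
                .orElseThrow(() -> new IllegalArgumentException("Unknown account"));
        if (from.getBalance().compareTo(amount) < 0) {
            throw new IllegalStateException("Insufficient funds");
        }
        from.setBalance(from.getBalance().subtract(amount));
        to.setBalance(to.getBalance().add(amount));
        accountRepository.save(from);
        accountRepository.save(to);
    }

    // C4 + C6: length checks run on the trimmed username (as in the follow-up commit); the
    // duplicate-username branch uses wording that does not reveal whether the name is taken.
    public void registerAccount(String username, String password) {
        String name = username == null ? "" : username.trim();
        if (name.length() < 3) throw new IllegalArgumentException("Username must be at least 3 characters");
        if (password == null || password.length() < 8) throw new IllegalArgumentException("Password must be at least 8 characters");
        if (accountRepository.findByUsername(name).isPresent()) {
            throw new IllegalArgumentException("Registration failed"); // C6: generic, no "Username already exists"
        }
        accountRepository.save(new Account(name, password)); // assumed constructor; store a PasswordEncoder hash, not the raw password
    }
}
```

A controller that catches IllegalArgumentException and renders the message on register.html, as the follow-up commit does for deposit(), keeps these checks from surfacing as a raw 500 page.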
@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring


devin-ai-integration[bot]


…t error handling

- Use username.trim().length() for consistent validation with trim-based emptiness check
- Add try-catch in BankController.deposit() to handle amount validation errors gracefully
  instead of returning a raw 500 error page

Co-Authored-By: Angela  Lin <angela.lin@cognition.ai>
devin-ai-integration[bot]


Co-Authored-By: Angela  Lin <angela.lin@cognition.ai>