1---
2name: java-springboot
3description: 'Get best practices for developing applications with Spring Boot.'
4---
5 
6# Spring Boot Best Practices
7 
8Your goal is to help me write high-quality Spring Boot applications by following established best practices.
9 
10## Project Setup & Structure
11 
12- **Build Tool:** Use Maven (`pom.xml`) or Gradle (`build.gradle`) for dependency management.
13- **Starters:** Use Spring Boot starters (e.g., `spring-boot-starter-web`, `spring-boot-starter-data-jpa`) to simplify dependency management.
14- **Package Structure:** Organize code by feature/domain (e.g., `com.example.app.order`, `com.example.app.user`) rather than by layer (e.g., `com.example.app.controller`, `com.example.app.service`).
15 
16## Dependency Injection & Components
17 
18- **Constructor Injection:** Always use constructor-based injection for required dependencies. This makes components easier to test and dependencies explicit.
19- **Immutability:** Declare dependency fields as `private final`.
20- **Component Stereotypes:** Use `@Component`, `@Service`, `@Repository`, and `@Controller`/`@RestController` annotations appropriately to define beans.
21 
22## Configuration
23 
24- **Externalized Configuration:** Use `application.yml` (or `application.properties`) for configuration. YAML is often preferred for its readability and hierarchical structure.
25- **Type-Safe Properties:** Use `@ConfigurationProperties` to bind configuration to strongly-typed Java objects.
26- **Profiles:** Use Spring Profiles (`application-dev.yml`, `application-prod.yml`) to manage environment-specific configurations.
27- **Secrets Management:** Do not hardcode secrets. Use environment variables, or a dedicated secret management tool like HashiCorp Vault or AWS Secrets Manager.
28 
29## Web Layer (Controllers)
30 
31- **RESTful APIs:** Design clear and consistent RESTful endpoints.
32- **DTOs (Data Transfer Objects):** Use DTOs to expose and consume data in the API layer. Do not expose JPA entities directly to the client.
33- **Validation:** Use Java Bean Validation (JSR 380) with annotations (`@Valid`, `@NotNull`, `@Size`) on DTOs to validate request payloads.
34- **Error Handling:** Implement a global exception handler using `@ControllerAdvice` and `@ExceptionHandler` to provide consistent error responses.
35 
36## Service Layer
37 
38- **Business Logic:** Encapsulate all business logic within `@Service` classes.
39- **Statelessness:** Services should be stateless.
40- **Transaction Management:** Use `@Transactional` on service methods to manage database transactions declaratively. Apply it at the most granular level necessary.
41 
42## Data Layer (Repositories)
43 
44- **Spring Data JPA:** Use Spring Data JPA repositories by extending `JpaRepository` or `CrudRepository` for standard database operations.
45- **Custom Queries:** For complex queries, use `@Query` or the JPA Criteria API.
46- **Projections:** Use DTO projections to fetch only the necessary data from the database.
47 
48## Logging
49 
50- **SLF4J:** Use the SLF4J API for logging.
51- **Logger Declaration:** `private static final Logger logger = LoggerFactory.getLogger(MyClass.class);`
52- **Parameterized Logging:** Use parameterized messages (`logger.info("Processing user {}...", userId);`) instead of string concatenation to improve performance.
53 
54## Testing
55 
56- **Unit Tests:** Write unit tests for services and components using JUnit 5 and a mocking framework like Mockito.
57- **Integration Tests:** Use `@SpringBootTest` for integration tests that load the Spring application context.
58- **Test Slices:** Use test slice annotations like `@WebMvcTest` (for controllers) or `@DataJpaTest` (for repositories) to test specific parts of the application in isolation.
59- **Testcontainers:** Consider using Testcontainers for reliable integration tests with real databases, message brokers, etc.
60 
61## Security
62 
63- **Spring Security:** Use Spring Security for authentication and authorization.
64- **Password Encoding:** Always encode passwords using a strong hashing algorithm like BCrypt.
65- **Input Sanitization:** Prevent SQL injection by using Spring Data JPA or parameterized queries. Prevent Cross-Site Scripting (XSS) by properly encoding output.
66