Quarkus Security Review

Best practices for securing Quarkus applications with authentication, authorization, and input validation.

When to Activate

• Adding authentication (JWT, OIDC, Basic Auth)
• Implementing authorization with @RolesAllowed or SecurityIdentity
• Validating user input (Bean Validation, custom validators)
• Configuring CORS or security headers
• Managing secrets (Vault, environment variables, config sources)
• Adding rate limiting or brute-force protection
• Scanning dependencies for CVEs
• Working with MicroProfile JWT or SmallRye JWT

Authentication

JWT Authentication