How to Secure API Calls with End-to-End Encryption in Spring Boot and JavaScript

Introduction

In a front‑end/back‑end separated architecture, all communication relies on API calls, making data security a critical concern for both web and mobile applications.

How to Ensure API Data Security

Use HTTPS for transport encryption.

Sign requests to prevent parameter tampering.

Implement identity verification for each request.

Apply SSL pinning on the client to block packet capture.

Encrypt and decrypt all request and response payloads.

Other complementary measures.

Encrypting All Requests and Responses with Spring Boot

A Spring Boot starter ( spring-boot-starter-encrypt) provides built‑in AES encryption. Add the dependency, enable the feature with @EnableEncrypt, and configure the key.

@EnableEncrypt
@SpringBootApplication
public class App {
    public static void main(String[] args) {
        SpringApplication.run(App.class, args);
    }
}

Configuration properties (in application.yml or application.properties):

spring.encrypt.key=abcdef0123456789
spring.encrypt.debug=false

spring.encrypt.key : 16‑byte AES key.

spring.encrypt.debug : When true, encryption is disabled (useful for debugging).

Use annotations to control encryption: @Encrypt on a controller method encrypts the response. @Decrypt on a controller method decrypts the request body.

@Encrypt
@GetMapping("/list")
public Response queryNews(String city) {
    return Response.ok(city);
}

@Decrypt
@PostMapping("/save")
public Response savePageLog(@RequestBody PageLogParam logParam, HttpServletRequest request) {
    pageLogService.save(logParam);
    return Response.ok();
}

Client‑Side Encryption with JavaScript

On the front end, use AES (via CryptoJS) to encrypt POST data and decrypt responses. The key must match the server‑side key.

var key = CryptoJS.enc.Latin1.parse('abcdef0123456789');
var iv  = CryptoJS.enc.Latin1.parse('abcdef0123456789');

function EncryptData(data) {
    var srcs = CryptoJS.Utf8.parse(data);
    var encrypted = CryptoJS.AES.encrypt(srcs, key, {mode: CryptoJS.mode.ECB, padding: CryptoJS.pad.Pkcs7});
    return encrypted.toString();
}

function DecryptData(data) {
    var decrypt = CryptoJS.AES.decrypt(data, key, {mode: CryptoJS.mode.ECB, padding: CryptoJS.pad.Pkcs7});
    var result = JSON.parse(CryptoJS.Utf8.stringify(decrypt).toString());
    return result;
}

Integrate the functions with Axios interceptors to handle all requests and responses automatically:

// Request interceptor
axios.interceptors.request.use(function (config) {
    if (config.method == "post") {
        config.data = EncryptData(JSON.stringify(config.data));
    }
    return config;
}, function (error) {
    return Promise.reject(error);
});

// Response interceptor
axios.interceptors.response.use(function (response) {
    if (typeof response.data == "string") {
        response.data = DecryptData(response.data);
    }
    return response;
}, function (error) {
    return Promise.reject(error);
});

Hybrid RSA/AES Key Exchange (Conceptual Overview)

To protect the symmetric AES key, a typical approach is to exchange it using RSA:

The server generates an RSA key pair (pubkey1, prikey1) and sends the public key to the client.

The client generates its own RSA pair (pubkey2, prikey2), encrypts pubkey2 with pubkey1, and sends the ciphertext to the server.

The server decrypts the ciphertext with prikey1 to obtain pubkey2.

The server creates a random AES key, encrypts it with pubkey2, and returns the ciphertext to the client.

The client decrypts the AES key using prikey2 and then uses this key for subsequent data encryption.

This combination leverages RSA for secure key transport and AES for efficient data encryption.

Spring Boot Starter Internals

The starter registers EncryptRequestBodyAdvice and EncryptResponseBodyAdvice via @Import. These classes implement RequestBodyAdvice and ResponseBodyAdvice to intercept and process request/response bodies automatically.

@Target({ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
@Documented
@Inherited
@Import({EncryptAutoConfiguration.class})
public @interface EnableEncrypt {}

@Configuration
@EnableAutoConfiguration
@EnableConfigurationProperties(EncryptProperties.class)
public class EncryptAutoConfiguration {
    @Bean
    public EncryptResponseBodyAdvice encryptResponseBodyAdvice() {
        return new EncryptResponseBodyAdvice();
    }
    @Bean
    public EncryptRequestBodyAdvice encryptRequestBodyAdvice() {
        return new EncryptRequestBodyAdvice();
    }
}

Conclusion

By combining transport‑level security (HTTPS), request signing, SSL pinning, and end‑to‑end payload encryption using AES (with optional RSA key exchange), developers can protect sensitive data from interception and tampering. The Spring Boot starter and JavaScript/Axios integration provide a convenient, annotation‑driven way to enforce these protections across the entire API stack.