Information Security 11 min read

Secure API Calls with Spring Boot Starter Encrypt and JavaScript AES

This article explains how to protect data exchanged between front‑end and back‑end services by using HTTPS, request signing, SSL pinning, and a Spring Boot starter that transparently encrypts/decrypts all API traffic with AES, complemented by JavaScript AES utilities and Axios interceptors for front‑end encryption.

Senior Brother's Insights

Jun 8, 2018

Secure API Calls with Spring Boot Starter Encrypt and JavaScript AES

API security considerations

Use HTTPS to encrypt transport layer.

Sign request parameters to detect tampering.

Validate authentication on every request.

Apply SSL pinning in mobile clients to prevent packet capture.

Encrypt request payloads and response bodies.

Combine the above techniques as needed for defense‑in‑depth.

Spring Boot transparent AES encryption starter

GitHub repository: https://github.com/yinjihuan/spring-boot-starter-encrypt

Add the starter as a Maven/Gradle dependency and enable it by annotating the main class with @EnableEncrypt:

@EnableEncrypt
@SpringBootApplication
public class App {
    public static void main(String[] args) {
        SpringApplication.run(App.class, args);
    }
}

Configure the 16‑byte AES key and optional debug mode in application.properties:

spring.encrypt.key=abcdef0123456789
spring.encrypt.debug=false

spring.encrypt.key

– 16‑character AES key (must be exactly 16 bytes for AES‑128). spring.encrypt.debug – When true, encryption is bypassed to simplify debugging.

Controller annotations

Place @Encrypt on a controller method to encrypt the response body automatically. Use @Decrypt on a method that receives an encrypted request body.

@Encrypt
@GetMapping("/list")
public Response queryNews(String city) {
    return Response.ok(city);
}

@Decrypt
@PostMapping("/save")
public Response savePageLog(@RequestBody PageLogParam logParam) {
    pageLogService.save(logParam);
    return Response.ok();
}

Client‑side encryption with CryptoJS and Axios

Use CryptoJS (AES/ECB/PKCS7) with the same 16‑byte key as the server. The key is parsed as Latin‑1 bytes.

var key = CryptoJS.enc.Latin1.parse('abcdef0123456789');
var iv  = CryptoJS.enc.Latin1.parse('abcdef0123456789'); // not used in ECB mode

function EncryptData(data) {
    var src = CryptoJS.Utf8.parse(data);
    var encrypted = CryptoJS.AES.encrypt(src, key, {
        mode: CryptoJS.mode.ECB,
        padding: CryptoJS.pad.Pkcs7
    });
    return encrypted.toString(); // Base64 string
}

function DecryptData(cipher) {
    var decrypted = CryptoJS.AES.decrypt(cipher, key, {
        mode: CryptoJS.mode.ECB,
        padding: CryptoJS.pad.Pkcs7
    });
    var json = CryptoJS.enc.Utf8.stringify(decrypted);
    return JSON.parse(json);
}

Configure Axios interceptors to apply encryption to all POST requests and decryption to string responses.

// Request interceptor – encrypt JSON payloads for POST
axios.interceptors.request.use(function (config) {
    if (config.method === "post") {
        config.data = EncryptData(JSON.stringify(config.data));
    }
    return config;
}, function (error) {
    return Promise.reject(error);
});

// Response interceptor – decrypt when the server returns a string
axios.interceptors.response.use(function (response) {
    if (typeof response.data === "string") {
        response.data = DecryptData(response.data);
    }
    return response;
}, function (error) {
    return Promise.reject(error);
});

Hybrid RSA/AES key exchange (optional)

To protect the symmetric AES key, exchange it using RSA:

Server generates an RSA key pair (pubKey1, priKey1) and returns pubKey1 to the client.

Client generates its own RSA pair (pubKey2, priKey2). It encrypts pubKey2 with pubKey1 and sends the ciphertext to the server.

Server decrypts the ciphertext with priKey1 to obtain pubKey2.

Server generates the AES key (the 16‑byte value used in spring.encrypt.key), encrypts it with pubKey2, and sends the encrypted key to the client.

Client decrypts the AES key with priKey2. Both sides now share the AES key for fast symmetric encryption of API payloads.

Implementation details of the starter

The @EnableEncrypt annotation imports EncryptAutoConfiguration which registers two Spring MVC advice beans: EncryptRequestBodyAdvice implements RequestBodyAdvice to decrypt incoming request bodies when @Decrypt is present. EncryptResponseBodyAdvice implements ResponseBodyAdvice to encrypt outgoing responses when @Encrypt is present.

@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@Documented
@Inherited
@Import({EncryptAutoConfiguration.class})
public @interface EnableEncrypt {}

@Configuration
public class EncryptAutoConfiguration {
    @Bean
    public EncryptResponseBodyAdvice encryptResponseBodyAdvice() {
        return new EncryptResponseBodyAdvice();
    }

    @Bean
    public EncryptRequestBodyAdvice encryptRequestBodyAdvice() {
        return new EncryptRequestBodyAdvice();
    }
}

By combining transport‑level TLS, request signing, SSL pinning, and the transparent AES encryption provided by this starter, API communication is protected against eavesdropping, tampering, and replay attacks.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.

JavaScript Spring Boot axios API Security Blockchain AES encryption

Written by

Senior Brother's Insights

A public account focused on workplace, career growth, team management, and self-improvement. The author is the writer of books including 'SpringBoot Technology Insider' and 'Drools 8 Rule Engine: Core Technology and Practice'.

0 followers

Reader feedback

How this landed with the community

Rate this article

Was this worth your time?

Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.