Recipe Name:
Security Misconfiguration: Disable Security Features - HSTS
Description:
Enforce HSTS protection against vulnerabilities over HTTP
Level:
error
Language:
- java
Tags:
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
Documentation
Enforce HSTS protection against vulnerabilities over HTTP
Disabling httpStrictTransportSecurity() makes the application vulnerable to man-in-the-middle attacks, where an attacker could force the use of plain HTTP, allowing the communication to be intercepted and read. By enabling httpStrictTransportSecurity(), the application sends the Strict-Transport-Security header, so browsers will only communicate with it over HTTPS.
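As an added example (not code from the recipe or from Spring Security itself), the following Spring Security 6 configuration enables HSTS explicitly with the parameters a production deployment typically needs; the package and class names are assumptions.

```java
// Added example, not part of the recipe page: a Spring Security 6 configuration
// that keeps HSTS enabled and sets its parameters explicitly.
// The package and class names are illustrative assumptions.
package example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class HstsSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Require authentication for every request; adjust to the application's needs.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .headers(headers -> headers
                // The misconfiguration this recipe flags would be: hsts -> hsts.disable()
                .httpStrictTransportSecurity(hsts -> hsts
                    // Browsers remember the HTTPS-only policy for one year (in seconds).
                    .maxAgeInSeconds(31536000)
                    // Apply the policy to all subdomains as well.
                    .includeSubDomains(true)
                    // Only enable once the site meets the browser preload list requirements.
                    .preload(true)));
        return http.build();
    }
}
```

Spring Security only writes the Strict-Transport-Security header on responses to requests it considers secure, so verify the change against the HTTPS endpoint, for example with `curl -sI https://<host>/ | grep -i strict-transport-security`.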
Before
http.headers().httpStrictTransportSecurity().disable();
After
http.headers().httpStrictTransportSecurity();
References
Recipe
id: scw:spring:security:hsts-disabled
version: 10
metadata:
  name: 'Security Misconfiguration: Disable Security Features - HSTS'
  shortDescription: Enforce HSTS protection against vulnerabilities over HTTP
  level: error
  language: java
  scwCategory: misconfig:securityfeatures
  enabled: true
  descriptionFile: descriptions/SecurityMisconfigurationDisableSecurityFeatures-HSTS.html
  tags: Spring;security;framework specific;web;Spring Security;OWASP Top 10
search:
  methodcall:
    name: disable
    declaration:
      type: org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.HstsConfig
    "on":
      methodcall:
        name: httpStrictTransportSecurity
        declaration:
          type: org.springframework.security.config.annotation.web.configurers.HeadersConfigurer
availableFixes:
  - name: Enable HSTS
    actions:
      - rewrite:
          to: '{{{ qualifier }}}'