Recipe Name:
Security Misconfiguration: XSS protection: Disabled Header - block()
Description:
Protection against XSS is better done by blocking the content instead of filtering it
Level:
warning
Language:
- java
Tags:
- Spring
- security
- framework specific
- Spring Security
- web
- XSS
- OWASP Top 10
Documentation:
Spring Security enables the browser's XSS filter by default. Unless the mode is set to 'block', the browser will try to sanitise the offending content and still render the page. It is therefore recommended to block the page entirely.
Before:
http.headers().xssProtection().block(false);
After:
http.headers().xssProtection().block(true);
References:
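A complete Spring Security configuration showing the flagged call beside the fixed one, as an added example (not part of the recipe; the class name, the `WebSecurityConfigurerAdapter` style and the single `authenticated()` rule are assumptions for illustration):

```java
// Added example, not from the Sensei recipe. Assumes a Spring Security 4/5
// application that configures HTTP security via WebSecurityConfigurerAdapter,
// the base class the recipe's search clause matches on.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .headers()
                // Flagged by the recipe: with block(false) the response carries
                //   X-XSS-Protection: 1
                // so a browser that detects reflected XSS tries to sanitise the
                // page and still renders it.
                // .xssProtection().block(false)
                //
                // Fixed form (the recipe's modifyArguments rewrite of argument 1
                // to "true"): the response carries
                //   X-XSS-Protection: 1; mode=block
                // and the browser refuses to render the page instead.
                .xssProtection().block(true);
    }
}
```

With spring-test on the classpath, a MockMvc request can confirm the fix with `header().string("X-XSS-Protection", "1; mode=block")`. Note that current browsers have removed the legacy XSS auditor, so this header is defence in depth only and a Content-Security-Policy remains the primary control.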
Recipe:
id: scw:spring:xss:XXssConfig-block
version: 10
metadata:
  name: 'Security Misconfiguration: XSS protection: Disabled Header - block()'
  shortDescription: Protection against XSS is better done by blocking the content instead of filtering it
  level: warning
  language: java
  scwCategory: xss:generic
  enabled: true
  descriptionFile: descriptions/SecurityMisconfigurationDisabledXSSprotectioninSpringSecurity-block.html
  tags: Spring;security;framework specific;Spring Security;web;XSS;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: boolean
        value:
          stringified: "false"
    in:
      typeDeclaration:
        super:
          name: org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    name: block
    declaration:
      type: org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.XXssConfig
availableFixes:
  - name: Enable XssProtection
    actions:
      - modifyArguments:
          rewrite:
            1: "true"