Security Misconfiguration: XSS protection: Disabled Header - disable() :: Recipe Details

Recipe Name:

Security Misconfiguration: XSS protection: Disabled Header - disable()

Description:

Do not disable Spring Security's built-in XSS protection

Level:

warning

Language:

java

Tags:

Spring
security
framework specific
Spring Security
web
XSS
OWASP Top 10

Documentation

One of the security headers that Spring Security provides by default is the X-XSS-Protection header. It will prevent browsers from rendering when an XSS attempt is recognised. Keep in mind that this will not eliminate the possibility of XSS attacks completely.

Before

http.headers().xssProtection().disable();

After

http.headers().xssProtection();

References

Recipe

id: scw:spring:xss:XXssConfig-disable
version: 10
metadata:
  name: 'Security Misconfiguration: XSS protection: Disabled Header - disable()'
  shortDescription: Do not disable Spring Security's built-in XSS protection
  level: warning
  language: java
  scwCategory: xss:generic
  enabled: true
  descriptionFile: descriptions/SecurityMisconfigurationDisabledXSSprotectioninSpringSecurity.html
  tags: Spring;security;framework specific;Spring Security;web;XSS;OWASP Top 10
search:
  methodcall:
    name: disable
    declaration:
      type: org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.XXssConfig
    "on":
      methodcall:
        declaration:
          name: xssProtection
          type: org.springframework.security.config.annotation.web.configurers.HeadersConfigurer
        "on":
          methodcall:
            declaration:
              name: headers
              type: org.springframework.security.config.annotation.web.builders.HttpSecurity
availableFixes:
- name: Enable XssProtection
  actions:
  - rewrite:
      to: '{{{ qualifier }}}'