Recipe Name:
Security Misconfiguration: XSS protection: Add CSP header - xssProtection
Description:
Add a CSP header for additional protection agains XSS and data injection
Level:
info
Language:
- java
Tags:
- Spring
- security
- framework specific
- Spring Security
- web
- XSS
- OWASP Top 10
Documentation
xssProtection will prevent the browser from rendering content when a Cross-Site Scripting attack is being detected. However, this will not work for browsers which do not use the X-XSS protection header. Adding a Content-Security-Policy header will provide additional protection against XSS attacks and data injections.
http.headers().xssProtection();After
http.headers().xssProtection().and().contentSecurityPolicy("script-src 'self'");
References
Recipe
id: scw:spring:xss:xssProtection
version: 10
metadata:
name: 'Security Misconfiguration: XSS protection: Add CSP header - xssProtection'
shortDescription: Add a CSP header for additional protection agains XSS and data injection
level: info
language: java
scwCategory: xss:generic
enabled: true
descriptionFile: descriptions/SpringSecurityHeadersaddCSPheader.html
tags: Spring;security;framework specific;Spring Security;web;XSS;OWASP Top 10
search:
methodcall:
in:
typeDeclaration:
super:
name: org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
name:
matches: xssProtection
anyOf:
- not:
followedBy:
methodcall: {}
- followedBy:
methodcall:
not:
followedBy:
methodcall:
name: contentSecurityPolicy
name: and
declaration:
type: org.springframework.security.config.annotation.web.configurers.HeadersConfigurer
availableFixes:
- name: Add a CSP header
actions:
- rewrite:
to: '{{{ expressionElement }}}().and().contentSecurityPolicy("script-src ''self''")'