Recipe Name:
Security Misconfiguration: XSS protection: Disabled Header - xssProtectionEnabled()
Description:
Do not disable Spring Security's built-in XSS protection
Level:
warning
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • Spring Security
  • web
  • XSS
  • OWASP Top 10
Documentation

One of the security headers that Spring Security sends by default is the X-XSS-Protection header. It instructs browsers that support the header to stop rendering the page when an XSS attempt is recognised. Keep in mind that this header does not eliminate the possibility of XSS attacks completely; it is a browser-side filter, not a substitute for proper output encoding.

Before
http.headers().xssProtection().xssProtectionEnabled(false);
After
http.headers().xssProtection().xssProtectionEnabled(true);
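The corrected call in context, as an added example that is not part of the original recipe: a WebSecurityConfigurerAdapter subclass (the type this recipe searches in) that keeps the header enabled, followed by a MockMvc test that verifies the response actually carries it. The class names, package, and request path are assumptions; the Spring Security and Spring Boot test APIs used are the real ones.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example (not the recipe's own code). Class name is an assumption.
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .headers()
                // Spring Security already sends "X-XSS-Protection: 1; mode=block" when
                // headers() is enabled, so these calls only make the intent explicit.
                // The recipe flags the variant that passes false to xssProtectionEnabled().
                .xssProtection()
                    .xssProtectionEnabled(true)
                    .block(true);
    }
}

// Companion check (lives in src/test/java in a real project; shown here for completeness).
// It fails if a later change disables the header again.
@org.springframework.boot.test.context.SpringBootTest
@org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc
class XssProtectionHeaderTest {

    @org.springframework.beans.factory.annotation.Autowired
    private org.springframework.test.web.servlet.MockMvc mockMvc;

    @org.junit.jupiter.api.Test
    void responsesCarryXssProtectionHeader() throws Exception {
        // "/" is an assumed path; HeaderWriterFilter adds the header to every
        // response passing through the security filter chain, including redirects.
        mockMvc.perform(org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get("/"))
            .andExpect(org.springframework.test.web.servlet.result.MockMvcResultMatchers
                .header().string("X-XSS-Protection", "1; mode=block"));
    }
}
```

Treat the header as defence in depth only: the browser filter it controls has been removed from several current browsers, so contextual output encoding and a Content-Security-Policy header remain the primary mitigations for XSS.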
References
Recipe
id: scw:spring:xss:xssProtectionEnabled
version: 10
metadata:
  name: 'Security Misconfiguration: XSS protection: Disabled Header - xssProtectionEnabled()'
  shortDescription: Do not disable Spring Security's built-in XSS protection
  level: warning
  language: java
  scwCategory: xss:generic
  enabled: true
  descriptionFile: descriptions/SecurityMisconfigurationDisabledXSSprotectioninSpringSecurity-xssProtectionEnabled.html
  tags: Spring;security;framework specific;Spring Security;web;XSS;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: boolean
        value:
          stringified: "false"
    in:
      typeDeclaration:
        super:
          name: org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    name: xssProtectionEnabled
    declaration:
      type: org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.XXssConfig
availableFixes:
- name: Enable XssProtection
  actions:
  - modifyArguments:
      rewrite:
        1: "true"