Sensei Logo Sensei Hub

Recipe - Security Misconfiguration: Clickjacking protection: Disabled Header - frameOptions()

Description:
Disabling Spring Security default headers makes the application vulnerable to clickjackin
Level:
warning
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • Clickjacking
  • OWASP Top 10
Documentation

Spring Security by default protects against clickjacking by disabling the rendering of a page within an iframe. It does so by setting the X-Frame-Options header to DENY.

Before
http.headers().frameOptions().disable();
After
http.headers().frameOptions();
References
Recipe
id: scw:spring:clickjacking-disabled-header
version: 10
metadata:
  name: 'Security Misconfiguration: Clickjacking protection: Disabled Header - frameOptions()'
  shortDescription: Disabling Spring Security default headers makes the application vulnerable to clickjackin
  level: warning
  language: java
  scwCategory: misconfig:clickjack
  enabled: true
  descriptionFile: descriptions/SecurityMisconfigurationDisabledclickjackingprotectioninSpringSecurity-frameOptions.html
  tags: Spring;security;framework specific;web;Spring Security;Clickjacking;OWASP Top 10
search:
  methodcall:
    in:
      typeDeclaration:
        super:
          name: org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    name: disable
    declaration:
      type: org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.FrameOptionsConfig
availableFixes:
- name: Enable default headers
  actions:
  - rewrite:
      to: '{{{ qualifier }}}'