Sensei Logo Sensei Hub

Recipe - Security Misconfiguration: Disabled Headers

Description:
Disabling Spring Security's default headers makes the application vulnerable
Level:
warning
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • OWASP Top 10
Documentation

Spring Security provides a default set of HTTP response headers, based on best practices. New headers can easily be added, and the default headers can be modified, and disabled. However, in the latter case it is possible the application is being put at risk of vulnerabilities.

Before
http.headers().disable();
After
http.headers();
References
Recipe
id: scw:spring:disabled-headers
version: 10
metadata:
  name: 'Security Misconfiguration: Disabled Headers'
  shortDescription: Disabling Spring Security's default headers makes the application vulnerable
  level: warning
  language: java
  scwCategory: misconfig:securityfeatures
  enabled: true
  descriptionFile: descriptions/SecurityMisconfigurationDisabledHeaders.html
  tags: Spring;security;framework specific;web;Spring Security;OWASP Top 10
search:
  methodcall:
    in:
      typeDeclaration:
        super:
          name: org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    name:
      matches: defaultsDisabled|disable
    declaration:
      type:
        reference:
          matches: org.springframework.security.config.annotation.web.configurers.HeadersConfigurer|AbstractHttpConfigurer
        checkInheritance: true
availableFixes:
- name: Enable default headers
  actions:
  - rewrite:
      to: '{{{ qualifier }}}'