Sensei Logo Sensei Hub

Recipe - Security Misconfiguration: XSS protection: Disabled Header - block()

Description:
Protection against XSS is better done by blocking the content instead of filtering it
Level:
warning
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • Spring Security
  • web
  • XSS
  • OWASP Top 10
Documentation

Spring Security by default filters out content to prevent XSS attacks. By not setting the mode to 'block', it will attempt to still render the content by fixing it. Therefore, it is recommended to block the content entirely.

Before
http.headers().xssProtection().block(false);
After
http.headers().xssProtection().block(true);
References
Recipe
id: scw:spring:xss:XXssConfig-block
version: 10
metadata:
  name: 'Security Misconfiguration: XSS protection: Disabled Header - block()'
  shortDescription: Protection against XSS is better done by blocking the content instead of filtering it
  level: warning
  language: java
  scwCategory: xss:generic
  enabled: true
  descriptionFile: descriptions/SecurityMisconfigurationDisabledXSSprotectioninSpringSecurity-block.html
  tags: Spring;security;framework specific;Spring Security;web;XSS;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: boolean
        value:
          stringified: "false"
    in:
      typeDeclaration:
        super:
          name: org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    name: block
    declaration:
      type: org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.XXssConfig
availableFixes:
- name: Enable XssProtection
  actions:
  - modifyArguments:
      rewrite:
        1: "true"