Recipe Name:
Security Misconfiguration: Clickjacking protection: Disabled Header - frameOptions()
Description:
Disabling Spring Security default headers makes the application vulnerable to clickjackin
Level:
warning
Language:
- java
Tags:
- Spring
- security
- framework specific
- web
- Spring Security
- Clickjacking
- OWASP Top 10
Documentation
Spring Security by default protects against clickjacking by disabling the rendering of a page within an iframe. It does so by setting the X-Frame-Options header to DENY.
Beforehttp.headers().frameOptions().disable();After
http.headers().frameOptions();References
Recipe
id: scw:spring:clickjacking-disabled-header
version: 10
metadata:
name: 'Security Misconfiguration: Clickjacking protection: Disabled Header - frameOptions()'
shortDescription: Disabling Spring Security default headers makes the application vulnerable to clickjackin
level: warning
language: java
scwCategory: misconfig:clickjack
enabled: true
descriptionFile: descriptions/SecurityMisconfigurationDisabledclickjackingprotectioninSpringSecurity-frameOptions.html
tags: Spring;security;framework specific;web;Spring Security;Clickjacking;OWASP Top 10
search:
methodcall:
in:
typeDeclaration:
super:
name: org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
name: disable
declaration:
type: org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.FrameOptionsConfig
availableFixes:
- name: Enable default headers
actions:
- rewrite:
to: '{{{ qualifier }}}'