Recipe Name:
Security Misconfiguration: Disabled Headers
Description:
Disabling Spring Security's default headers makes the application vulnerable
Level:
warning
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • web
  • Spring Security
  • OWASP Top 10
Documentation

Spring Security sends a default set of HTTP response headers that follow current best practices. New headers can easily be added, and the default headers can be modified or disabled. Disabling them, however, removes protections the application may depend on and can leave it exposed to vulnerabilities.

Before
http.headers().disable();
After
http.headers();
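The snippets above show only the single call the recipe rewrites. The following configuration class is an added example, not part of the recipe or of Spring Security's own code; it puts the flagged call in the context the recipe searches for (a subclass of WebSecurityConfigurerAdapter) and shows the usual reason a developer reaches for `disable()` in the first place, a single header that gets in the way, handled without dropping the rest of the defaults (Cache-Control, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, and Strict-Transport-Security on HTTPS). The class name and the "embed in a same-origin iframe" requirement are assumptions for the illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Assumed name for the illustration; any WebSecurityConfigurerAdapter subclass
// is in scope for the recipe's typeDeclaration/super match.
@Configuration
@EnableWebSecurity
public class HeadersSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Flagged by the recipe: switches off every default header at once.
        // Typical motivation: X-Frame-Options: DENY broke a page that the
        // application itself embeds in an iframe.
        //
        //   http.headers().disable();
        //
        // The recipe also flags headers().defaultsDisabled(), which has the same
        // effect unless each wanted header is re-enabled one by one.

        // Hardened form: keep the defaults and relax only the header that
        // actually needs it. X-Frame-Options moves from DENY to SAMEORIGIN;
        // Cache-Control, X-Content-Type-Options, X-XSS-Protection and HSTS
        // (on HTTPS) are still emitted.
        http
            .headers()
                .frameOptions().sameOrigin()
                .and()
            .authorizeRequests()
                .anyRequest().authenticated();
    }
}
```

Review of such a change is easy to do empirically: one request against the running application should still return the X-Content-Type-Options and Cache-Control headers, which disappear entirely with `headers().disable()`. Note that WebSecurityConfigurerAdapter is deprecated as of Spring Security 5.7 and removed in 6.0, where the same configuration is expressed on a SecurityFilterChain bean; the recipe as written only matches the adapter-based style.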
References
Recipe
id: scw:spring:disabled-headers
version: 10
metadata:
  name: 'Security Misconfiguration: Disabled Headers'
  shortDescription: Disabling Spring Security's default headers makes the application vulnerable
  level: warning
  language: java
  scwCategory: misconfig:securityfeatures
  enabled: true
  descriptionFile: descriptions/SecurityMisconfigurationDisabledHeaders.html
  tags: Spring;security;framework specific;web;Spring Security;OWASP Top 10
search:
  methodcall:
    in:
      typeDeclaration:
        super:
          name: org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    name:
      matches: defaultsDisabled|disable
    declaration:
      type:
        reference:
          matches: org.springframework.security.config.annotation.web.configurers.HeadersConfigurer|AbstractHttpConfigurer
        checkInheritance: true
availableFixes:
- name: Enable default headers
  actions:
  - rewrite:
      to: '{{{ qualifier }}}'