Recipe Name:
Security Misconfiguration: XSS protection: Add CSP header - XXssConfig
Description:
Add a CSP header for additional protection agains XSS and data injection
Level:
info
Language:
  • java
Tags:
  • Spring
  • security
  • framework specific
  • Spring Security
  • web
  • XSS
  • OWASP Top 10
Documentation

xssProtection will prevent the browser from rendering content when a Cross-Site Scripting attack is being detected. However, this will not work for browsers which do not use the X-XSS protection header. Adding a Content-Security-Policy header will provide additional protection against XSS attacks and data injections.

Before
http.headers().xssProtection();
After
http.headers().xssProtection().and().contentSecurityPolicy("script-src 'self'");
References
Recipe
id: scw:spring:xss:XXssConfig
version: 10
metadata:
  name: 'Security Misconfiguration: XSS protection: Add CSP header - XXssConfig'
  shortDescription: Add a CSP header for additional protection agains XSS and data injection
  level: info
  language: java
  scwCategory: xss:generic
  enabled: true
  descriptionFile: descriptions/SpringSecurityHeadersaddCSPheader.html
  tags: Spring;security;framework specific;Spring Security;web;XSS;OWASP Top 10
search:
  methodcall:
    args:
      1:
        value:
          stringified: "true"
    in:
      typeDeclaration:
        super:
          name: org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
    name:
      matches: xssProtectionEnabled|block
    anyOf:
    - not:
        followedBy:
          methodcall: {}
    - followedBy:
        methodcall:
          not:
            followedBy:
              methodcall:
                name: contentSecurityPolicy
          name: and
    declaration:
      type: org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.XXssConfig
availableFixes:
- name: Add a CSP header
  actions:
  - rewrite:
      to: '{{{ . }}}.and().contentSecurityPolicy("script-src ''self''")'