Recipe Name:
Security Misconfiguration: XSS protection: Disabled Header - xssProtectionEnabled()
Description:
Do not disable Spring Security's built-in XSS protection
Level:
warning
Language:
- java
Tags:
- Spring
- security
- framework specific
- Spring Security
- web
- XSS
- OWASP Top 10
Documentation
One of the security headers that Spring Security provides by default is the X-XSS-Protection header. It will prevent browsers from rendering when an XSS attempt is recognised. Keep in mind that this will not eliminate the possibility of XSS attacks completely.
Beforehttp.headers().xssProtection().xssProtectionEnabled(false);After
http.headers().xssProtection().xssProtectionEnabled(true);References
Recipe
id: scw:spring:xss:xssProtectionEnabled
version: 10
metadata:
name: 'Security Misconfiguration: XSS protection: Disabled Header - xssProtectionEnabled()'
shortDescription: Do not disable Spring Security's built-in XSS protection
level: warning
language: java
scwCategory: xss:generic
enabled: true
descriptionFile: descriptions/SecurityMisconfigurationDisabledXSSprotectioninSpringSecurity-xssProtectionEnabled.html
tags: Spring;security;framework specific;Spring Security;web;XSS;OWASP Top 10
search:
methodcall:
args:
1:
type: boolean
value:
stringified: "false"
in:
typeDeclaration:
super:
name: org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
name: xssProtectionEnabled
declaration:
type: org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.XXssConfig
availableFixes:
- name: Enable XssProtection
actions:
- modifyArguments:
rewrite:
1: "true"