5

I looked at the Spring web site and want to prevent my website from XSS and X-Frame attacks.

But my English is not good enough to figure out what to set.

Please guide me on what else I should set.

I just added a WebSecurityConfig.java under src/com/test/web/security.

Here is my code:

```java
package com.test.web.security;

import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
@ComponentScan
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // ...
            // Calling headers() with no further customisation keeps
            // Spring Security's default set of security response headers.
            .headers();
    }
}
```
user2492364

  • Spring Security headers will prevent IFRAME hijacking and reflected XSS attacks but not normal XSS attacks. XSS relies on an application taking a user's input and directly including it in a page's HTML. If the user supplied malicious JavaScript in the input, that JavaScript will execute, thereby hijacking the current user's privileges. XSS protection requires filtering malicious content and always escaping user-provided input. For the first, use a library such as HDIV. For the second, use the built-in features of whatever rendering mechanism you use - JSP, Facelets, etc. – manish Jul 08 '15 at 08:13

1 Answer

3

If you just specify the same code that you have above, Spring Security should automatically add all of the relevant security headers. Per the docs:

> If you are using Spring Security's Java configuration, all of the default security headers are added by default.

Also:

> As soon as you specify any headers that should be included, then only those headers will be included.

See details and code samples in this section:

http://docs.spring.io/spring-security/site/docs/3.2.0.RELEASE/reference/htmlsingle/#default-security-headers

cliff.meyers

  • But I use OWASP ZAP to attack, and it still has those problems – user2492364 Jul 08 '15 at 06:04
  • Per the comment above, Spring Security won't defend against every attack. It will however add HTTP headers to defend against xframe, XSRF and a few other attack vectors. Check the docs for more details. – cliff.meyers Jul 08 '15 at 12:28
  • I have the same [issue](https://stackoverflow.com/questions/33425632/spring-security-configuration-with-spring-boot) - using the Spring Boot defaults I still get the same OWASP ZAP warnings. Were you able to get your security figured out? – sonoerin Nov 03 '15 at 03:04
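Because the answer's second quote means that naming any one header in Spring Security 3.2 silently drops the other defaults, the safest explicit configuration lists every default header. The class below is an added example, not code from the question, the answer, or the Spring project; it assumes Spring Security 3.2.x (the version of the docs linked above), where `HeadersConfigurer` exposes `contentTypeOptions()`, `xssProtection()`, `cacheControl()`, `httpStrictTransportSecurity()` and `addHeaderWriter(...)`, and `XFrameOptionsHeaderWriter` takes an `XFrameOptionsMode`. The class name `ExplicitHeadersSecurityConfig` and the `authorizeRequests()`/`formLogin()` rules are placeholders for whatever the site actually needs.

```java
package com.test.web.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode;

// Example configuration (assumed Spring Security 3.2.x API); not the page's own code.
@EnableWebSecurity
@Configuration
public class ExplicitHeadersSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Placeholder access rules: require login for every request.
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .headers()
                // In 3.2, as soon as one header is named only the named headers
                // are written, so every default is spelled out here on purpose.
                .contentTypeOptions()           // X-Content-Type-Options: nosniff
                .xssProtection()                // X-XSS-Protection: 1; mode=block
                .cacheControl()                 // Cache-Control: no-cache, no-store, ... plus Pragma/Expires
                .httpStrictTransportSecurity()  // Strict-Transport-Security on HTTPS responses
                // The default frameOptions() writer sends DENY. If the site must
                // frame its own pages, register a SAMEORIGIN writer instead;
                // otherwise replace this line with .frameOptions() to keep DENY.
                .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN));
    }
}
```

To confirm the result, request any page with `curl -I` and check that each of the headers named in the comments appears in the response; a scanner such as the OWASP ZAP run mentioned in the comments should then stop flagging the missing-header findings. The headers only address clickjacking and browser-side reflected-XSS filtering; stored and DOM XSS still need the output escaping in the view layer that manish's comment describes.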