5
votes

I looked at the Spring web site and want to prevent my website from XSS and X-Frame attacks.

But my English is not good enough to figure out what to set.

Please guide me on what else I should set.

I just added a WebSecurityConfig.java under src/com/test/web/security

Here is my code:

package com.test.web.security;

import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
@ComponentScan
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // ...
            .headers();
    }
}
2
Spring Security headers will prevent IFRAME hijacking and reflected XSS attacks but not normal XSS attacks. XSS relies on an application taking a user's input and directly including it in a page's HTML. If the user supplied malicious JavaScript in the input, that JavaScript will execute, thereby hijacking the current user's privileges. XSS protection requires filtering malicious content and always escaping user-provided input. For the first, use a library such as HDIV. For the second, use the built-in features of whatever rendering mechanism you use - JSP, Facelets, etc.
manish
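As an added illustration of the escaping the comment above recommends (this is not code from the question or from anyone in the thread): a servlet that writes a request parameter into HTML, with the unescaped form shown commented out next to the escaped form. It assumes the OWASP Java Encoder library (org.owasp.encoder:encoder) and a standard servlet container; the class name GreetingServlet and the name parameter are made up for the example. JSP's <c:out> tag does the same job declaratively.

```java
// Added example, not from the thread. Assumes the OWASP Java Encoder library
// (org.owasp.encoder:encoder) is on the classpath.
import org.owasp.encoder.Encode;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.io.PrintWriter;

// Hypothetical servlet that greets the user by a name taken from the query string.
public class GreetingServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Untrusted input: anything the client sends can end up here.
        String name = req.getParameter("name");
        if (name == null) {
            name = "";
        }

        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();

        // Reflected XSS pattern the comment warns about: the raw parameter is
        // concatenated straight into the markup, so any HTML or script in it is
        // rendered as part of the page.
        // out.println("<p>Hello " + name + "</p>");

        // Escaped form: encode for the HTML text context, so '<', '>', '&' and
        // quotes arrive as literal characters rather than markup.
        out.println("<p>Hello " + Encode.forHtml(name) + "</p>");

        // Attribute context needs its own encoder; a value placed inside quotes
        // must be encoded for that position, not for element text.
        out.println("<input type=\"text\" name=\"name\" value=\""
                + Encode.forHtmlAttribute(name) + "\">");
    }
}
```

The encoder to use depends on where the value lands (element text, attribute, JavaScript string, URL); picking the one for the wrong context is a common way escaping fails.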

2 Answers

2
votes

If you just specify the same code that you have above, Spring Security should automatically add all of the relevant security headers. Per the docs:

If you are using Spring Security’s Java configuration, all of the default security headers are added by default.

Also:

As soon as you specify any headers that should be included, then only those headers will be included.

See details and code samples in this section:

http://docs.spring.io/spring-security/site/docs/3.2.0.RELEASE/reference/htmlsingle/#default-security-headers

-1
votes

Please use the following code, for example:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().antMatchers("/api/**").hasAnyRole("ADMIN", "USER")
        .and().httpBasic()
        .and().headers().disable();
    //.and().formLogin();
}
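The two answers show the two ends of the same setting: with Java configuration the default security headers are added automatically, and headers().disable() removes all of them. As an added example, not code from the question or from either answer, here is a configuration in the question's style that keeps the defaults and sets the anti-framing and XSS-related headers explicitly. It assumes a Spring Security 4.x/5.x release, where WebSecurityConfigurerAdapter still exists and headers() offers the fluent frameOptions(), xssProtection() and contentSecurityPolicy() calls (contentSecurityPolicy() is not in the 3.2 documentation the first answer links to); the /api/** matcher and the role names are taken from the second answer.

```java
package com.test.web.security;

// Added example, not the thread's code. Assumes Spring Security 4.x/5.x
// (WebSecurityConfigurerAdapter present, fluent headers() sub-configurers).
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Matcher and roles as in the second answer; everything else
                // at least requires an authenticated user.
                .antMatchers("/api/**").hasAnyRole("ADMIN", "USER")
                .anyRequest().authenticated()
                .and()
            .httpBasic()
                .and()
            // headers() without disable() keeps the defaults the first answer
            // quotes from the docs (X-Content-Type-Options, Cache-Control,
            // HSTS on HTTPS, X-Frame-Options, X-XSS-Protection). The calls
            // below only make the framing and XSS settings explicit.
            .headers()
                // X-Frame-Options: DENY. Use sameOrigin() instead if the
                // application legitimately frames its own pages.
                .frameOptions().deny()
                // X-XSS-Protection: 1; mode=block for browsers that still
                // honour it. This does not replace output escaping.
                .xssProtection().block(true)
                .and()
                // Content-Security-Policy: frame-ancestors is the modern
                // equivalent of X-Frame-Options, and a self-only default-src
                // limits what injected markup can load. Tighten or relax the
                // directives to match the application's real resources.
                .contentSecurityPolicy("default-src 'self'; frame-ancestors 'none'");
    }
}
```

Check the result by requesting any page and inspecting the response headers; X-Frame-Options, X-XSS-Protection and Content-Security-Policy should all be present on every response, not only on protected ones.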