gtludwig
Reputation: 5611
Is it possible to implement only XSS prevention in Spring security and leave everything else open?
I'm working on a project where the OAuth2 implementation has not yet been consolidated, but I have been requested to investigate XSS prevention on the platform. Since the security concern is a known vulnerability, can Spring Security be in place to prevent XSS only and disable any form of authorization and authentication?
Upvotes: 0
Views: 342
Answers (1)
jzheaux
Reputation: 7762
Yes, though there may be some things that you will still want, like Spring Security's application firewall.
By default, HttpSecurity will add http basic, form login, CSRF protection, and various security headers, but these can all be configured. The following leaves only the X-XSS-Protection header in place:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) {
http
.csrf().disable()
.headers()
.defaultsDisabled()
.xssProtection()
}
}
Upvotes: 1
Related Questions
- How to prevent from Cross Site Scripting (XSS) attack in Spring Boot application?
- Is Xss protection in Spring security enabled by default?
- Preventing XSS attacks on Spring applications
- Spring: How to add XSS protection to @RequestBody in a RESTful service?
- How to block or protect against XSS for Spring MVC 4 applications without SpringBoot
- How to use spring security to prevent xss and xframe attack
- spring security native xss filter
- Protecting Spring MVC against XSS
- How to prevent XSS attacks with SpringMVC + Jackson Application?
- Prevent XSS in Spring MVC