
I want to enable Spring Security XSS protection in my application.

1) Read docs and blogs, and https://spring.io/blog/2013/08/23/spring-security-3-2-0-rc1-highlights-security-headers/ indicates XSS is there by default

2) And http://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html indicates it is not there by default

3) If I use http.headers().xssProtection() in my configure method in a class extending WebSecurityConfigurerAdapter: does that disable all the other default headers?

rpy
Shirlin

1 Answer


The defaults are not disabled unless you specifically include the code below to disable them.

http.headers().defaultsDisabled()

Regarding points 1 and 2, my understanding is that both the blog and the doc have the same information.

X-XSS-Protection: 1; mode=block

The filtering (filtering out XSS attacks) is typically enabled by default, so adding the header typically just ensures it is enabled and instructs the browser what to do when an XSS attack is detected.

notionquest
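The two configurations the answer contrasts, written out as an added example (this is not code from the question, the answer, or the Spring Security reference). It assumes Spring Security 4.x, where calling a specific header method such as xssProtection() keeps the other default headers unless defaultsDisabled() is called; in 3.2.x, configuring one header left only that header enabled, which is why the 3.2-era blog post and the current reference can read differently. The class names, the Spring profile names used to pick one variant, and the HSTS max-age are illustrative assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Variant 1 (profile "keep-defaults", an assumed name): only the XSS header is
 * touched. Because defaultsDisabled() is never called, Spring Security 4.x still
 * writes its default headers next to X-XSS-Protection:
 *   Cache-Control: no-cache, no-store, max-age=0, must-revalidate
 *   Pragma: no-cache / Expires: 0
 *   X-Content-Type-Options: nosniff
 *   X-Frame-Options: DENY
 *   Strict-Transport-Security (only on HTTPS requests)
 */
@Configuration
@EnableWebSecurity
@Profile("keep-defaults")
public class KeepDefaultsSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .headers()
                .xssProtection()
                    .block(true);   // emits "X-XSS-Protection: 1; mode=block"
    }
}

/**
 * Variant 2 (profile "explicit-headers", an assumed name): opt out of the
 * defaults with defaultsDisabled() and then name every header you want. Anything
 * not listed here is simply not sent, so review the list against the defaults
 * above before using this form.
 */
@Configuration
@EnableWebSecurity
@Profile("explicit-headers")
class ExplicitHeadersSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .headers()
                .defaultsDisabled()              // from here on, only named headers are written
                .xssProtection()
                    .block(true)                 // X-XSS-Protection: 1; mode=block
                    .and()
                .contentTypeOptions()            // X-Content-Type-Options: nosniff
                    .and()
                .frameOptions()
                    .sameOrigin()                // X-Frame-Options: SAMEORIGIN (returns HeadersConfigurer)
                .cacheControl()                  // Cache-Control / Pragma / Expires
                    .and()
                .httpStrictTransportSecurity()   // written on HTTPS requests only
                    .maxAgeInSeconds(31536000)   // illustrative value: one year
                    .includeSubDomains(true);
    }
}
```

To confirm which variant is active, request a page and look at the response headers, for example with `curl -sI https://localhost:8443/ | grep -iE 'x-xss|x-content|x-frame|cache-control|strict-transport'`: under variant 1 the full default set appears, under variant 2 only the headers named in the chain. Note that the X-XSS-Protection header itself has since been dropped by Chromium-based browsers and was never implemented by Firefox, so treat it as a legacy hint and rely on a Content-Security-Policy (Spring Security 4.1+ exposes headers().contentSecurityPolicy(...)) for actual XSS mitigation.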