SEC-2846: Security HTTP Response Headers Configuration Cleanup #3070

Closed
spring-projects-issues opened this issue Feb 10, 2015 · 1 comment

@spring-projects-issues spring-projects-issues commented Feb 10, 2015

Rob Winch (Migrated from SEC-2846) said:

Currently the mechanism for customizing HTTP Response Headers has a number of limitations. For example, if one wants to include all default headers but modify the X-Frame-Options to be SAMEORIGIN (i.e. for SockJS support), then they must duplicate a lot of configuration. For example, the Java Config would look like this:

http
    .headers()
        .addHeaderWriter(new XFrameOptionsHeaderWriter(
            XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))
        .cacheControl()
        .contentTypeOptions()
        .httpStrictTransportSecurity()
        .xssProtection()

The other issue is that it is not obvious that adding any element will remove all of the default headers. We should strive to be "secure by default".

This change will make it so that the following can be used to include all of the default headers but modify X-Frame-Options to be SAMEORIGIN:

http
    .headers()
        .frameOptions()
          .sameOrigin()
          .and()
        .and()
    ...;

If users really want to disable the default headers it can be done explicitly. For example, the following would only include the "X-Frame-Options: SAMEORIGIN" header:

http
    .headers()
        .defaultsDisabled()
        .frameOptions()
            .sameOrigin()
            .and()
        .and()
     ...;

The same configuration in XML:

<http>
    <!-- ... -->

    <headers defaults-disabled="true">
        <frame-options policy="SAMEORIGIN"/>
    </headers>
</http>

One can also disable a single default header. For example, the following will remove the "X-Frame-Options" and keep all of the other defaults:

http
    .headers()
        .frameOptions().disabled()
        .and()
     ...;

The same configuration in XML:

<http>
    <!-- ... -->

    <headers>
        <frame-options disabled="true"/>
    </headers>
</http>
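To make the "secure by default" concern testable, here is an added Python example (not code from this issue or from Spring Security) that audits a response's headers against the five defaults named above and lists which of them a customization dropped or weakened; the header names come from the issue, the sample values are constructed.

```python
from typing import Callable, Dict, List, Optional

def _hsts_ok(value: str) -> bool:
    # Any max-age directive is accepted; the issue does not prescribe a value.
    return "max-age=" in value.lower()

# Header name -> optional validator for its value (None: presence is enough).
# The names are the defaults the issue lists; the allowed values are assumptions.
DEFAULT_HEADERS: Dict[str, Optional[Callable[[str], bool]]] = {
    "Cache-Control": None,
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "Strict-Transport-Security": _hsts_ok,
    "X-Frame-Options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "X-XSS-Protection": None,
}

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for missing or unexpected default headers; [] means clean."""
    by_name = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    findings: List[str] = []
    for name, check in DEFAULT_HEADERS.items():
        value = by_name.get(name.lower())
        if value is None:
            findings.append(f"missing: {name}")
        elif check is not None and not check(value):
            findings.append(f"unexpected value: {name}: {value}")
    return findings

def dropped_defaults(baseline: Dict[str, str], customized: Dict[str, str]) -> List[str]:
    """Names present in the baseline response but absent after a customization."""
    after = {k.lower() for k in customized}
    return sorted(k for k in baseline if k.lower() not in after)

# Constructed sample: a response carrying all five defaults (values are illustrative).
FULL_DEFAULTS = {
    "Cache-Control": "no-cache, no-store, max-age=0, must-revalidate",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000 ; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
}
# Constructed sample: what a config that replaced the defaults with a single
# X-Frame-Options writer would emit (the pitfall the issue describes).
FRAME_ONLY = {"X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    print(audit_headers(FRAME_ONLY))
    print(dropped_defaults(FULL_DEFAULTS, FRAME_ONLY))
```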