From 683cb49c9dbb9506197ebe2daf9ef515971ba1b6 Mon Sep 17 00:00:00 2001 From: Eleftheria Stein Date: Tue, 14 Jul 2020 16:34:30 +0200 Subject: [PATCH] Add Kotlin WebFlux header configuration to docs Issue gh-8172 --- .../_includes/reactive/exploits/headers.adoc | 262 ++++++++++++++++-- 1 file changed, 234 insertions(+), 28 deletions(-) diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/exploits/headers.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/exploits/headers.adoc index 359abb3436..9b1f2041f6 100644 --- a/docs/manual/src/docs/asciidoc/_includes/reactive/exploits/headers.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/reactive/exploits/headers.adoc @@ -13,11 +13,12 @@ While each of these headers are considered best practice, it should be noted tha You can customize specific headers. For example, assume that you want the defaults except you wish to specify `SAMEORIGIN` for <>. -You can easily do this with the following Java Configuration: +You can easily do this with the following Configuration: -.Customize Default Security Headers with Java Configuration +.Customize Default Security Headers ==== -[source,java] +.Java +[source,java,role="primary"] ---- @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { @@ -31,14 +32,31 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { return http.build(); } ---- + +.Kotlin +[source,kotlin,role="secondary"] +---- +@Bean +fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain { + return http { + // ... + headers { + frameOptions { + mode = Mode.SAMEORIGIN + } + } + } +} +---- ==== If you do not want the defaults to be added and want explicit control over what should be used, you can disable the defaults. -An example for both Java configuration is provided below: +An example is provided below: .Disable HTTP Security Response Headers ==== -[source,java] +.Java +[source,java,role="primary"] ---- @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { @@ -48,6 +66,20 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { return http.build(); } ---- + +.Kotlin +[source,kotlin,role="secondary"] +---- +@Bean +fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain { + return http { + // ... + headers { + disable() + } + } +} +---- ==== [[webflux-headers-cache-control]] @@ -65,7 +97,8 @@ If necessary, you can also disable Spring Security's cache control HTTP response .Cache Control Disabled ==== -[source,java] +.Java +[source,java,role="primary"] ---- @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { @@ -77,17 +110,34 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { return http.build(); } ---- + +.Kotlin +[source,kotlin,role="secondary"] +---- +@Bean +fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain { + return http { + // ... + headers { + cache { + disable() + } + } + } +} +---- ==== [[webflux-headers-content-type-options]] == Content Type Options Spring Security includes <> headers by default. -However, you can disable it in Java Configuration with: +However, you can disable it with: -.Content Type Options Disabled with Java Configuration +.Content Type Options Disabled ==== -[source,java] +.Java +[source,java,role="primary"] ---- @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { @@ -99,17 +149,34 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { return http.build(); } ---- + +.Kotlin +[source,kotlin,role="secondary"] +---- +@Bean +fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain { + return http { + // ... + headers { + contentTypeOptions { + disable() + } + } + } +} +---- ==== [[webflux-headers-hsts]] == HTTP Strict Transport Security (HSTS) Spring Security provides the <> header by default. However, you can customize the results explicitly. -For example, the following is an example of explicitly providing HSTS with Java Configuration: +For example, the following is an example of explicitly providing HSTS: -.Strict Transport Security with Java Configuration +.Strict Transport Security ==== -[source,java] +.Java +[source,java,role="primary"] ---- @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { @@ -125,17 +192,36 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { return http.build(); } ---- + +.Kotlin +[source,kotlin,role="secondary"] +---- +@Bean +fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain { + return http { + // ... + headers { + hsts { + includeSubdomains = true + preload = true + maxAge = Duration.ofDays(365) + } + } + } +} +---- ==== [[webflux-headers-frame-options]] == X-Frame-Options By default, Spring Security disables rendering within an iframe using <>. -You can customize frame options to use the same origin within Java Configuration using the following: +You can customize frame options to use the same origin using the following: .X-Frame-Options: SAMEORIGIN ==== -[source,java] +.Java +[source,java,role="primary"] ---- @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { @@ -149,16 +235,33 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { return http.build(); } ---- + +.Kotlin +[source,kotlin,role="secondary"] +---- +@Bean +fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain { + return http { + // ... + headers { + frameOptions { + mode = SAMEORIGIN + } + } + } +} +---- ==== [[webflux-headers-xss-protection]] == X-XSS-Protection By default, Spring Security instructs browsers to block reflected XSS attacks using the <. -You can disable `X-XSS-Protection` with the following Java Configuration: +You can disable `X-XSS-Protection` with the following Configuration: .X-XSS-Protection Customization ==== -[source,java] +.Java +[source,java,role="primary"] ---- @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { @@ -170,6 +273,22 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { return http.build(); } ---- + +.Kotlin +[source,kotlin,role="secondary"] +---- +@Bean +fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain { + return http { + // ... + headers { + xssProtection { + disable() + } + } + } +} +---- ==== [[webflux-headers-csp]] @@ -187,11 +306,12 @@ Content-Security-Policy: script-src 'self' https://trustedscripts.example.com; o ---- ==== -You can enable the CSP header using Java configuration as shown below: +You can enable the CSP header as shown below: .Content Security Policy ==== -[source,java] +.Java +[source,java,role="primary"] ---- @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { @@ -205,13 +325,30 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { return http.build(); } ---- + +.Kotlin +[source,kotlin,role="secondary"] +---- +@Bean +fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain { + return http { + // ... + headers { + contentSecurityPolicy { + policyDirectives = "script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/" + } + } + } +} +---- ==== -To enable the CSP `report-only` header, provide the following Java configuration: +To enable the CSP `report-only` header, provide the following configuration: .Content Security Policy Report Only ==== -[source,java] +.Java +[source,java,role="primary"] ---- @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { @@ -226,17 +363,35 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { return http.build(); } ---- + +.Kotlin +[source,kotlin,role="secondary"] +---- +@Bean +fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain { + return http { + // ... + headers { + contentSecurityPolicy { + policyDirectives = "script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/" + reportOnly = true + } + } + } +} +---- ==== [[webflux-headers-referrer]] == Referrer Policy Spring Security does not add <> headers by default. -You can enable the Referrer Policy header using Java configuration as shown below: +You can enable the Referrer Policy header using configuration as shown below: -.Referrer Policy Java Configuration +.Referrer Policy Configuration ==== -[source,java] +.Java +[source,java,role="primary"] ---- @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { @@ -250,6 +405,22 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { return http.build(); } ---- + +.Kotlin +[source,kotlin,role="secondary"] +---- +@Bean +fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain { + return http { + // ... + headers { + referrerPolicy { + policy = ReferrerPolicy.SAME_ORIGIN + } + } + } +} +---- ==== @@ -267,11 +438,12 @@ Feature-Policy: geolocation 'self' ---- ==== -can enable the Feature Policy header using Java configuration as shown below: +You can enable the Feature Policy header as shown below: -.Feature-Policy Java Configuration +.Feature-Policy Configuration ==== -[source,java] +.Java +[source,java,role="primary"] ---- @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { @@ -283,6 +455,20 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { return http.build(); } ---- + +.Kotlin +[source,kotlin,role="secondary"] +---- +@Bean +fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain { + return http { + // ... + headers { + featurePolicy("geolocation 'self'") + } + } +} +---- ==== @@ -301,9 +487,10 @@ Clear-Site-Data: "cache", "cookies" can be sent on log out with the following configuration: -.Clear-Site-Data Java Configuration +.Clear-Site-Data Configuration ==== -[source,java] +.Java +[source,java,role="primary"] ---- @Bean SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { @@ -319,4 +506,23 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { return http.build(); } ---- + +.Kotlin +[source,kotlin,role="secondary"] +---- +@Bean +fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain { + val securityContext: ServerLogoutHandler = SecurityContextServerLogoutHandler() + val writer = ClearSiteDataServerHttpHeadersWriter(CACHE, COOKIES) + val clearSiteData: ServerLogoutHandler = HeaderWriterServerLogoutHandler(writer) + val customLogoutHandler = DelegatingServerLogoutHandler(securityContext, clearSiteData) + + return http { + // ... + logout { + logoutHandler = customLogoutHandler + } + } +} +---- ====