Rob Winch
parent
2827af15e0
commit
badb0a08c6
|
|
@ -1,7 +1,7 @@
|
|||
[[ns-requires-channel]]
|
||||
== HTTPS
|
||||
= HTTPS
|
||||
|
||||
=== Adding HTTP/HTTPS Channel Security
|
||||
== Adding HTTP/HTTPS Channel Security
|
||||
If your application supports both HTTP and HTTPS, and you require that particular URLs can only be accessed over HTTPS, then this is directly supported using the `requires-channel` attribute on `<intercept-url>`:
|
||||
|
||||
[source,xml]
|
||||
|
|
|
|||
|
|
@ -1,9 +1,9 @@
|
|||
[[headers]]
|
||||
[[ns-headers]]
|
||||
== Security HTTP Response Headers
|
||||
= Security HTTP Response Headers
|
||||
This section discusses Spring Security's support for adding various security headers to the response.
|
||||
|
||||
=== Default Security Headers
|
||||
== Default Security Headers
|
||||
Spring Security allows users to easily inject the default security headers to assist in protecting their application.
|
||||
The default for Spring Security is to include the following headers:
|
||||
|
||||
|
|
@ -157,7 +157,7 @@ If necessary, you can disable all of the HTTP Security response headers with the
|
|||
----
|
||||
|
||||
[[headers-cache-control]]
|
||||
=== Cache Control
|
||||
== Cache Control
|
||||
In the past Spring Security required you to provide your own cache control for your web application.
|
||||
This seemed reasonable at the time, but browser caches have evolved to include caches for secure connections as well.
|
||||
This means that a user may view an authenticated page, log out, and then a malicious user can use the browser history to view the cached page.
|
||||
|
|
@ -229,17 +229,17 @@ public class WebMvcConfiguration implements WebMvcConfigurer {
|
|||
----
|
||||
|
||||
[[headers-content-type-options]]
|
||||
=== Content Type Options
|
||||
== Content Type Options
|
||||
Historically browsers, including Internet Explorer, would try to guess the content type of a request using https://en.wikipedia.org/wiki/Content_sniffing[content sniffing].
|
||||
This allowed browsers to improve the user experience by guessing the content type on resources that had not specified the content type.
|
||||
For example, if a browser encountered a JavaScript file that did not have the content type specified, it would be able to guess the content type and then execute it.
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
===
|
||||
There are many additional things one should do (i.e. only display the document in a distinct domain, ensure Content-Type header is set, sanitize the document, etc) when allowing content to be uploaded.
|
||||
However, these measures are out of the scope of what Spring Security provides.
|
||||
It is also important to point out when disabling content sniffing, you must specify the content type in order for things to work properly.
|
||||
====
|
||||
===
|
||||
|
||||
The problem with content sniffing is that this allowed malicious users to use polyglots (i.e. a file that is valid as multiple content types) to execute XSS attacks.
|
||||
For example, some sites may allow users to submit a valid postscript document to a website and view it.
|
||||
|
|
@ -289,7 +289,7 @@ WebSecurityConfigurerAdapter {
|
|||
----
|
||||
|
||||
[[headers-hsts]]
|
||||
=== HTTP Strict Transport Security (HSTS)
|
||||
== HTTP Strict Transport Security (HSTS)
|
||||
When you type in your bank's website, do you enter mybank.example.com or do you enter https://mybank.example.com[]? If you omit the https protocol, you are potentially vulnerable to https://en.wikipedia.org/wiki/Man-in-the-middle_attack[Man in the Middle attacks].
|
||||
Even if the website performs a redirect to https://mybank.example.com a malicious user could intercept the initial HTTP request and manipulate the response (i.e. redirect to https://mibank.example.com and steal their credentials).
|
||||
|
||||
|
|
@ -298,10 +298,10 @@ Once mybank.example.com is added as a https://tools.ietf.org/html/rfc6797#sectio
|
|||
This greatly reduces the possibility of a Man in the Middle attack occurring.
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
===
|
||||
In accordance with https://tools.ietf.org/html/rfc6797#section-7.2[RFC6797], the HSTS header is only injected into HTTPS responses.
|
||||
In order for the browser to acknowledge the header, the browser must first trust the CA that signed the SSL certificate used to make the connection (not just the SSL certificate).
|
||||
====
|
||||
===
|
||||
|
||||
One way for a site to be marked as a HSTS host is to have the host preloaded into the browser.
|
||||
Another is to add the "Strict-Transport-Security" header to the response.
|
||||
|
|
@ -359,7 +359,7 @@ WebSecurityConfigurerAdapter {
|
|||
----
|
||||
|
||||
[[headers-hpkp]]
|
||||
=== HTTP Public Key Pinning (HPKP)
|
||||
== HTTP Public Key Pinning (HPKP)
|
||||
HTTP Public Key Pinning (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to prevent Man in the Middle (MITM) attacks with forged certificates.
|
||||
|
||||
To ensure the authenticity of a server's public key used in TLS sessions, this public key is wrapped into a X.509 certificate which is usually signed by a certificate authority (CA).
|
||||
|
|
@ -372,9 +372,9 @@ When the client visits the server again, it expects a certificate containing a p
|
|||
If the server delivers an unknown public key, the client should present a warning to the user.
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
===
|
||||
Because the user-agent needs to validate the pins against the SSL certificate chain, the HPKP header is only injected into HTTPS responses.
|
||||
====
|
||||
===
|
||||
|
||||
Enabling this feature for your site is as simple as returning the Public-Key-Pins HTTP header when your site is accessed over HTTPS.
|
||||
For example, the following would instruct the user-agent to only report pin validation failures to a given URI (via the https://tools.ietf.org/html/rfc7469#section-2.1.4[*_report-uri_*] directive) for 2 pins:
|
||||
|
|
@ -435,16 +435,16 @@ WebSecurityConfigurerAdapter {
|
|||
----
|
||||
|
||||
[[headers-frame-options]]
|
||||
=== X-Frame-Options
|
||||
== X-Frame-Options
|
||||
Allowing your website to be added to a frame can be a security issue.
|
||||
For example, using clever CSS styling users could be tricked into clicking on something that they were not intending (https://www.youtube.com/watch?v=3mk0RySeNsU[video demo]).
|
||||
For example, a user that is logged into their bank might click a button that grants access to other users.
|
||||
This sort of attack is known as https://en.wikipedia.org/wiki/Clickjacking[Clickjacking].
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
===
|
||||
Another modern approach to dealing with clickjacking is to use <<headers-csp>>.
|
||||
====
|
||||
===
|
||||
|
||||
There are a number ways to mitigate clickjacking attacks.
|
||||
For example, to protect legacy browsers from clickjacking attacks you can use https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Best-for-now_Legacy_Browser_Frame_Breaking_Script[frame breaking code].
|
||||
|
|
@ -499,7 +499,7 @@ WebSecurityConfigurerAdapter {
|
|||
----
|
||||
|
||||
[[headers-xss-protection]]
|
||||
=== X-XSS-Protection
|
||||
== X-XSS-Protection
|
||||
Some browsers have built in support for filtering out https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OWASP-DV-001)[reflected XSS attacks].
|
||||
This is by no means foolproof, but does assist in XSS protection.
|
||||
|
||||
|
|
@ -553,17 +553,17 @@ WebSecurityConfigurerAdapter {
|
|||
----
|
||||
|
||||
[[headers-csp]]
|
||||
=== Content Security Policy (CSP)
|
||||
== Content Security Policy (CSP)
|
||||
|
||||
https://www.w3.org/TR/CSP2/[Content Security Policy (CSP)] is a mechanism that web applications can leverage to mitigate content injection vulnerabilities, such as cross-site scripting (XSS).
|
||||
CSP is a declarative policy that provides a facility for web application authors to declare and ultimately inform the client (user-agent) about the sources from which the web application expects to load resources.
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
===
|
||||
Content Security Policy is not intended to solve all content injection vulnerabilities.
|
||||
Instead, CSP can be leveraged to help reduce the harm caused by content injection attacks.
|
||||
As a first line of defense, web application authors should validate their input and encode their output.
|
||||
====
|
||||
===
|
||||
|
||||
A web application may employ the use of CSP by including one of the following HTTP headers in the response:
|
||||
|
||||
|
|
@ -606,7 +606,7 @@ Content-Security-Policy-Report-Only: script-src 'self' https://trustedscripts.ex
|
|||
If the site violates this policy, by attempting to load a script from _evil.com_, the user-agent will send a violation report to the declared URL specified by the _report-uri_ directive, but still allow the violating resource to load nevertheless.
|
||||
|
||||
[[headers-csp-configure]]
|
||||
==== Configuring Content Security Policy
|
||||
=== Configuring Content Security Policy
|
||||
|
||||
It's important to note that Spring Security *_does not add_* Content Security Policy by default.
|
||||
The web application author must declare the security policy(s) to enforce and/or monitor for the protected resources.
|
||||
|
|
@ -695,7 +695,7 @@ WebSecurityConfigurerAdapter {
|
|||
----
|
||||
|
||||
[[headers-csp-links]]
|
||||
==== Additional Resources
|
||||
=== Additional Resources
|
||||
|
||||
Applying Content Security Policy to a web application is often a non-trivial undertaking.
|
||||
The following resources may provide further assistance in developing effective security policies for your site.
|
||||
|
|
@ -707,7 +707,7 @@ https://developer.mozilla.org/en-US/docs/Web/Security/CSP[CSP Guide - Mozilla De
|
|||
https://www.w3.org/TR/CSP2/[W3C Candidate Recommendation]
|
||||
|
||||
[[headers-referrer]]
|
||||
=== Referrer Policy
|
||||
== Referrer Policy
|
||||
|
||||
https://www.w3.org/TR/referrer-policy[Referrer Policy] is a mechanism that web applications can leverage to manage the referrer field, which contains the last
|
||||
page the user was on.
|
||||
|
|
@ -722,7 +722,7 @@ Referrer-Policy: same-origin
|
|||
The Referrer-Policy response header instructs the browser to let the destination knows the source where the user was previously.
|
||||
|
||||
[[headers-referrer-configure]]
|
||||
==== Configuring Referrer Policy
|
||||
=== Configuring Referrer Policy
|
||||
|
||||
Spring Security *_doesn't add_* Referrer Policy header by default.
|
||||
|
||||
|
|
@ -764,7 +764,7 @@ WebSecurityConfigurerAdapter {
|
|||
|
||||
|
||||
[[headers-feature]]
|
||||
=== Feature Policy
|
||||
== Feature Policy
|
||||
|
||||
https://wicg.github.io/feature-policy/[Feature Policy] is a mechanism that allows web developers to selectively enable, disable, and modify the behavior of certain APIs and web features in the browser.
|
||||
|
||||
|
|
@ -777,7 +777,7 @@ With Feature Policy, developers can opt-in to a set of "policies" for the browse
|
|||
These policies restrict what APIs the site can access or modify the browser's default behavior for certain features.
|
||||
|
||||
[[headers-feature-configure]]
|
||||
==== Configuring Feature Policy
|
||||
=== Configuring Feature Policy
|
||||
|
||||
Spring Security *_doesn't add_* Feature Policy header by default.
|
||||
|
||||
|
|
@ -815,7 +815,7 @@ WebSecurityConfigurerAdapter {
|
|||
----
|
||||
|
||||
[[headers-clearsitedata]]
|
||||
=== Clear Site Data
|
||||
== Clear Site Data
|
||||
|
||||
https://www.w3.org/TR/clear-site-data/[Clear Site Data] is a mechanism by which any browser-side data - cookies, local storage, and the like - can be removed when an HTTP response contains this header:
|
||||
|
||||
|
|
@ -827,7 +827,7 @@ Clear-Site-Data: "cache", "cookies", "storage", "executionContexts"
|
|||
This is a nice clean-up action to perform on logout.
|
||||
|
||||
[[headers-clearsitedata-configure]]
|
||||
==== Configuring Clear Site Data
|
||||
=== Configuring Clear Site Data
|
||||
|
||||
Spring Security *_doesn't add_* the Clear Site Data header by default.
|
||||
|
||||
|
|
@ -854,12 +854,12 @@ It's not recommended that you configure this header writer via the `headers()` d
|
|||
The reason for this is that any session state, say the `JSESSIONID` cookie, would be removed, effectively logging the user out.
|
||||
|
||||
[[headers-custom]]
|
||||
=== Custom Headers
|
||||
== Custom Headers
|
||||
Spring Security has mechanisms to make it convenient to add the more common security headers to your application.
|
||||
However, it also provides hooks to enable adding custom headers.
|
||||
|
||||
[[headers-static]]
|
||||
==== Static Headers
|
||||
=== Static Headers
|
||||
There may be times you wish to inject custom security headers into your application that are not supported out of the box.
|
||||
For example, given the following custom security header:
|
||||
|
||||
|
|
@ -902,7 +902,7 @@ WebSecurityConfigurerAdapter {
|
|||
----
|
||||
|
||||
[[headers-writer]]
|
||||
==== Headers Writer
|
||||
=== Headers Writer
|
||||
When the namespace or Java configuration does not support the headers you want, you can create a custom `HeadersWriter` instance or even provide a custom implementation of the `HeadersWriter`.
|
||||
|
||||
Let's take a look at an example of using an custom instance of `XFrameOptionsHeaderWriter`.
|
||||
|
|
@ -951,7 +951,7 @@ WebSecurityConfigurerAdapter {
|
|||
|
||||
|
||||
[[headers-delegatingrequestmatcherheaderwriter]]
|
||||
==== DelegatingRequestMatcherHeaderWriter
|
||||
=== DelegatingRequestMatcherHeaderWriter
|
||||
At times you may want to only write a header for certain requests.
|
||||
For example, perhaps you want to only protect your log in page from being framed.
|
||||
You could use the `DelegatingRequestMatcherHeaderWriter` to do so.
|
||||
|
|
|
|||
Loading…
Reference in New Issue