diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/channel.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/channel.adoc index a06ef552bc..fb1afcf421 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/channel.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/channel.adoc @@ -1,7 +1,7 @@ [[ns-requires-channel]] -== HTTPS += HTTPS -=== Adding HTTP/HTTPS Channel Security +== Adding HTTP/HTTPS Channel Security If your application supports both HTTP and HTTPS, and you require that particular URLs can only be accessed over HTTPS, then this is directly supported using the `requires-channel` attribute on ``: [source,xml] diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/headers.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/headers.adoc index 64b79861b8..44f8db8018 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/headers.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/headers.adoc @@ -1,9 +1,9 @@ [[headers]] [[ns-headers]] -== Security HTTP Response Headers += Security HTTP Response Headers This section discusses Spring Security's support for adding various security headers to the response. -=== Default Security Headers +== Default Security Headers Spring Security allows users to easily inject the default security headers to assist in protecting their application. The default for Spring Security is to include the following headers: @@ -157,7 +157,7 @@ If necessary, you can disable all of the HTTP Security response headers with the ---- [[headers-cache-control]] -=== Cache Control +== Cache Control In the past Spring Security required you to provide your own cache control for your web application. This seemed reasonable at the time, but browser caches have evolved to include caches for secure connections as well. This means that a user may view an authenticated page, log out, and then a malicious user can use the browser history to view the cached page. @@ -229,17 +229,17 @@ public class WebMvcConfiguration implements WebMvcConfigurer { ---- [[headers-content-type-options]] -=== Content Type Options +== Content Type Options Historically browsers, including Internet Explorer, would try to guess the content type of a request using https://en.wikipedia.org/wiki/Content_sniffing[content sniffing]. This allowed browsers to improve the user experience by guessing the content type on resources that had not specified the content type. For example, if a browser encountered a JavaScript file that did not have the content type specified, it would be able to guess the content type and then execute it. [NOTE] -==== +=== There are many additional things one should do (i.e. only display the document in a distinct domain, ensure Content-Type header is set, sanitize the document, etc) when allowing content to be uploaded. However, these measures are out of the scope of what Spring Security provides. It is also important to point out when disabling content sniffing, you must specify the content type in order for things to work properly. -==== +=== The problem with content sniffing is that this allowed malicious users to use polyglots (i.e. a file that is valid as multiple content types) to execute XSS attacks. For example, some sites may allow users to submit a valid postscript document to a website and view it. @@ -289,7 +289,7 @@ WebSecurityConfigurerAdapter { ---- [[headers-hsts]] -=== HTTP Strict Transport Security (HSTS) +== HTTP Strict Transport Security (HSTS) When you type in your bank's website, do you enter mybank.example.com or do you enter https://mybank.example.com[]? If you omit the https protocol, you are potentially vulnerable to https://en.wikipedia.org/wiki/Man-in-the-middle_attack[Man in the Middle attacks]. Even if the website performs a redirect to https://mybank.example.com a malicious user could intercept the initial HTTP request and manipulate the response (i.e. redirect to https://mibank.example.com and steal their credentials). @@ -298,10 +298,10 @@ Once mybank.example.com is added as a https://tools.ietf.org/html/rfc6797#sectio This greatly reduces the possibility of a Man in the Middle attack occurring. [NOTE] -==== +=== In accordance with https://tools.ietf.org/html/rfc6797#section-7.2[RFC6797], the HSTS header is only injected into HTTPS responses. In order for the browser to acknowledge the header, the browser must first trust the CA that signed the SSL certificate used to make the connection (not just the SSL certificate). -==== +=== One way for a site to be marked as a HSTS host is to have the host preloaded into the browser. Another is to add the "Strict-Transport-Security" header to the response. @@ -359,7 +359,7 @@ WebSecurityConfigurerAdapter { ---- [[headers-hpkp]] -=== HTTP Public Key Pinning (HPKP) +== HTTP Public Key Pinning (HPKP) HTTP Public Key Pinning (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to prevent Man in the Middle (MITM) attacks with forged certificates. To ensure the authenticity of a server's public key used in TLS sessions, this public key is wrapped into a X.509 certificate which is usually signed by a certificate authority (CA). @@ -372,9 +372,9 @@ When the client visits the server again, it expects a certificate containing a p If the server delivers an unknown public key, the client should present a warning to the user. [NOTE] -==== +=== Because the user-agent needs to validate the pins against the SSL certificate chain, the HPKP header is only injected into HTTPS responses. -==== +=== Enabling this feature for your site is as simple as returning the Public-Key-Pins HTTP header when your site is accessed over HTTPS. For example, the following would instruct the user-agent to only report pin validation failures to a given URI (via the https://tools.ietf.org/html/rfc7469#section-2.1.4[*_report-uri_*] directive) for 2 pins: @@ -435,16 +435,16 @@ WebSecurityConfigurerAdapter { ---- [[headers-frame-options]] -=== X-Frame-Options +== X-Frame-Options Allowing your website to be added to a frame can be a security issue. For example, using clever CSS styling users could be tricked into clicking on something that they were not intending (https://www.youtube.com/watch?v=3mk0RySeNsU[video demo]). For example, a user that is logged into their bank might click a button that grants access to other users. This sort of attack is known as https://en.wikipedia.org/wiki/Clickjacking[Clickjacking]. [NOTE] -==== +=== Another modern approach to dealing with clickjacking is to use <>. -==== +=== There are a number ways to mitigate clickjacking attacks. For example, to protect legacy browsers from clickjacking attacks you can use https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Best-for-now_Legacy_Browser_Frame_Breaking_Script[frame breaking code]. @@ -499,7 +499,7 @@ WebSecurityConfigurerAdapter { ---- [[headers-xss-protection]] -=== X-XSS-Protection +== X-XSS-Protection Some browsers have built in support for filtering out https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OWASP-DV-001)[reflected XSS attacks]. This is by no means foolproof, but does assist in XSS protection. @@ -553,17 +553,17 @@ WebSecurityConfigurerAdapter { ---- [[headers-csp]] -=== Content Security Policy (CSP) +== Content Security Policy (CSP) https://www.w3.org/TR/CSP2/[Content Security Policy (CSP)] is a mechanism that web applications can leverage to mitigate content injection vulnerabilities, such as cross-site scripting (XSS). CSP is a declarative policy that provides a facility for web application authors to declare and ultimately inform the client (user-agent) about the sources from which the web application expects to load resources. [NOTE] -==== +=== Content Security Policy is not intended to solve all content injection vulnerabilities. Instead, CSP can be leveraged to help reduce the harm caused by content injection attacks. As a first line of defense, web application authors should validate their input and encode their output. -==== +=== A web application may employ the use of CSP by including one of the following HTTP headers in the response: @@ -606,7 +606,7 @@ Content-Security-Policy-Report-Only: script-src 'self' https://trustedscripts.ex If the site violates this policy, by attempting to load a script from _evil.com_, the user-agent will send a violation report to the declared URL specified by the _report-uri_ directive, but still allow the violating resource to load nevertheless. [[headers-csp-configure]] -==== Configuring Content Security Policy +=== Configuring Content Security Policy It's important to note that Spring Security *_does not add_* Content Security Policy by default. The web application author must declare the security policy(s) to enforce and/or monitor for the protected resources. @@ -695,7 +695,7 @@ WebSecurityConfigurerAdapter { ---- [[headers-csp-links]] -==== Additional Resources +=== Additional Resources Applying Content Security Policy to a web application is often a non-trivial undertaking. The following resources may provide further assistance in developing effective security policies for your site. @@ -707,7 +707,7 @@ https://developer.mozilla.org/en-US/docs/Web/Security/CSP[CSP Guide - Mozilla De https://www.w3.org/TR/CSP2/[W3C Candidate Recommendation] [[headers-referrer]] -=== Referrer Policy +== Referrer Policy https://www.w3.org/TR/referrer-policy[Referrer Policy] is a mechanism that web applications can leverage to manage the referrer field, which contains the last page the user was on. @@ -722,7 +722,7 @@ Referrer-Policy: same-origin The Referrer-Policy response header instructs the browser to let the destination knows the source where the user was previously. [[headers-referrer-configure]] -==== Configuring Referrer Policy +=== Configuring Referrer Policy Spring Security *_doesn't add_* Referrer Policy header by default. @@ -764,7 +764,7 @@ WebSecurityConfigurerAdapter { [[headers-feature]] -=== Feature Policy +== Feature Policy https://wicg.github.io/feature-policy/[Feature Policy] is a mechanism that allows web developers to selectively enable, disable, and modify the behavior of certain APIs and web features in the browser. @@ -777,7 +777,7 @@ With Feature Policy, developers can opt-in to a set of "policies" for the browse These policies restrict what APIs the site can access or modify the browser's default behavior for certain features. [[headers-feature-configure]] -==== Configuring Feature Policy +=== Configuring Feature Policy Spring Security *_doesn't add_* Feature Policy header by default. @@ -815,7 +815,7 @@ WebSecurityConfigurerAdapter { ---- [[headers-clearsitedata]] -=== Clear Site Data +== Clear Site Data https://www.w3.org/TR/clear-site-data/[Clear Site Data] is a mechanism by which any browser-side data - cookies, local storage, and the like - can be removed when an HTTP response contains this header: @@ -827,7 +827,7 @@ Clear-Site-Data: "cache", "cookies", "storage", "executionContexts" This is a nice clean-up action to perform on logout. [[headers-clearsitedata-configure]] -==== Configuring Clear Site Data +=== Configuring Clear Site Data Spring Security *_doesn't add_* the Clear Site Data header by default. @@ -854,12 +854,12 @@ It's not recommended that you configure this header writer via the `headers()` d The reason for this is that any session state, say the `JSESSIONID` cookie, would be removed, effectively logging the user out. [[headers-custom]] -=== Custom Headers +== Custom Headers Spring Security has mechanisms to make it convenient to add the more common security headers to your application. However, it also provides hooks to enable adding custom headers. [[headers-static]] -==== Static Headers +=== Static Headers There may be times you wish to inject custom security headers into your application that are not supported out of the box. For example, given the following custom security header: @@ -902,7 +902,7 @@ WebSecurityConfigurerAdapter { ---- [[headers-writer]] -==== Headers Writer +=== Headers Writer When the namespace or Java configuration does not support the headers you want, you can create a custom `HeadersWriter` instance or even provide a custom implementation of the `HeadersWriter`. Let's take a look at an example of using an custom instance of `XFrameOptionsHeaderWriter`. @@ -951,7 +951,7 @@ WebSecurityConfigurerAdapter { [[headers-delegatingrequestmatcherheaderwriter]] -==== DelegatingRequestMatcherHeaderWriter +=== DelegatingRequestMatcherHeaderWriter At times you may want to only write a header for certain requests. For example, perhaps you want to only protect your log in page from being framed. You could use the `DelegatingRequestMatcherHeaderWriter` to do so.