Fix exploits indendation

Issue gh-2567
This commit is contained in:
Rob Winch 2019-10-28 16:00:51 -05:00
parent 2827af15e0
commit badb0a08c6
2 changed files with 33 additions and 33 deletions

View File

@ -1,7 +1,7 @@
[[ns-requires-channel]] [[ns-requires-channel]]
== HTTPS = HTTPS
=== Adding HTTP/HTTPS Channel Security == Adding HTTP/HTTPS Channel Security
If your application supports both HTTP and HTTPS, and you require that particular URLs can only be accessed over HTTPS, then this is directly supported using the `requires-channel` attribute on `<intercept-url>`: If your application supports both HTTP and HTTPS, and you require that particular URLs can only be accessed over HTTPS, then this is directly supported using the `requires-channel` attribute on `<intercept-url>`:
[source,xml] [source,xml]

View File

@ -1,9 +1,9 @@
[[headers]] [[headers]]
[[ns-headers]] [[ns-headers]]
== Security HTTP Response Headers = Security HTTP Response Headers
This section discusses Spring Security's support for adding various security headers to the response. This section discusses Spring Security's support for adding various security headers to the response.
=== Default Security Headers == Default Security Headers
Spring Security allows users to easily inject the default security headers to assist in protecting their application. Spring Security allows users to easily inject the default security headers to assist in protecting their application.
The default for Spring Security is to include the following headers: The default for Spring Security is to include the following headers:
@ -157,7 +157,7 @@ If necessary, you can disable all of the HTTP Security response headers with the
---- ----
[[headers-cache-control]] [[headers-cache-control]]
=== Cache Control == Cache Control
In the past Spring Security required you to provide your own cache control for your web application. In the past Spring Security required you to provide your own cache control for your web application.
This seemed reasonable at the time, but browser caches have evolved to include caches for secure connections as well. This seemed reasonable at the time, but browser caches have evolved to include caches for secure connections as well.
This means that a user may view an authenticated page, log out, and then a malicious user can use the browser history to view the cached page. This means that a user may view an authenticated page, log out, and then a malicious user can use the browser history to view the cached page.
@ -229,17 +229,17 @@ public class WebMvcConfiguration implements WebMvcConfigurer {
---- ----
[[headers-content-type-options]] [[headers-content-type-options]]
=== Content Type Options == Content Type Options
Historically browsers, including Internet Explorer, would try to guess the content type of a request using https://en.wikipedia.org/wiki/Content_sniffing[content sniffing]. Historically browsers, including Internet Explorer, would try to guess the content type of a request using https://en.wikipedia.org/wiki/Content_sniffing[content sniffing].
This allowed browsers to improve the user experience by guessing the content type on resources that had not specified the content type. This allowed browsers to improve the user experience by guessing the content type on resources that had not specified the content type.
For example, if a browser encountered a JavaScript file that did not have the content type specified, it would be able to guess the content type and then execute it. For example, if a browser encountered a JavaScript file that did not have the content type specified, it would be able to guess the content type and then execute it.
[NOTE] [NOTE]
==== ===
There are many additional things one should do (i.e. only display the document in a distinct domain, ensure Content-Type header is set, sanitize the document, etc) when allowing content to be uploaded. There are many additional things one should do (i.e. only display the document in a distinct domain, ensure Content-Type header is set, sanitize the document, etc) when allowing content to be uploaded.
However, these measures are out of the scope of what Spring Security provides. However, these measures are out of the scope of what Spring Security provides.
It is also important to point out when disabling content sniffing, you must specify the content type in order for things to work properly. It is also important to point out when disabling content sniffing, you must specify the content type in order for things to work properly.
==== ===
The problem with content sniffing is that this allowed malicious users to use polyglots (i.e. a file that is valid as multiple content types) to execute XSS attacks. The problem with content sniffing is that this allowed malicious users to use polyglots (i.e. a file that is valid as multiple content types) to execute XSS attacks.
For example, some sites may allow users to submit a valid postscript document to a website and view it. For example, some sites may allow users to submit a valid postscript document to a website and view it.
@ -289,7 +289,7 @@ WebSecurityConfigurerAdapter {
---- ----
[[headers-hsts]] [[headers-hsts]]
=== HTTP Strict Transport Security (HSTS) == HTTP Strict Transport Security (HSTS)
When you type in your bank's website, do you enter mybank.example.com or do you enter https://mybank.example.com[]? If you omit the https protocol, you are potentially vulnerable to https://en.wikipedia.org/wiki/Man-in-the-middle_attack[Man in the Middle attacks]. When you type in your bank's website, do you enter mybank.example.com or do you enter https://mybank.example.com[]? If you omit the https protocol, you are potentially vulnerable to https://en.wikipedia.org/wiki/Man-in-the-middle_attack[Man in the Middle attacks].
Even if the website performs a redirect to https://mybank.example.com a malicious user could intercept the initial HTTP request and manipulate the response (i.e. redirect to https://mibank.example.com and steal their credentials). Even if the website performs a redirect to https://mybank.example.com a malicious user could intercept the initial HTTP request and manipulate the response (i.e. redirect to https://mibank.example.com and steal their credentials).
@ -298,10 +298,10 @@ Once mybank.example.com is added as a https://tools.ietf.org/html/rfc6797#sectio
This greatly reduces the possibility of a Man in the Middle attack occurring. This greatly reduces the possibility of a Man in the Middle attack occurring.
[NOTE] [NOTE]
==== ===
In accordance with https://tools.ietf.org/html/rfc6797#section-7.2[RFC6797], the HSTS header is only injected into HTTPS responses. In accordance with https://tools.ietf.org/html/rfc6797#section-7.2[RFC6797], the HSTS header is only injected into HTTPS responses.
In order for the browser to acknowledge the header, the browser must first trust the CA that signed the SSL certificate used to make the connection (not just the SSL certificate). In order for the browser to acknowledge the header, the browser must first trust the CA that signed the SSL certificate used to make the connection (not just the SSL certificate).
==== ===
One way for a site to be marked as a HSTS host is to have the host preloaded into the browser. One way for a site to be marked as a HSTS host is to have the host preloaded into the browser.
Another is to add the "Strict-Transport-Security" header to the response. Another is to add the "Strict-Transport-Security" header to the response.
@ -359,7 +359,7 @@ WebSecurityConfigurerAdapter {
---- ----
[[headers-hpkp]] [[headers-hpkp]]
=== HTTP Public Key Pinning (HPKP) == HTTP Public Key Pinning (HPKP)
HTTP Public Key Pinning (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to prevent Man in the Middle (MITM) attacks with forged certificates. HTTP Public Key Pinning (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to prevent Man in the Middle (MITM) attacks with forged certificates.
To ensure the authenticity of a server's public key used in TLS sessions, this public key is wrapped into a X.509 certificate which is usually signed by a certificate authority (CA). To ensure the authenticity of a server's public key used in TLS sessions, this public key is wrapped into a X.509 certificate which is usually signed by a certificate authority (CA).
@ -372,9 +372,9 @@ When the client visits the server again, it expects a certificate containing a p
If the server delivers an unknown public key, the client should present a warning to the user. If the server delivers an unknown public key, the client should present a warning to the user.
[NOTE] [NOTE]
==== ===
Because the user-agent needs to validate the pins against the SSL certificate chain, the HPKP header is only injected into HTTPS responses. Because the user-agent needs to validate the pins against the SSL certificate chain, the HPKP header is only injected into HTTPS responses.
==== ===
Enabling this feature for your site is as simple as returning the Public-Key-Pins HTTP header when your site is accessed over HTTPS. Enabling this feature for your site is as simple as returning the Public-Key-Pins HTTP header when your site is accessed over HTTPS.
For example, the following would instruct the user-agent to only report pin validation failures to a given URI (via the https://tools.ietf.org/html/rfc7469#section-2.1.4[*_report-uri_*] directive) for 2 pins: For example, the following would instruct the user-agent to only report pin validation failures to a given URI (via the https://tools.ietf.org/html/rfc7469#section-2.1.4[*_report-uri_*] directive) for 2 pins:
@ -435,16 +435,16 @@ WebSecurityConfigurerAdapter {
---- ----
[[headers-frame-options]] [[headers-frame-options]]
=== X-Frame-Options == X-Frame-Options
Allowing your website to be added to a frame can be a security issue. Allowing your website to be added to a frame can be a security issue.
For example, using clever CSS styling users could be tricked into clicking on something that they were not intending (https://www.youtube.com/watch?v=3mk0RySeNsU[video demo]). For example, using clever CSS styling users could be tricked into clicking on something that they were not intending (https://www.youtube.com/watch?v=3mk0RySeNsU[video demo]).
For example, a user that is logged into their bank might click a button that grants access to other users. For example, a user that is logged into their bank might click a button that grants access to other users.
This sort of attack is known as https://en.wikipedia.org/wiki/Clickjacking[Clickjacking]. This sort of attack is known as https://en.wikipedia.org/wiki/Clickjacking[Clickjacking].
[NOTE] [NOTE]
==== ===
Another modern approach to dealing with clickjacking is to use <<headers-csp>>. Another modern approach to dealing with clickjacking is to use <<headers-csp>>.
==== ===
There are a number ways to mitigate clickjacking attacks. There are a number ways to mitigate clickjacking attacks.
For example, to protect legacy browsers from clickjacking attacks you can use https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Best-for-now_Legacy_Browser_Frame_Breaking_Script[frame breaking code]. For example, to protect legacy browsers from clickjacking attacks you can use https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Best-for-now_Legacy_Browser_Frame_Breaking_Script[frame breaking code].
@ -499,7 +499,7 @@ WebSecurityConfigurerAdapter {
---- ----
[[headers-xss-protection]] [[headers-xss-protection]]
=== X-XSS-Protection == X-XSS-Protection
Some browsers have built in support for filtering out https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OWASP-DV-001)[reflected XSS attacks]. Some browsers have built in support for filtering out https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OWASP-DV-001)[reflected XSS attacks].
This is by no means foolproof, but does assist in XSS protection. This is by no means foolproof, but does assist in XSS protection.
@ -553,17 +553,17 @@ WebSecurityConfigurerAdapter {
---- ----
[[headers-csp]] [[headers-csp]]
=== Content Security Policy (CSP) == Content Security Policy (CSP)
https://www.w3.org/TR/CSP2/[Content Security Policy (CSP)] is a mechanism that web applications can leverage to mitigate content injection vulnerabilities, such as cross-site scripting (XSS). https://www.w3.org/TR/CSP2/[Content Security Policy (CSP)] is a mechanism that web applications can leverage to mitigate content injection vulnerabilities, such as cross-site scripting (XSS).
CSP is a declarative policy that provides a facility for web application authors to declare and ultimately inform the client (user-agent) about the sources from which the web application expects to load resources. CSP is a declarative policy that provides a facility for web application authors to declare and ultimately inform the client (user-agent) about the sources from which the web application expects to load resources.
[NOTE] [NOTE]
==== ===
Content Security Policy is not intended to solve all content injection vulnerabilities. Content Security Policy is not intended to solve all content injection vulnerabilities.
Instead, CSP can be leveraged to help reduce the harm caused by content injection attacks. Instead, CSP can be leveraged to help reduce the harm caused by content injection attacks.
As a first line of defense, web application authors should validate their input and encode their output. As a first line of defense, web application authors should validate their input and encode their output.
==== ===
A web application may employ the use of CSP by including one of the following HTTP headers in the response: A web application may employ the use of CSP by including one of the following HTTP headers in the response:
@ -606,7 +606,7 @@ Content-Security-Policy-Report-Only: script-src 'self' https://trustedscripts.ex
If the site violates this policy, by attempting to load a script from _evil.com_, the user-agent will send a violation report to the declared URL specified by the _report-uri_ directive, but still allow the violating resource to load nevertheless. If the site violates this policy, by attempting to load a script from _evil.com_, the user-agent will send a violation report to the declared URL specified by the _report-uri_ directive, but still allow the violating resource to load nevertheless.
[[headers-csp-configure]] [[headers-csp-configure]]
==== Configuring Content Security Policy === Configuring Content Security Policy
It's important to note that Spring Security *_does not add_* Content Security Policy by default. It's important to note that Spring Security *_does not add_* Content Security Policy by default.
The web application author must declare the security policy(s) to enforce and/or monitor for the protected resources. The web application author must declare the security policy(s) to enforce and/or monitor for the protected resources.
@ -695,7 +695,7 @@ WebSecurityConfigurerAdapter {
---- ----
[[headers-csp-links]] [[headers-csp-links]]
==== Additional Resources === Additional Resources
Applying Content Security Policy to a web application is often a non-trivial undertaking. Applying Content Security Policy to a web application is often a non-trivial undertaking.
The following resources may provide further assistance in developing effective security policies for your site. The following resources may provide further assistance in developing effective security policies for your site.
@ -707,7 +707,7 @@ https://developer.mozilla.org/en-US/docs/Web/Security/CSP[CSP Guide - Mozilla De
https://www.w3.org/TR/CSP2/[W3C Candidate Recommendation] https://www.w3.org/TR/CSP2/[W3C Candidate Recommendation]
[[headers-referrer]] [[headers-referrer]]
=== Referrer Policy == Referrer Policy
https://www.w3.org/TR/referrer-policy[Referrer Policy] is a mechanism that web applications can leverage to manage the referrer field, which contains the last https://www.w3.org/TR/referrer-policy[Referrer Policy] is a mechanism that web applications can leverage to manage the referrer field, which contains the last
page the user was on. page the user was on.
@ -722,7 +722,7 @@ Referrer-Policy: same-origin
The Referrer-Policy response header instructs the browser to let the destination knows the source where the user was previously. The Referrer-Policy response header instructs the browser to let the destination knows the source where the user was previously.
[[headers-referrer-configure]] [[headers-referrer-configure]]
==== Configuring Referrer Policy === Configuring Referrer Policy
Spring Security *_doesn't add_* Referrer Policy header by default. Spring Security *_doesn't add_* Referrer Policy header by default.
@ -764,7 +764,7 @@ WebSecurityConfigurerAdapter {
[[headers-feature]] [[headers-feature]]
=== Feature Policy == Feature Policy
https://wicg.github.io/feature-policy/[Feature Policy] is a mechanism that allows web developers to selectively enable, disable, and modify the behavior of certain APIs and web features in the browser. https://wicg.github.io/feature-policy/[Feature Policy] is a mechanism that allows web developers to selectively enable, disable, and modify the behavior of certain APIs and web features in the browser.
@ -777,7 +777,7 @@ With Feature Policy, developers can opt-in to a set of "policies" for the browse
These policies restrict what APIs the site can access or modify the browser's default behavior for certain features. These policies restrict what APIs the site can access or modify the browser's default behavior for certain features.
[[headers-feature-configure]] [[headers-feature-configure]]
==== Configuring Feature Policy === Configuring Feature Policy
Spring Security *_doesn't add_* Feature Policy header by default. Spring Security *_doesn't add_* Feature Policy header by default.
@ -815,7 +815,7 @@ WebSecurityConfigurerAdapter {
---- ----
[[headers-clearsitedata]] [[headers-clearsitedata]]
=== Clear Site Data == Clear Site Data
https://www.w3.org/TR/clear-site-data/[Clear Site Data] is a mechanism by which any browser-side data - cookies, local storage, and the like - can be removed when an HTTP response contains this header: https://www.w3.org/TR/clear-site-data/[Clear Site Data] is a mechanism by which any browser-side data - cookies, local storage, and the like - can be removed when an HTTP response contains this header:
@ -827,7 +827,7 @@ Clear-Site-Data: "cache", "cookies", "storage", "executionContexts"
This is a nice clean-up action to perform on logout. This is a nice clean-up action to perform on logout.
[[headers-clearsitedata-configure]] [[headers-clearsitedata-configure]]
==== Configuring Clear Site Data === Configuring Clear Site Data
Spring Security *_doesn't add_* the Clear Site Data header by default. Spring Security *_doesn't add_* the Clear Site Data header by default.
@ -854,12 +854,12 @@ It's not recommended that you configure this header writer via the `headers()` d
The reason for this is that any session state, say the `JSESSIONID` cookie, would be removed, effectively logging the user out. The reason for this is that any session state, say the `JSESSIONID` cookie, would be removed, effectively logging the user out.
[[headers-custom]] [[headers-custom]]
=== Custom Headers == Custom Headers
Spring Security has mechanisms to make it convenient to add the more common security headers to your application. Spring Security has mechanisms to make it convenient to add the more common security headers to your application.
However, it also provides hooks to enable adding custom headers. However, it also provides hooks to enable adding custom headers.
[[headers-static]] [[headers-static]]
==== Static Headers === Static Headers
There may be times you wish to inject custom security headers into your application that are not supported out of the box. There may be times you wish to inject custom security headers into your application that are not supported out of the box.
For example, given the following custom security header: For example, given the following custom security header:
@ -902,7 +902,7 @@ WebSecurityConfigurerAdapter {
---- ----
[[headers-writer]] [[headers-writer]]
==== Headers Writer === Headers Writer
When the namespace or Java configuration does not support the headers you want, you can create a custom `HeadersWriter` instance or even provide a custom implementation of the `HeadersWriter`. When the namespace or Java configuration does not support the headers you want, you can create a custom `HeadersWriter` instance or even provide a custom implementation of the `HeadersWriter`.
Let's take a look at an example of using an custom instance of `XFrameOptionsHeaderWriter`. Let's take a look at an example of using an custom instance of `XFrameOptionsHeaderWriter`.
@ -951,7 +951,7 @@ WebSecurityConfigurerAdapter {
[[headers-delegatingrequestmatcherheaderwriter]] [[headers-delegatingrequestmatcherheaderwriter]]
==== DelegatingRequestMatcherHeaderWriter === DelegatingRequestMatcherHeaderWriter
At times you may want to only write a header for certain requests. At times you may want to only write a header for certain requests.
For example, perhaps you want to only protect your log in page from being framed. For example, perhaps you want to only protect your log in page from being framed.
You could use the `DelegatingRequestMatcherHeaderWriter` to do so. You could use the `DelegatingRequestMatcherHeaderWriter` to do so.