
XSS protection should be set to 0 by default per updated OWASP recommendation #9631

Closed
candrews opened this issue Apr 13, 2021 · 3 comments
Assignees: rwinch
Labels: in: web (An issue in web modules (web, webmvc)); type: breaks-passivity (A change that breaks passivity with the previous release); type: enhancement (A general enhancement)
Milestone: 6.x

Comments

@candrews (Contributor)

Expected Behavior

By default, Spring Security should send this HTTP header:
X-XSS-Protection: 0

Current Behavior

By default, Spring Security sends this HTTP header:
X-XSS-Protection: 1; mode=block

Context
OWASP has updated its recommendation regarding the X-XSS-Protection HTTP header.

OWASP used to recommend the header be set to 1; mode=block, which is what Spring Security does by default today. See https://docs.spring.io/spring-security/site/docs/current/reference/html5/#headers-xss-protection

However, they now recommend the header be set to 0.

See OWASP/CheatSheetSeries#376

@candrews candrews added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Apr 13, 2021
@candrews candrews changed the title from "XSS protection should be disabled by default per update OWASP recommendation" to "XSS protection should be disabled by default per updated OWASP recommendation" Apr 13, 2021
@rwinch rwinch added this to the 6.x milestone Apr 13, 2021
@rwinch rwinch added in: web An issue in web modules (web, webmvc) type: breaks-passivity A change that breaks passivity with the previous release and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 13, 2021
@rwinch (Member) commented Apr 13, 2021

Thanks for the report. Given this breaks passivity, I've assigned it for the 6.x release

@blacelle

While this can be easily configured in HeadersConfigurer.xssProtection():

.xssProtection()
.xssProtectionEnabled(false)

It is more complicated with ServerHttpSecurity.HeaderSpec.xssProtection(), as the header can only be removed (instead of being configured to 0, the recommended value).

@rwinch rwinch changed the title from "XSS protection should be disabled by default per updated OWASP recommendation" to "XSS protection should be set to 0 by default per updated OWASP recommendation" Jun 6, 2022
@rwinch rwinch self-assigned this Jun 14, 2022
@Kehrlann (Contributor)

Hey there 👋 I'm interested in picking this one up.

Kehrlann added a commit to Kehrlann/spring-security that referenced this issue Sep 30, 2022
OWASP recommends using "X-Xss-Protection: 0". The default is currently
"X-Xss-Protection: 1; mode=block". In 6.0, the default will be "0".

This commit adds the ability to configure the xssProtection header
value in ServerHttpSecurity.

This commit deprecates the use of "enabled" and "block" booleans to
configure XSS protection, as the state "!enabled + block" is invalid.
This impacts HttpSecurity.

Issue spring-projectsgh-9631
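As an added example (not code from this issue, nor Spring Security's own sources), here is the explicit configuration for both stacks so that `X-XSS-Protection: 0` is sent regardless of which default your version ships. It assumes the 6.0-era API described in the commit message above: a `headerValue(...)` call on the xssProtection customizer, taking `XXssProtectionHeaderWriter.HeaderValue.DISABLED` on the servlet side and `XXssProtectionServerHttpHeadersWriter.HeaderValue.DISABLED` on the reactive side; confirm those names against the release you run. The two configuration classes belong to a servlet application and a WebFlux application respectively and are shown together only for comparison.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.header.XXssProtectionServerHttpHeadersWriter;

// Servlet stack (Spring MVC), configured through HttpSecurity.
// Assumed API: HeadersConfigurer.XXssConfig#headerValue(HeaderValue), available
// from 6.0. On 5.x only the xssProtectionEnabled/block booleans exist, and the
// default there is still "1; mode=block", so set the value explicitly.
@Configuration
@EnableWebSecurity
public class ServletXssHeaderConfig {

    @Bean
    SecurityFilterChain servletChain(HttpSecurity http) throws Exception {
        http.headers(headers -> headers
            .xssProtection(xss -> xss
                // Emit "X-XSS-Protection: 0" (OWASP's current recommendation)
                // instead of relying on the version-dependent default.
                .headerValue(XXssProtectionHeaderWriter.HeaderValue.DISABLED)));
        return http.build();
    }
}

// Reactive stack (WebFlux), configured through ServerHttpSecurity.
// Assumed API: HeaderSpec.XssProtectionSpec#headerValue(HeaderValue), added for
// 6.0. Before that, the reactive HeaderSpec could only remove the header
// entirely (see the comment in the issue above), which is not the same as
// sending the explicit value "0".
@Configuration
@EnableWebFluxSecurity
class ReactiveXssHeaderConfig {

    @Bean
    SecurityWebFilterChain reactiveChain(ServerHttpSecurity http) {
        http.headers(headers -> headers
            .xssProtection(xss -> xss
                .headerValue(XXssProtectionServerHttpHeadersWriter.HeaderValue.DISABLED)));
        return http.build();
    }
}
```

To check the result on a running instance: `curl -sI http://localhost:8080/ | grep -i '^x-xss-protection'` should print `x-xss-protection: 0`. No line at all means the header was removed rather than set, which is what the older reactive configuration could do and not what the OWASP recommendation asks for; `1; mode=block` means the old default is still in effect.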
sjohnr pushed a commit that referenced this issue Sep 30, 2022
Kehrlann added a commit to Kehrlann/spring-security that referenced this issue Oct 3, 2022
sjohnr pushed a commit that referenced this issue Oct 3, 2022
sjohnr added a commit that referenced this issue Oct 3, 2022