Is XSS protection in Spring Security enabled by default?
Problem description
I want to enable Spring Security XSS protection in my application.
1) Read docs and blogs, and https://spring.io/blog/2013/08/23/spring-security-3-2-0-rc1-highlights-security-headers/ indicates XSS is there by default
2) And http://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html indicates it is not there by default
3) If I use http.headers().xssProtection() in my configure method in a class extending WebSecurityConfigurerAdapter: does that disable all the other default headers?

The defaults wouldn't be disabled until you specifically include the below code to disable the default.
http.headers().defaultsDisabled()
Regarding points 1 and 2, my understanding is both blog and doc have the same information.
X-XSS-Protection: 1; mode=block
> The filtering (filtering out XSS attacks) is typically enabled by default, so adding the header typically just ensures it is enabled and instructs the browser what to do when an XSS attack is detected.
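The two situations the answer describes, as an added example that is not part of the original question or answer: one configuration keeps Spring Security's default header set and only tunes X-XSS-Protection, the other calls defaultsDisabled() and must therefore list every header it wants explicitly. It assumes Spring Security 5.x, where WebSecurityConfigurerAdapter and the xssProtection().block(true) DSL exist (both were deprecated later in favour of a SecurityFilterChain bean and headerValue(...)). The class names are made up for the example, and only one of the two classes should be active in a real application.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Variant A (hypothetical name): the default header set stays in place.
// Calling xssProtection() only customises that one writer; Cache-Control,
// X-Content-Type-Options, X-Frame-Options and (on HTTPS) Strict-Transport-Security
// are still emitted by Spring Security's HeaderWriterFilter.
@Configuration
@EnableWebSecurity
public class KeepDefaultHeadersConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .headers()
                .xssProtection()
                    .block(true);   // writes: X-XSS-Protection: 1; mode=block
    }
}

// Variant B (hypothetical name): defaultsDisabled() removes every default
// writer, so nothing is sent unless it is re-enabled here one by one.
// Forgetting a line in this block silently drops that header.
@Configuration
@EnableWebSecurity
class ExplicitHeadersConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .headers()
                .defaultsDisabled()
                .contentTypeOptions()             // X-Content-Type-Options: nosniff
                .and()
                .frameOptions().deny()            // X-Frame-Options: DENY
                .xssProtection().block(true)      // X-XSS-Protection: 1; mode=block
                .and()
                .contentSecurityPolicy("default-src 'self'"); // Content-Security-Policy
    }
}
```

A quick way to confirm which variant is in effect is to request any secured URL with curl -i and compare the response headers against the comments above. Note that X-XSS-Protection drives a browser-side filter that current Chromium-based browsers and Firefox no longer implement, so the header is harmless but not a real mitigation; a Content-Security-Policy plus proper output encoding in templates is what actually limits script injection.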