Spring security 中的 Xss 保护是否默认启用? [英] Is Xss protection in Spring security enabled by default?

问题描述

我想在我的应用程序中启用 Spring Security XSS 保护.

1) 阅读文档和博客，以及 https://spring.io/blog/2013/08/23/spring-security-3-2-0-rc1-highlights-security-headers/ 表示存在 XSS默认

2) 和 http://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html 表示它默认不存在

3) 如果我在扩展 WebSecurityConfigurerAdapter 的类的配置方法中使用 http.headers().xssProtection():这是否禁用了所有其他默认标头?

解决方案

除非您专门包含以下代码以禁用默认值，否则默认值不会被禁用.

http.headers().defaultsDisabled()

Reg point 1 and 2，我的理解是 blog 和 doc 有相同的信息.

X-XSS-Protection: 1;模式=块

<块引用>

过滤(过滤掉XSS攻击)通常默认开启，所以添加header通常只是确保它已启用并指示浏览器要做什么检测到 XSS 攻击时执行.

I want to enable Spring Security XSS protection in my application.

1) Read docs and blogs, and https://spring.io/blog/2013/08/23/spring-security-3-2-0-rc1-highlights-security-headers/ indicates XSS is there by default

2) And http://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html indicates it is not there by default

3) If I use http.headers().xssProtection() in my configure method in an class extending WebSecurityConfigurerAdapter: does that disable all the other default headers?

解决方案

The defaults wouldn't be disabled until you specifically include the below code to disable the default.

http.headers().defaultsDisabled()

Reg point 1 and 2, my understanding is both blog and doc have the same information.

X-XSS-Protection: 1; mode=block

The filtering (filtering out XSS attacks) is typically enabled by default, so adding the header typically just ensures it is enabled and instructs the browser what to do when a XSS attack is detected.

这篇关于Spring security 中的 Xss 保护是否默认启用?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！