Solving Cross-Site Scripting (XSS) and clickjacking attacks

The difference between cross-site scripting attacks and CSRF or session fixation is the presence of an injected third-party JavaScript or other malicious script in XSS, whose objective is to sniff form transactions and perform exploits. Clickjacking is another attack, which uses frames to inject exploits on a specific part of a page; the X-Frame-Options response header controls whether a page may be framed at all.

Aside from properly escaping or encoding HTML properties, outgoing header variables must be sanitized to avoid XSS and clickjacking attacks. This recipe will highlight how Spring Security 4.2.2 can help shield all the outgoing headers from malicious attacks.
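
As an added illustration (not the book's own recipe code), this is how the response headers relevant to XSS and clickjacking can be set with the Spring Security 4.2 Java configuration API. The class name `HeaderSecurityConfig`, the authorization rules and the Content-Security-Policy string are assumptions chosen for the example.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical configuration class; names and policy values are assumptions.
@Configuration
@EnableWebSecurity
public class HeaderSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .headers()
                // Clickjacking: emit "X-Frame-Options: SAMEORIGIN" so only pages
                // from the same origin may frame this application. The default
                // is DENY; the weak setting to avoid is .frameOptions().disable(),
                // which drops the header and lets any site frame the page.
                .frameOptions().sameOrigin()
                // XSS filter hint for older browsers:
                // "X-XSS-Protection: 1; mode=block"
                .xssProtection().xssProtectionEnabled(true).block(true).and()
                // "X-Content-Type-Options: nosniff" stops the browser from
                // reinterpreting an uploaded or reflected response as script.
                .contentTypeOptions().and()
                // Restrict script sources and framing in browsers that support
                // CSP (example policy, tune it for the real application).
                .contentSecurityPolicy(
                    "default-src 'self'; script-src 'self'; frame-ancestors 'self'");
    }
}
```

Calling `.headers().disable()` would remove all of these headers, so an existing configuration is worth checking for that call before adding individual header settings.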
