To prevent XSS attacks in our form transactions:
- Let's create a new security model that switches on the response-header writers built into the Spring Security 4.2.2 framework (the header-based XSS and clickjacking defences come with the framework; nothing has to be hand-rolled):

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

@Configuration
@EnableWebSecurity
public class AppSecurityModelI extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // refer to sources
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // refer to sources
        // CSRF protection is switched off for this recipe; it is a separate
        // defence from the XSS headers below and does not affect them.
        http.csrf().disable();
        http.headers()
            // Start with no headers at all, then enable each writer explicitly.
            .defaultsDisabled()
            // Cache-Control: no-cache, no-store, max-age=0, must-revalidate
            .cacheControl().and()
            // Strict-Transport-Security (written only on HTTPS requests)
            .httpStrictTransportSecurity().and()
            // Drops X-Content-Type-Options: nosniff. This weakens the XSS
            // defence (browsers may sniff uploads as HTML); keep the writer
            // with .contentTypeOptions().and() unless a client needs sniffing.
            .contentTypeOptions().disable()
            // X-Frame-Options: DENY (clickjacking defence)
            .frameOptions().deny()
            // Content-Security-Policy restricting every resource type to this
            // origin. The standard header name is Content-Security-Policy
            // (browsers ignore the old X- prefixed form), and 'self' is the
            // CSP keyword for the page's own origin.
            .addHeaderWriter(new StaticHeadersWriter(
                "Content-Security-Policy", "default-src 'self'"));
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        // refer to sources
    }
}
```
- Save all files, then clean, compile, and deploy the ch04 project.
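The recipe above shows the mechanism; the following is an added example, not code from the book or the ch04 project, of the same header configuration hardened the way a reviewer would ask for (CSRF left on, `nosniff` kept, HSTS covering subdomains, CSP emitted through Spring Security's own `contentSecurityPolicy()` configurer available since 4.1), together with a MockMvc test that proves the headers actually reach the response. The class names `HardenedHeadersConfig` and `HardenedHeadersConfigTest`, the `src/main` and `src/test` layout, and the dependency on `spring-security-test` and JUnit 4 are assumptions; the page does not show them.

```java
// --- src/main/java/.../HardenedHeadersConfig.java (assumed location) ---
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class HardenedHeadersConfig extends WebSecurityConfigurerAdapter {

    // Single source of truth for the policy so the test can assert the exact value.
    public static final String CSP = "default-src 'self'; object-src 'none'; frame-ancestors 'none'";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF stays enabled: disabling it does nothing against XSS.
            .csrf().and()
            .headers()
                .defaultsDisabled()
                // Cache-Control/Pragma/Expires so authenticated pages are not cached.
                .cacheControl().and()
                // HSTS for one year, including subdomains, so no plain-HTTP
                // subdomain can leak cookies scoped to the apex domain.
                .httpStrictTransportSecurity()
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000).and()
                // X-Content-Type-Options: nosniff kept; it blocks MIME sniffing
                // of uploaded "images" into executable HTML.
                .contentTypeOptions().and()
                // X-Frame-Options: DENY
                .frameOptions().deny()
                // X-XSS-Protection: 1; mode=block for older browsers.
                .xssProtection().block(true).and()
                // Standard Content-Security-Policy header via the built-in writer.
                .contentSecurityPolicy(CSP);
    }
}

// --- src/test/java/.../HardenedHeadersConfigTest.java (separate file, assumed) ---
import static org.hamcrest.Matchers.containsString;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

@RunWith(SpringRunner.class)
@WebAppConfiguration
@ContextConfiguration(classes = HardenedHeadersConfig.class)
public class HardenedHeadersConfigTest {

    @Autowired
    private WebApplicationContext context;
    private MockMvc mvc;

    @Before
    public void setUp() {
        // springSecurity() wires the springSecurityFilterChain bean into MockMvc.
        mvc = MockMvcBuilders.webAppContextSetup(context).apply(springSecurity()).build();
    }

    @Test
    public void securityHeadersReachTheResponse() throws Exception {
        // secure(true) simulates HTTPS; HSTS is only written on secure requests.
        mvc.perform(get("/").secure(true))
            .andExpect(header().string("X-Frame-Options", "DENY"))
            .andExpect(header().string("X-Content-Type-Options", "nosniff"))
            .andExpect(header().string("X-XSS-Protection", "1; mode=block"))
            .andExpect(header().string("Content-Security-Policy", HardenedHeadersConfig.CSP))
            .andExpect(header().string("Cache-Control", containsString("no-store")))
            .andExpect(header().string("Strict-Transport-Security", containsString("includeSubDomains")));
    }
}
```

The test deliberately checks the response rather than the configuration object: a header that is configured but never written (for example HSTS on a plain-HTTP request, or a CSP silently dropped by a proxy in front of the app) is exactly the failure this kind of check catches.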