How to do it...

To prevent XSS attacks in our form transactions:

  1. Let's create a new security model that configures the HTTP response security headers, a feature built into the Spring Security 4.2.2 framework:
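import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

@Configuration
@EnableWebSecurity
public class AppSecurityModelI extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    // refer to sources
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {

    // refer to sources

    http.csrf().disable();

    // Turn off Spring Security's default header set and opt in header by header.
    http.headers().defaultsDisabled()
        .cacheControl()                         // Cache-Control, Pragma, Expires
        .and().httpStrictTransportSecurity()    // Strict-Transport-Security (HTTPS responses only)
        .and().contentTypeOptions().disable()   // X-Content-Type-Options: nosniff is not sent
        .frameOptions().deny()                  // X-Frame-Options: DENY
        // X-Content-Security-Policy is the legacy, prefixed CSP header name, and
        // 'auth' is not a keyword defined by CSP ('self' and 'none' are).
        .addHeaderWriter(
            new StaticHeadersWriter(
                "X-Content-Security-Policy",
                "default-src 'auth'"));
  }

  @Override
  public void configure(WebSecurity web) throws Exception {
    // refer to sources
  }
}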
  2. Save all files. Then clean, compile, and deploy the ch04 project.
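
For comparison, here is an added example (not code from the book or its sources) of the same header chain using only the writers built into Spring Security 4.2, with the XSS filter and `nosniff` headers switched on and the standard `Content-Security-Policy` header name. The class name `XssHeadersExampleConfig`, the authorization rule and the policy string are assumptions chosen for illustration; it stands in for `AppSecurityModelI` rather than being registered next to it.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical class name: an illustrative replacement for AppSecurityModelI.
@Configuration
@EnableWebSecurity
public class XssHeadersExampleConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // Placeholder access rule (assumption); the recipe's own rules are in its sources.
    http.authorizeRequests().anyRequest().authenticated()
        .and().formLogin();

    http.headers()
        // Drop the default header set so every header below is an explicit choice.
        .defaultsDisabled()
        // Cache-Control: no-cache, no-store, max-age=0, must-revalidate (+ Pragma, Expires)
        .cacheControl().and()
        // Strict-Transport-Security, written only for requests that arrive over HTTPS
        .httpStrictTransportSecurity().and()
        // X-Content-Type-Options: nosniff, so uploads and JSON are not sniffed as HTML
        .contentTypeOptions().and()
        // X-XSS-Protection: 1; mode=block, for browsers that still ship an XSS filter
        .xssProtection().block(true).and()
        // X-Frame-Options: DENY, the clickjacking control the recipe already sets
        .frameOptions().deny()
        // Content-Security-Policy under its standard name; the policy value is an
        // assumption: same-origin resources only, no plugins, no inline script.
        .contentSecurityPolicy(
            "default-src 'self'; script-src 'self'; object-src 'none'");
  }
}
```

After deployment, `curl -I` against any page of the application shows whether each header in the comments is present on the response.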