When using Spring Security, the following headers are added to the response by default.

```http
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
```
Strict-Transport-Security is added only for HTTPS. Cache-Control, Pragma and Expires are all set so that the browser does not cache the response.

If a page that cannot be viewed without logging in were cached, a malicious user could read the information that should be protected from the cache left on the local machine, even after the user has logged out. That is why caching is disabled with these headers.
X-Content-Type-Options: nosniff

Some web browsers try to determine the type of a file by inspecting its contents instead of trusting the Content-Type header. This is called content sniffing.
When it is enabled, there is a risk that the browser will execute malicious code[^1] contained in a file.

[^1]: For example, an image file with embedded JavaScript code that leads to XSS.

If this header (X-Content-Type-Options: nosniff) is set in the response, the browser will not guess the file type on its own (IE supports it from version 8 onward).
Strict-Transport-Security

This header is set by default only for HTTPS communication.

Suppose you access a site by omitting the protocol and typing only the host name, such as xxx.com/xxxx, into the browser's URL field. Normally the browser completes this URL with HTTP and sends the request that way. Some sites redirect to HTTPS when an HTTP request arrives. However, since the first request is sent over HTTP, there is a risk of a [man-in-the-middle attack](http://www.weblio.jp/content/%E4%B8%AD%E9%96%93%E8%80%85%E6%94%BB%E6%92%83).

With the Strict-Transport-Security header, the browser learns that "this host must be reached over HTTPS". From then on, even if you omit the protocol when entering the URL, the browser automatically uses HTTPS.

However, since this is a response header, the site must be reached over HTTPS at least once before it takes effect. Naturally, if the very first access is made over HTTP, that exchange is still vulnerable. (This is apparently called TOFU, Trust On First Use.)
The parameters of this header can be specified as follows, with the namespace or with Java Configuration.

namespace

applicationContext.xml

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       ...>
    ...
    <sec:http>
        ...
        <sec:headers>
            <sec:hsts max-age-seconds="60"
                      include-subdomains="false" />
        </sec:headers>
    </sec:http>
    ...
</beans>
```

- Add a <headers> tag under <http>, then a <hsts> tag under that to control the header.
- hsts stands for HTTP Strict Transport Security.
- max-age-seconds sets max-age, and include-subdomains sets includeSubDomains.
- Refer to the explanation of Strict-Transport-Security above for the meaning of the parameters.
Java Configuration

MySpringSecurityConfig.java

```java
package sample.spring.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import java.util.Collections;

@EnableWebSecurity
@ComponentScan
public class MySpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            ...
            .headers()
                .httpStrictTransportSecurity()
                    .maxAgeInSeconds(60)
                    .includeSubDomains(false);
    }

    ...
}
```

- You can start configuring Strict-Transport-Security with .headers().httpStrictTransportSecurity().
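The two claims above (the header is written only for HTTPS, and the configured max-age is what gets sent) can be checked with a MockMvc test. This is an added example, not code from the original article; it assumes JUnit 4 and spring-security-test on the classpath, the MySpringSecurityConfig shown above with maxAgeInSeconds(60) and includeSubDomains(false), and the class name HstsHeaderTest is made up for the example.

```java
package sample.spring.security;

import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

// Added example: verifies the HSTS behaviour of the page's MySpringSecurityConfig.
@RunWith(SpringJUnit4ClassRunner.class)
@WebAppConfiguration
@ContextConfiguration(classes = MySpringSecurityConfig.class)
public class HstsHeaderTest {

    @Autowired
    private WebApplicationContext context;

    private MockMvc mvc;

    @Before
    public void setUp() {
        // springSecurity() installs the springSecurityFilterChain, which is what writes the headers.
        mvc = MockMvcBuilders.webAppContextSetup(context).apply(springSecurity()).build();
    }

    @Test
    public void hstsIsSentOverHttpsWithConfiguredMaxAge() throws Exception {
        // secure(true) makes request.isSecure() return true, as a real HTTPS request would.
        // includeSubDomains(false) means only the max-age directive is emitted.
        mvc.perform(get("/").secure(true))
           .andExpect(header().string("Strict-Transport-Security", "max-age=60"));
    }

    @Test
    public void hstsIsNotSentOverPlainHttp() throws Exception {
        // A plain HTTP request must not carry the header at all.
        mvc.perform(get("/"))
           .andExpect(header().doesNotExist("Strict-Transport-Security"));
    }
}
```

The header is written by HeaderWriterFilter early in the filter chain, so the assertions hold even when "/" itself requires login and the response is a redirect.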
X-Frame-Options

If you allow your website to be embedded in an <iframe>, there is a risk of a [clickjacking](http://www.techscore.com/blog/2015/03/05/%E3%82%AF%E3%83%AA%E3%83%83%E3%82%AF%E3%82%B8%E3%83%A3%E3%82%AE%E3%83%B3%E3%82%B0%E3%81%A3%E3%81%A6%EF%BC%9F/) attack.

Although it is in English, an explainer video has been uploaded to YouTube (the video introduced in the Spring Security reference). In the first half the <iframe> is made visible for explanation, and in the second half the <iframe> is made completely invisible to show the actual attack.

To prevent this, you need to stop your site from being embedded in an <iframe>. This is achieved by adding X-Frame-Options to the response headers.

Spring Security's default setting, DENY, refuses embedding in an <iframe> from every site.
If you want to allow embedding because the same origin (the combination of scheme, host and port) can be trusted, configure it as follows.
namespace

applicationContext.xml

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       ...>
    ...
    <sec:http>
        ...
        <sec:headers>
            <sec:frame-options policy="SAMEORIGIN" />
        </sec:headers>
    </sec:http>
    ...
</beans>
```

- Set it with the policy attribute of the <frame-options> tag.
Java Configuration

MySpringSecurityConfig.java

```java
package sample.spring.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import java.util.Collections;

@EnableWebSecurity
@ComponentScan
public class MySpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            ...
            .headers()
                .frameOptions().sameOrigin();
    }

    ...
}
```

- You can start configuring X-Frame-Options with frameOptions().
X-XSS-Protection

Some web browsers come with a built-in feature that suppresses reflected XSS. However, some browsers do not enable this feature on their own.
By including X-XSS-Protection in the response headers, you can turn on the browser's reflected-XSS filter.
Keep in mind, though, that this feature does not completely prevent XSS; it only mitigates the attack (setting it does not mean everything is fine).
Content-Security-Policy

Content-Security-Policy is a header intended to mitigate and report XSS attacks.
For example, sending the response header

Content-Security-Policy: script-src 'self'

blocks attempts to load JavaScript from any origin other than your own. The idea is a defensive measure: by declaring in advance that scripts and other resources may only be loaded from trusted origins, you prevent an attacker from loading and executing a script they have prepared.

For details on how to write the header itself, see:

- Content Security Policy (CSP) - Web Security | MDN
- CSP Policy Directives - Web Security | MDN
When using it with Spring Security, write it as follows.

namespace

applicationContext.xml

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       ...>
    <context:component-scan base-package="sample.spring.security" />
    <sec:http>
        ...
        <sec:headers>
            <sec:content-security-policy policy-directives="script-src 'self'" />
        </sec:headers>
    </sec:http>
    ...
</beans>
```

- Add the <content-security-policy> tag and define the policy with its policy-directives attribute.
Java Configuration

MySpringSecurityConfig.java

```java
package sample.spring.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import java.util.Collections;

@EnableWebSecurity
@ComponentScan
public class MySpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            ...
            .headers()
                .contentSecurityPolicy("script-src 'self'");
    }

    ...
}
```

- Define the policy with the contentSecurityPolicy() method.
namespace

applicationContext.xml

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       ...>
    <sec:http>
        ...
        <sec:headers>
            <sec:header name="Hoge" value="fuga" />
        </sec:headers>
    </sec:http>
    ...
</beans>
```

- You can set any response header with the <header> tag.
Java Configuration

MySpringSecurityConfig.java

```java
package sample.spring.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
import java.util.Collections;

@EnableWebSecurity
@ComponentScan
public class MySpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            ...
            .headers()
                .addHeaderWriter(new StaticHeadersWriter("Hoge", "fuga"));
    }

    ...
}
```

- Pass an instance of StaticHeadersWriter as the argument to addHeaderWriter().
- In the constructor of StaticHeadersWriter, the first argument is the header name and the second is the header value.

Execution result (screenshot not included)
If you create a class that implements the HeaderWriter interface, you can control the writing of headers programmatically.

MyHeaderWriter.java

```java
package sample.spring.security.header;

import org.springframework.security.web.header.HeaderWriter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MyHeaderWriter implements HeaderWriter {

    @Override
    public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
        response.setHeader("My-Header", "My-Value");
    }
}
```
namespace

applicationContext.xml

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       ...>
    <sec:http>
        ...
        <sec:headers>
            <sec:header ref="myHeaderWriter" />
        </sec:headers>
    </sec:http>
    <bean id="myHeaderWriter" class="sample.spring.security.header.MyHeaderWriter" />
    ...
</beans>
```

- Specify the HeaderWriter bean in the ref attribute of the <header> tag.
Java Configuration

MySpringSecurityConfig.java

```java
package sample.spring.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import sample.spring.security.header.MyHeaderWriter;
import java.util.Collections;

@EnableWebSecurity
public class MySpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            ...
            .headers()
                .addHeaderWriter(new MyHeaderWriter());
    }

    ...
}
```

- Set an instance of the HeaderWriter with addHeaderWriter().

Execution result (screenshot not included)
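Combining the Content-Security-Policy section and the HeaderWriter interface above, the following added example (not code from the original article) shows a HeaderWriter that emits a nonce-based CSP, so that a page can still run its own inline scripts under a script-src that otherwise allows only 'self'. The class name NonceCspHeaderWriter and the request attribute name cspNonce are assumptions made for the example.

```java
package sample.spring.security.header;

import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.header.HeaderWriter;

/**
 * Added example: writes a Content-Security-Policy whose script-src allows only
 * same-origin scripts plus inline scripts carrying a per-request nonce.
 * The nonce is published as a request attribute so the view layer can put
 * it on its own <script nonce="..."> tags; any injected inline script has no
 * way to learn the value and is blocked by the browser.
 */
public class NonceCspHeaderWriter implements HeaderWriter {

    /** Request attribute under which the nonce is published (assumed name). */
    public static final String NONCE_ATTRIBUTE = "cspNonce";

    private static final String CSP_HEADER = "Content-Security-Policy";

    private static final SecureRandom RANDOM = new SecureRandom();

    @Override
    public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
        // Reuse a nonce already issued for this request (e.g. after a forward);
        // otherwise generate a fresh 128-bit random value and Base64-encode it.
        String nonce = (String) request.getAttribute(NONCE_ATTRIBUTE);
        if (nonce == null) {
            byte[] raw = new byte[16];
            RANDOM.nextBytes(raw);
            nonce = Base64.getEncoder().encodeToString(raw);
            request.setAttribute(NONCE_ATTRIBUTE, nonce);
        }
        // Set the header only once; writers may be invoked more than once per response.
        if (!response.containsHeader(CSP_HEADER)) {
            response.setHeader(CSP_HEADER,
                    "script-src 'self' 'nonce-" + nonce + "'; object-src 'none'");
        }
    }
}
```

Register it with .headers().addHeaderWriter(new NonceCspHeaderWriter()) instead of calling contentSecurityPolicy(), so that only one Content-Security-Policy header is sent, and put the nonce on your own script tags (for example <script nonce="${cspNonce}"> in a JSP).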
References

- I tried to organize the cache - Qiita
- X-XSS-Protection - Security
- HTTP Strict Transport Security - Web Security | MDN
- IE's MIME Sniffing - Nice memo
- MIME processing of IE8 - Nice memo
- #05 Browser Bad Know-how, Content Edition: BK Communication (Bad Knowhow Tsushin) | gihyo.jp, Technical Review Company
- X-Content-Type-Options: nosniff, I wish the one who didn't use it would die! - Hatena Diary
- [What is clickjacking? TECHSCORE BLOG](http://www.techscore.com/blog/2015/03/05/%E3%82%AF%E3%83%AA%E3%83%83%E3%82%AF%E3%82%B8%E3%83%A3%E3%82%AE%E3%83%B3%E3%82%B0%E3%81%A3%E3%81%A6%EF%BC%9F/)
- Types of "Cross-Site Scripting (XSS)" vulnerabilities - IPA (PDF)
- Same Origin Policy - Web Security | MDN
- Content Security Policy (CSP) - Web Security | MDN
- [What is referrer | referer: Meaning / Definition - IT Glossary](http://e-words.jp/w/%E3%83%AA%E3%83%95%E3%82%A1%E3%83%A9.html)
- Self-degrading engineer's diary: HPKP (HTTP Public Key Pinning), thinking about public key pinning - livedoor Blog