[JAVA] Spring Security usage memo response header

Basic and mechanical story Authentication / Authorization Story Remember-Me story CSRF story Session management story Method security story CORS story The story of Run-As The story of ACL Test story Talk about cooperation with MVC and Boot

Extra edition What Spring Security can and cannot do

Header set by default

When using Spring Security, the following headers are added to the response by default.

Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

Cache header

Cache-Control, Pragma, ʻExpires` are all set to prevent the browser from caching.

If a page that cannot be viewed without logging in is cached, a malicious user may be able to see information to be protected by looking at the cache left locally even after logging out.

Therefore, the cache is not allowed in this way.

X-Content-Type-Options: nosniff Some web browsers try to determine the type of file by looking at the contents of the file instead of Content-Type. This seems to be called Content Sniffing.

If this is enabled, there is a risk that the browser will accidentally execute malicious code [^ 1] contained in the file.

[^ 1]: An image file with embedded JavaScript code that establishes XSS

If this header (X-Content-Type-Options: nosniff) is set in the response, the browser will not automatically determine the file type (IE supports 8 and above).

Strict-Transport-Security This header is set by default only for HTTPS communication.

Suppose you access a site by omitting the protocol and entering only the host name in the URL field of your browser, such as xxx.com/xxxx. Normally, the protocol at this URL is complemented by HTTP and the request is executed.

Some sites may redirect you to switch to HTTPS communication when an HTTP request comes in.

However, since the first communication is done by HTTP, [Man-in-the-middle attack](http://www.weblio.jp/content/%E4%B8%AD%E9%96%93%E8%80%85] There is a risk of receiving% E6% 94% BB% E6% 92% 83).

With the Strict-Transport-Security header, the browser will recognize that" the host must communicate over HTTPS ". Then, even if you omit the protocol and enter the URL, it will automatically communicate over HTTPS.

However, since this header is a response header, it must communicate over HTTPS at least once. Of course, if you access the first time via HTTP, the communication is vulnerable. (It seems that this is called TOFU (Trust On First Use))

Parameters can be specified in this header, for namespaces and Java Configuration:

namespace

applicationContext.xml


<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       ...>
    
    ...
    
    <sec:http>
        ...
        <sec:headers>
            <sec:hsts max-age-seconds="60"
                      include-subdomains="false" />
        </sec:headers>
    </sec:http>
    
    ...
</beans>

--Add a <headers> tag under <http>, and then add a <hsts> tag under it to control it. --hsts = HTTP Strict Transport Security --max-age-seconds is max-age, --ʻInclude-subdomains sets ʻincludeSubDomains respectively. --Refer to the explanation of Strict-Transport-Securty for the meaning of the parameters.

Java Configuration

python


package sample.spring.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

import java.util.Collections;

@EnableWebSecurity
@ComponentScan
public class MySpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                ...
                .headers()
                    .httpStrictTransportSecurity()
                    .maxAgeInSeconds(60)
                    .includeSubDomains(false);
    }
    
    ...
}

--You can start setting Strict-Transport-Security with.headers (). httpStrictTransportSecurity ().

X-Frame-Options If you allow your website to be embedded with <iframe>, clickjacking (http://www.techscore.com/blog/2015/03/05/%E3%82%) AF% E3% 83% AA% E3% 83% 83% E3% 82% AF% E3% 82% B8% E3% 83% A3% E3% 82% AE% E3% 83% B3% E3% 82% B0% E3% 81% A3% E3% 81% A6% EF% BC% 9F /) Risk of attack.

Although it is in English, Explainer video on Youtube has been uploaded (the video introduced in the Spring Security reference). In the first half, <iframe> is made visible for explanation, and in the second half, <iframe> is completely invisible to explain the attack.

To prevent this, you need to prevent your site from being embedded with <iframe>. This can be achieved by adding X-Frame-Options to the response header.

The default setting of DENY by Spring Security is to refuse embedding with<iframe>from all sites.

If you want to allow embedding because the same origin (combination of scheme, host and port) is reliable, set as follows.

namespace

applicationContext.xml


<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       ...>
    
    ...
    
    <sec:http>
        ...
        <sec:headers>
            <sec:frame-options policy="SAMEORIGIN" />
        </sec:headers>
    </sec:http>
    
    ...
</beans>

--Set with policy of the<frame-options>tag.

Java Configuration

MySpringSecurityConfig.java


package sample.spring.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

import java.util.Collections;

@EnableWebSecurity
@ComponentScan
public class MySpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                ...
                .headers()
                    .frameOptions().sameOrigin();
    }
    
    ...
}

--You can start setting for X-Frame-Options withframeOptions ().

X-XSS-Protection Some web browsers come standard with features to suppress reflective XSS. However, some browsers do nothing to enable the feature.

By including X-XSS-Protection in the response header, you can enable the browser's ability to suppress reflective XSS.

However, keep in mind that this feature does not completely prevent XSS, but only mitigates the attack (it is not all OK if this is set).

Header not set by default

Content-Security-Policy Content-Security-Policy is a header intended to mitigate and report XSS attacks.

For example, in the response header

Content-Security-Policy: script-src 'self'

This will allow you to block attempts to load JavaScript sources from anyone other than your own origin. The point is that it is a defensive measure that prevents an attacker from loading and executing an unintended script prepared by an attacker by making it possible to read files etc. only from a reliable origin in advance.

How to write this header itself in detail

--Content Security Policy (CSP) --Web Security | MDN --CSP Policy Directives --Web Security | MDN

See this area.

When using it with Spring Security, write as follows.

namespace

applicationContext.xml


<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       ...>
    
    <context:component-scan base-package="sample.spring.security" />
    
    <sec:http>
        ...
        <sec:headers>
            <sec:content-security-policy policy-directives="script-src 'self'" />
        </sec:headers>
    </sec:http>
    
    ...
</beans>

--Add the <content-security-policy> tag and define it with the policy-directives attribute.

Java Configuration

MySpringSecurityConfig.java


package sample.spring.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

import java.util.Collections;

@EnableWebSecurity
@ComponentScan
public class MySpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                ...
                .headers()
                    .contentSecurityPolicy("script-src 'self'");
    }
    
    ...
}

--Define with the contentSecurityPolicy () method.

Export any header

Specify the header fixedly

namespace

applicationContext.xml


<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       ...>
    
    <sec:http>
        ...
        <sec:headers>
            <sec:header name="Hoge" value="fuga" />
        </sec:headers>
    </sec:http>
    
    ...
</beans>

--You can set any response header with the <header> tag.

Java Configuration

MySpringSecurityConfig.java


package sample.spring.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

import java.util.Collections;

@EnableWebSecurity
@ComponentScan
public class MySpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                ...
                .headers()
                    .addHeaderWriter(new StaticHeadersWriter("Hoge", "fuga"));
    }
    
    ...
}

--ʻAddHeaderWriter () pass an instance of StaticHeadersWriteras an argument. --In the constructor ofStaticHeadersWriter`, the first argument is the header name and the second argument is the header value.

Execution result

spring-security.jpg

Specify HeaderWriter

If you create a class that implements the HeaderWriter interface, you can programmatically control the writing of headers.

MyHeaderWriter.java


package sample.spring.security.header;

import org.springframework.security.web.header.HeaderWriter;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MyHeaderWriter implements HeaderWriter {
    
    @Override
    public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
        response.setHeader("My-Header", "My-Value");
    }
}

namespace

applicationContext.xml


<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       ...>
    
    <sec:http>
        ...
        <sec:headers>
            <sec:header ref="myHeaderWriter" />
        </sec:headers>
    </sec:http>
    
    <bean id="myHeaderWriter" class="sample.spring.security.header.MyHeaderWriter" />
    
    ...
</beans>

--Specify the Bean of HeaderWriter in the ref attribute of the <header> tag.

Java Configuration

python


package sample.spring.security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import sample.spring.security.header.MyHeaderWriter;

import java.util.Collections;

@EnableWebSecurity
public class MySpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                ...
                .headers()
                    .addHeaderWriter(new MyHeaderWriter());
    }
    
    ...
}

--Set an instance of HeaderWriter in ʻaddHeaderWriter ()`.

Execution result

spring-security.jpg

reference

-I tried to organize the cache --Qiita -X-XSS-Protection --Security --HTTP Strict Transport Security --Web Security | MDN -IE's MIME Sniffing --Nice memo -MIME processing of IE8 --Nice memo -# 05 Browser Bad Know-how Content Edition: BK Communication ―Bad Knowhow Tsushin― | gihyo.jp… Technical Review Company -X-Content-Type-Options: nosniff I wish the one who didn't use it would die! --Hatena Diary -[What is clickjacking? TECHSCORE BLOG](http://www.techscore.com/blog/2015/03/05/%E3%82%AF%E3%83%AA%E3%83%83%E3%82%AF%E3%82 % B8% E3% 83% A3% E3% 82% AE% E3% 83% B3% E3% 82% B0% E3% 81% A3% E3% 81% A6% EF% BC% 9F /) -Types of "Cross-Site Scripting (XSS)" vulnerabilities --IPA (PDF) -X-XSS-Protection --Security --Same Origin Policy --Web Security | MDN --Content Security Policy (CSP) --Web Security | MDN -[What is referrer | referer: Meaning / Definition-IT Glossary](http://e-words.jp/w/%E3%83%AA%E3%83%95%E3%82%A1%E3% 83% A9.html) -Self-degrading engineer's diary: HPKP (HTTP Public Key Pinning) Thinking about public key pinning --livedoor Blog (blog)

Recommended Posts

Spring Security usage memo response header
Spring Security usage memo CSRF
Spring Security usage memo Run-As
Spring Security Usage memo Method security
Spring Security usage memo Remember-Me
Spring Security usage memo CORS
Spring Security usage memo test
Spring Security usage memo session management
Spring Security usage memo Basic / mechanism
Spring Security Usage Memo Domain Object Security (ACL)
Spring Security usage memo: Cooperation with Spring MVC and Boot
Response header may not be output correctly in Spring Security 4.1
Spring retrospective memo
JavaParser usage memo
WatchService usage memo
PlantUML usage memo
JUnit5 usage memo
About Spring Security authentication
Spring Security causes 403 forbidden
Spring boot memo writing (2)
[Personal memo] About Spring framework
JJUG CCC 2018 Spring participation memo
Spring Framework self-study memo series_1
Login function with Spring Security
[Spring Security] Spring Security on GAE (SE)
Dependency Management Plugin Usage memo
Try using Spring Boot Security
Spring boot controller method memo