Kingdom: Security Features
Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
Spring Security Misconfiguration: Disabled Security Headers
Abstract
Spring Security default security headers are disabled.
Explanation
Spring Security sets default security headers to help protect the application. The default security headers injected by Spring Security are:
These are reasonable headers that help protect the application. Do not disable these headers unless they are replaced by more restrictive values.
Example 1: The following code disables Spring Security default headers:
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
These are reasonable headers that help protect the application. Do not disable these headers unless they are replaced by more restrictive values.
Example 1: The following code disables Spring Security default headers:
<http auto-config="true">
...
<headers disabled="true"/>
...
</http>
References
[1] Standards Mapping - FIPS200 CM
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings
[5] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[6] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[7] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[8] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[9] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 2.2.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 2.2.6
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective C.3.1 - Web Software Attack Mitigation
[16] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.config.java.spring_security_misconfiguration_disabled_security_headers