界: Security Features
软件安全不是安全软件。此处我们关注的主题包括身份验证、Access Control、机密性、加密和权限管理。
Spring Security Misconfiguration: Disabled Security Headers
Abstract
Spring Security 默认安全标头已禁用。
Explanation
Spring Security 设置了默认安全标头以协助保护应用程序。Spring Security 注入的默认安全标头为:
这些是可以保护应用程序的合理标头。将这些标头替换为限制等级更高的值之前,切勿将其禁用。
示例 1:以下代码禁用了 Spring Security 默认标头:
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
这些是可以保护应用程序的合理标头。将这些标头替换为限制等级更高的值之前,切勿将其禁用。
示例 1:以下代码禁用了 Spring Security 默认标头:
<http auto-config="true">
...
<headers disabled="true"/>
...
</http>
References
[1] Standards Mapping - FIPS200 CM
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings
[5] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[6] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[7] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[8] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[9] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 2.2.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 2.2.6
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective C.3.1 - Web Software Attack Mitigation
[16] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.config.java.spring_security_misconfiguration_disabled_security_headers