Is XSS protection in Spring Security enabled by default?
The defaults won't be disabled unless you specifically include the code below to disable them.
http.headers().defaultsDisabled()
Regarding points 1 and 2, my understanding is that both the blog and the doc have the same information.
X-XSS-Protection: 1; mode=block
The filtering (filtering out XSS attacks) is typically enabled by default, so adding the header typically just ensures it is enabled and instructs the browser what to do when an XSS attack is detected.
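The two configurations the answer contrasts, as an added example written for this page and not code from the original question or answer. It assumes a Spring Security 4.x/5.x project configured through WebSecurityConfigurerAdapter (the class the question names); the class name and the two helper method names are chosen here for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Example configuration (assumed class name) contrasting the two header
 * setups discussed above. Spring Security 4.x / 5.x, adapter style.
 */
@Configuration
@EnableWebSecurity
public class HeaderDemoSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .httpBasic();

        // Pick one of the two; both are shown so the difference is explicit.
        customiseXssKeepingDefaults(http);
        // disableDefaultsThenOptIn(http);
    }

    /**
     * Calling xssProtection() alone does NOT turn off the other default
     * headers. The response still carries Cache-Control (with Pragma and
     * Expires), X-Content-Type-Options, Strict-Transport-Security (on HTTPS
     * requests) and X-Frame-Options, plus the customised X-XSS-Protection.
     */
    static void customiseXssKeepingDefaults(HttpSecurity http) throws Exception {
        http.headers()
            .xssProtection()
                .block(true);   // X-XSS-Protection: 1; mode=block
    }

    /**
     * defaultsDisabled() is the only call that removes the defaults. After
     * it, every header must be opted into explicitly; anything not listed
     * here is simply absent from the response.
     */
    static void disableDefaultsThenOptIn(HttpSecurity http) throws Exception {
        http.headers()
            .defaultsDisabled()
            .xssProtection()
                .block(true)        // X-XSS-Protection: 1; mode=block
                .and()
            .contentTypeOptions();  // X-Content-Type-Options: nosniff
        // No frameOptions() here, so X-Frame-Options is NOT sent.
    }
}
```

To check which form you are running, request any endpoint with `curl -I` (with credentials, or against a permitted URL) and compare the response headers: with the first helper you get the full default set plus `X-XSS-Protection: 1; mode=block`; with the second helper only the two headers explicitly enabled appear.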
Admin, updated on June 19, 2022

Comments

Admin, almost 2 years ago:
I want to enable Spring Security XSS protection in my application.
1) Read docs and blogs, and https://spring.io/blog/2013/08/23/spring-security-3-2-0-rc1-highlights-security-headers/ indicates XSS is there by default
2) And http://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html indicates it is not there by default
3) If I use
http.headers().xssProtection()
in my configure method in a class extending WebSecurityConfigurerAdapter: does that disable all the other default headers?