Search
Search

Spring Security Headers included, still getting 'Header Not Set' vulnerability warning

Aki T Published at Dev
20
Aki T

I want to get rid of Header related vulnerability warnings. (Missing X-Frame Header, Missing Content Type Header)

I went through the Spring doc and made the required changes. But still getting those warnings (I'm using Owasap Zap security tool to validate vulnerability warnings)

Security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <security:http create-session="never"  entry-point-ref="http403EntryPoint" >
    
        <security:headers>
            <security:content-type-options/>
            <security:frame-options/>    
        </security:headers>

    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="_" password="_" authorities="_" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>

    <bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint">
    </bean>

</beans>

I've added the required dependencies in the pom file.

<dependency>
   <groupId>org.springframework.security</groupId>
   <artifactId>spring-security-web</artifactId>
   <version 4.1.0.RELEASE</version>
</dependency>

<dependency>
   <groupId>org.springframework.security</groupId>
   <artifactId>spring-security-config</artifactId>
   <version 4.1.0.RELEASE</version>
</dependency>
Aki T

I was missing the required servlet filter in the web.xml

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <async-supported>true</async-supported>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

This filter invokes a Spring bean (springSecurityFilterChain) which is an internal infrastructure bean created by the namespace to handle web security.

Collected from the Internet

Please contact [email protected] to delete if infringement.

edited at
0

Comments

0 comments
Login to comment

Related

Spring Boot 2.0.3 Oauth2 Security: Getting 401 error even when using access token in header

Getting "Set-Cookie" header

Unable to fix a vulnerability on spring-security-oauth2-resource-server

How to inject default security headers with Spring Security

CORS Headers don't get set when calling spring security /login

CORS Policy won't work, because all response headers are set, but still getting this error

Spring Security antMatcher rule based on custom headers

Spring Security get custom headers

Spring security + session : Receive "Set-Cookie" header but not set in browser

Spring Security ignore path filter still executed when Authorization header present

pandas header does exist but still getting KeyError

Spring Cloud Security with Token Relay: Response has empty set cookie header

Does C++ include all headers a included header file includes?

CMake: set warning flags for my project, but not included headers

PHP error: Warning: Cannot modify header information - headers already sent by

Warning: Cannot modify header information - headers already sent by (output started at

How to secure an included page with Spring security

Why am I getting Warning: Cannot modify header information - headers already sent by (output started at ...)?

Adding Security Headers in response of spring MVC Application

Warning: Can't modify header information - headers already sent

Adding a custom header to existing headers using Spring Security?

<Spring Security> Access token not included in header when client calls resource server

TSQL: Given a set of IDs, obtain all headers such that the set is included in the header's children

Keep getting the 'cannot set headers' with Axios on Firebase Functions which still fully executes regardless of the error

Avoid __TypeId__ and spring_json_header_types magic headers set by Spring Kafka

Headers configuration in Spring Security 6 for automated testing

Spring security StrictHttpFirewall isn't validating the headers

Tried async await and return statements but still getting Error [ERR_HTTP_HEADERS_SENT]: Cannot set headers after they are sent to the client

Set-cookie header is missing from Spring Security authentication response

TOP Ranking

  1. 1

    pump.io port in URL

  2. 2

    Loopback Error: connect ECONNREFUSED 127.0.0.1:3306 (MAMP)

  3. 3

    Can't pre-populate phone number and message body in SMS link on iPhones when SMS app is not running in the background

  4. 4

    How to import an asset in swift using Bundle.main.path() in a react-native native module

  5. 5

    Failed to listen on localhost:8000 (reason: Cannot assign requested address)

  6. 6

    Spring Boot JPA PostgreSQL Web App - Internal Authentication Error

  7. 7

    ngClass error (Can't bind ngClass since it isn't a known property of div) in Angular 11.0.3

  8. 8

    Using Response.Redirect with Friendly URLS in ASP.NET

  9. 9

    Can a 32-bit antivirus program protect you from 64-bit threats

  10. 10

    Double spacing in rmarkdown pdf

  11. 11

    How to fix "pickle_module.load(f, **pickle_load_args) _pickle.UnpicklingError: invalid load key, '<'" using YOLOv3?

  12. 12

    3D Touch Peek Swipe Like Mail

  13. 13

    Bootstrap 5 Static Modal Still Closes when I Click Outside

  14. 14

    Assembly definition can't resolve namespaces from external packages

  15. 15

    Vector input in shiny R and then use it

  16. 16

    Emulator wrong screen resolution in Android Studio 1.3

  17. 17

    Svchost high CPU from Microsoft.BingWeather app errors

  18. 18

    Graphics Context misaligned on first paint

  19. 19

    Python connect to firebird docker database

  20. 20

    Is this docker-for-mac password dialog legit?

  21. 21

    How to save models trained locally in Amazon SageMaker?

HotTag

Archive