spring-mvc - 如何使用spring security防止xss和xframe攻击

Question

我看spring web site并想防止我的网站表单 xss 和 xframe 攻击

但是我的英语不够好，无法弄清楚要设置什么

请指导我还应该设置什么？？

我只是添加一个 WebSecurityConfig.java下 src/com/test/web/security
这是我的代码:

package com.test.web.security;

import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
@ComponentScan
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {
 http
   // ...
   .headers();
}
}

Answer 1

如果您只指定与上面相同的代码，Spring Security 应该自动添加所有相关的安全 header 。根据文档:

If you are using Spring Security’s Java configuration, all of the default security headers are added by default.

还:

As soon as you specify any headers that should be included, then only those headers will be include

请参阅本节中的详细信息和代码示例:

http://docs.spring.io/spring-security/site/docs/3.2.0.RELEASE/reference/htmlsingle/#default-security-headers