Course – LSS – NPI (cat=Spring Security)
announcement - icon

If you're working on a Spring Security (and especially an OAuth) implementation, definitely have a look at the Learn Spring Security course:


1. Overview

When building a Spring web application, it’s important to focus on security. Cross-site scripting (XSS) is one of the most critical attacks on web security.

Preventing the XSS attack is a challenge in a Spring application. Spring provides built-in help for complete protection.

In this tutorial, we’ll use the available Spring Security features.

2. What Is a Cross-Site Scripting (XSS) Attack?

2.1. Definition of the Problem

XSS is a common type of injection attack. In XSS, the attacker tries to execute malicious code in a web application. They interact with it through a web browser or HTTP client tools like Postman.

There are two types of XSS attacks:

  • Reflected or Nonpersistent XSS
  • Stored or Persistent XSS

In Reflected or Nonpersistent XSS, untrusted user data is submitted to a web application, which is immediately returned in the response, adding untrustworthy content to the page. The web browser assumes the code came from the web server and executes it. This might allow a hacker to send you a link that, when followed, causes your browser to retrieve your private data from a site you use and then make your browser forward it to the hacker’s server.

In Stored or Persistent XSS, the attacker’s input is stored by the webserver. Subsequently, any future visitors may execute that malicious code.

2.2. Defending Against the Attack

The main strategy for preventing XSS attacks is to clean user input.

In a Spring web application, the user’s input is an HTTP request. To prevent the attack, we should check the HTTP request’s content and remove anything that might be executable by the server or in the browser.

For a regular web application, accessed through a web browser, we can use Spring Security‘s built-in features (Reflected XSS).

3. Making an Application XSS Safe with Spring Security

Spring Security provides several security headers by default. It includes the X-XSS-Protection header. X-XSS-Protection tells the browser to block what looks like XSS. Spring Security can automatically add this security header to the response. To activate this, we configure the XSS support in the Spring Security configuration class.

Using this feature, the browser does not render when it detects an XSS attempt. However, some web browsers haven’t implemented the XSS auditor. In this case, they don’t make use of the X-XSS-Protection header. To overcome this issue, we can also use the Content Security Policy (CSP) feature.

The CSP is an added layer of security that helps mitigate XSS and data injection attacks. To enable it, we need to configure our application to return a Content-Security-Policy header by providing a SecurityFilterChain bean:

public class SecurityConf {

    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.headers(headers ->
                        xss -> xss.headerValue(XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK)
                        cps -> cps.policyDirectives("script-src 'self'")

4. Conclusion

In this article, we saw how to prevent XSS attacks by using Spring Security’s xssProtection feature.

As always, the source code can be found over on GitHub.

Course – LSS (cat=Security/Spring Security)
announcement - icon

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security:


res – Security (video) (cat=Security/Spring Security)
Inline Feedbacks
View all comments