Spring MVC : How to Protect Application from CSRF and XSS

Submitted by 孤街浪徒 on 2019-12-03 11:17:28

Question


What is the best way to protect our Spring MVC application from CSRF and XSS.

Is there native Spring MVC support for this?


Answer 1:


In Spring:

Forms (globally):

<context-param>
    <param-name>defaultHtmlEscape</param-name>
    <param-value>true</param-value>
</context-param>

Forms (locally):

<spring:htmlEscape defaultHtmlEscape="true" />



Answer 2:


You can use Spring Security 3.2.0.RELEASE and enable csrf support with this configuration

<http>
    <!-- ... -->
    <csrf />
</http>
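As an added example (not code from either answer above), the Java-config equivalent of the `<csrf />` element for Spring Security 3.2+, alongside a controller that escapes untrusted input with `HtmlUtils` because the `defaultHtmlEscape` setting from Answer 1 only covers Spring's own JSP tags, not raw `${...}` expressions. The class names, the `/comment` URL and the view name are hypothetical.

```java
// Added example, not from the answers above. Class names, the /comment URL
// and the "comment" view name are hypothetical.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.util.HtmlUtils;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Same effect as <csrf /> in the XML namespace: CsrfFilter issues a
            // per-session token and answers POST/PUT/PATCH/DELETE requests that
            // lack it (as the _csrf parameter or X-CSRF-TOKEN header) with 403.
            // Java config turns this on by default; spelling it out keeps a
            // later refactor from silently dropping it.
            .csrf().and()
            .authorizeRequests().anyRequest().authenticated().and()
            .formLogin();
    }
}

@Controller
class CommentController {
    // A hand-written form posting here must carry the token, e.g. in JSP:
    //   <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
    // Spring's <form:form> tag inserts that hidden field automatically once
    // CSRF protection is enabled (via CsrfRequestDataValueProcessor).
    @RequestMapping(value = "/comment", method = RequestMethod.POST)
    public String post(@RequestParam("text") String text, Model model) {
        // defaultHtmlEscape (Answer 1) only applies to Spring's JSP tags; a raw
        // ${text} in the view would still render markup. Escaping the value
        // before it reaches the model covers that case as well.
        model.addAttribute("safeText", HtmlUtils.htmlEscape(text));
        return "comment";
    }
}
```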



Answer 3:


Here is a blog about it.

http://blog.eyallupu.com/2012/04/csrf-defense-in-spring-mvc-31.html

Another one:

http://web.securityinnovation.com/appsec-weekly/blog/bid/79007/How-to-Prevent-Cross-Site-Request-Forgery-CSRF-in-SpringMVC

For token generation, ESAPI can be used: https://code.google.com/p/owasp-esapi-java/



Source: https://stackoverflow.com/questions/8958928/spring-mvc-how-to-protect-application-from-csrf-and-xss
