Question
I want to enable Spring Security XSS protection in my application.
1) Read docs and blogs, and https://spring.io/blog/2013/08/23/spring-security-3-2-0-rc1-highlights-security-headers/ indicates XSS is there by default.
2) And http://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html indicates it is not there by default.
3) If I use http.headers().xssProtection() in my configure method in a class extending WebSecurityConfigurerAdapter: does that disable all the other default headers?
Answer 1:
The defaults wouldn't be disabled unless you specifically include the code below to disable them:
http.headers().defaultsDisabled()
Regarding points 1 and 2, my understanding is that both the blog and the doc have the same information:
X-XSS-Protection: 1; mode=block
The filtering (filtering out XSS attacks) is typically enabled by default in the browser, so adding the header typically just ensures it is enabled and instructs the browser what to do when an XSS attack is detected.
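As an added example (not code from the question or answer above), here is a Java configuration that contrasts the two cases the answer describes: calling xssProtection() on its own, which leaves the other default headers in place, and calling defaultsDisabled(), after which every header you still want must be re-enabled explicitly. The class names are assumptions; the method calls are the standard Spring Security HeadersConfigurer API from the WebSecurityConfigurerAdapter era.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Variant A (hypothetical class name): customise only X-XSS-Protection.
// Because defaultsDisabled() is never called, the other default headers
// (Cache-Control, X-Content-Type-Options, X-Frame-Options, and
// Strict-Transport-Security on HTTPS requests) are still written.
@Configuration
@EnableWebSecurity
public class KeepDefaultsHeadersConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers()
            .xssProtection()
                .block(true);   // X-XSS-Protection: 1; mode=block (the default value anyway)
    }
}

// Variant B (hypothetical class name): defaultsDisabled() switches off every
// default header, so each one you still want has to be added back by hand.
// Only one of these two configurations should be active in an application.
@Configuration
@EnableWebSecurity
class ExplicitHeadersConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers()
            .defaultsDisabled()
            .xssProtection().block(true).and()       // X-XSS-Protection: 1; mode=block
            .contentTypeOptions().and()              // X-Content-Type-Options: nosniff
            .httpStrictTransportSecurity().and()     // Strict-Transport-Security (HTTPS only)
            .frameOptions().deny();                  // X-Frame-Options: DENY
        // Cache-Control / Pragma / Expires are NOT re-enabled here, so
        // authenticated responses become cacheable unless cacheControl() is added.
    }
}
```

Current Chromium-based browsers no longer implement the XSS auditor that this header controls, so it should be treated as a legacy hint rather than a primary defence; a Content-Security-Policy header is the durable browser-side control.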
Source: https://stackoverflow.com/questions/37606227/is-xss-protection-in-spring-security-enabled-by-default