Adding additional Security to Website

I am running a Java Spring MVC based Web-Application. It is also based on the Hybris Platform.

Now, the basic functionality in terms of Authentication and Authorization is already implemented. Meaning we do have filters for sessions, a working user-system, etc.

However, we currently have no security measures against things such as XSS and other kinds of possible attacks that are out there. XSS is probably the biggest concern as it is the most common possible way of attacking.

Now, I wonder ... what steps would be smart to take? I have taken a look around and I have seen that stuff like XSS-Filter exists. Implementing such would be pretty easy, just copy-paste the source and add it as a filter in Tomcat's web.xml.

But I wonder if that is a satisfying amount of security from such a filter?

There are also way more bloated solutions, for example I could use Spring Security. However, reading the documentation, I feel like this is very bloated and a large part of it implements what is already implemented (the two A's, for example). I feel like it would take a lot of work to configure it down to the amount of work that I need it to do. Am I wrong?

And:

How would you say it is recommended to deal with security issues, for example XSS? Do you use a certain predefined framework that suits the needs, or is your security "hand-made" by following things like the cheat sheet?

asked Mar 12 '15 14:03 by Mercious


1 Answer

  1. Set Anti-XSS Headers (hint: use Spring Security or make your own Interceptor)

    Content-Security-Policy: default-src 'self'   --only allow content from your own site
    
    X-XSS-Protection: 1; mode=block   --prevent some reflective attacks in some browsers
    
    X-Content-Type-Options: nosniff   --can't trick browser into detecting and running js in other content types
    
  2. Prevent malicious inbound HTML/JS/CSS

    Use Hibernate Validator (you don't need to use Hibernate ORM to use this) with the @SafeHtml annotation on all user-supplied String fields.

    You could validate all request headers, post params and query params in one Interceptor for simplistic XSS validation.

  3. Escape all user-supplied data on output

    Use OWASP's Java Encoder Project <e:forHtml value="${attr}" /> to escape output or JSTL's <c:out value="${attr}"/> and in web.xml set

    <context-param>
        <param-name>defaultHtmlEscape</param-name>
        <param-value>true</param-value>
    </context-param>
    

    They are equally safe if escaping HTML node text, but OWASP is safer for HTML attribute or <script> escaping.

    If you have too many files to edit, consider http://pukkaone.github.io/2011/01/03/jsp-cross-site-scripting-elresolver.html

  4. Make your session cookie unreadable by JavaScript. In web.xml:

    <session-config>
        <cookie-config>
            <!-- browser will disallow JavaScript access to session cookie -->
            <http-only>true</http-only>
        </cookie-config>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
    
  5. If you are hosting user-uploaded files, you need to use a different domain (not a subdomain) for download links, so that evil content cannot clobber your session cookie (yes, this can happen even if it's httpOnly).

answered Sep 28 '22 05:09 by Neil McGuigan
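The header interceptor from step 1 and the context-specific output encoding from step 3, as an added example that is not part of the answer above and not Hybris or Spring project code. It assumes Spring 5.x with javax.servlet (on Spring 4 extend WebMvcConfigurerAdapter instead of implementing WebMvcConfigurer; on Spring 6 the servlet imports move to jakarta.servlet) and the org.owasp.encoder:encoder artifact on the classpath; the package, class and method names are made up for this example, while the header values are the ones the answer lists.

```java
// Added example (not from the original answer): a Spring MVC interceptor that
// sets the three anti-XSS response headers from step 1, plus a small helper
// showing which OWASP Java Encoder call fits which output context (step 3).
// Package and class names are assumptions made for this example.
package com.example.security;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.encoder.Encode;            // org.owasp.encoder:encoder
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/** Sets browser-side XSS mitigations on every response the interceptor sees. */
public class SecurityHeadersInterceptor implements HandlerInterceptor {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
        // Only allow scripts, styles, images, etc. from this origin. Inline
        // <script> and <style> blocks are blocked by this policy, so roll it
        // out as Content-Security-Policy-Report-Only first on an existing site.
        response.setHeader("Content-Security-Policy", "default-src 'self'");
        // Legacy reflective-XSS filter in older browsers; ignored by current ones.
        response.setHeader("X-XSS-Protection", "1; mode=block");
        // Stop the browser from sniffing a non-script response into script.
        response.setHeader("X-Content-Type-Options", "nosniff");
        return true; // continue to the controller
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response,
                           Object handler, ModelAndView modelAndView) {
        // nothing to do after the controller ran; headers are already set
    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response,
                                Object handler, Exception ex) {
        // nothing to clean up
    }
}

/** Registers the interceptor for all URL paths (the XML equivalent is <mvc:interceptors>). */
@Configuration
class WebConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new SecurityHeadersInterceptor()).addPathPatterns("/**");
    }
}

/** Output encoding: choose the encoder for the context the value is inserted into. */
final class OutputEncoding {
    private OutputEncoding() {}

    // Text between tags, e.g. <p>...</p>; same context as <c:out> or <e:forHtml>
    static String forBody(String untrusted) {
        return Encode.forHtml(untrusted);
    }

    // Quoted attribute value, e.g. <input value="...">
    static String forAttribute(String untrusted) {
        return Encode.forHtmlAttribute(untrusted);
    }

    // Inside a quoted JavaScript string literal in a <script> block;
    // plain HTML escaping is NOT enough here because </script> and quotes
    // need JavaScript-specific escaping.
    static String forJsString(String untrusted) {
        return Encode.forJavaScript(untrusted);
    }
}
```

The three `OutputEncoding` methods exist to make the answer's point concrete: `c:out` and `defaultHtmlEscape` cover the element-body case, but a value dropped into an attribute or into a `<script>` string needs the attribute or JavaScript encoder, which is why the answer calls the OWASP encoder the safer choice there.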