This is a vulnerability reported when running OWASP ZAP against the application; the details are as follows.
OWASP ZAP alert details
1) Description
The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks.
2) Solution
Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app. If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.
3) Reference
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Fixing it in Spring Security
Add the following code to the SecurityConfig class (inside the configure(HttpSecurity http) method).
```java
// Anti-clickjacking: sends "X-Frame-Options: SAMEORIGIN", so the page may
// only be framed by pages from the same origin. Use .deny() if the page
// should never be framed at all.
http.headers()
    .frameOptions()
    .sameOrigin();

// HSTS: "Strict-Transport-Security: max-age=31536000 ; includeSubDomains ; preload"
http.headers()
    .httpStrictTransportSecurity()
    .maxAgeInSeconds(31536000)
    .includeSubDomains(true)
    .preload(true);
```
Source: Spring Security Reference, 21. Security HTTP Response Headers, https://docs.spring.io/spring-security/site/docs/5.0.x/reference/html/headers.html
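To confirm the fix took effect, the same condition ZAP checks can be evaluated against a captured response. The following is an added example (not ZAP's own rule implementation and not code from the post): it takes a response's headers as a dict of name to list of values, accepts either an X-Frame-Options of DENY/SAMEORIGIN or a CSP frame-ancestors directive, and additionally flags duplicated X-Frame-Options headers, the obsolete ALLOW-FROM form and a wildcard frame-ancestors. The sample responses are constructed.

```python
from typing import Dict, List

ALLOWED_XFO = {"DENY", "SAMEORIGIN"}  # the only values browsers still honour


def csp_frame_ancestors(csp_values: List[str]) -> List[str]:
    """Collect the source list of every frame-ancestors directive in the CSP header(s)."""
    found = []
    for value in csp_values:
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                found.append(" ".join(tokens[1:]))
    return found


def check_clickjacking_headers(headers: Dict[str, List[str]]) -> dict:
    """headers maps a response header name to its list of values (a header may repeat).
    Returns {'protected': bool, 'findings': [str, ...]}."""
    lower = {name.lower(): values for name, values in headers.items()}
    xfo = [v.strip() for v in lower.get("x-frame-options", [])]
    ancestors = csp_frame_ancestors(lower.get("content-security-policy", []))
    findings = []
    if not xfo and not ancestors:
        findings.append("neither X-Frame-Options nor CSP frame-ancestors is set")
    if len(xfo) > 1:
        findings.append("X-Frame-Options sent more than once; browsers may ignore it entirely")
    for value in xfo:
        if value.upper() not in ALLOWED_XFO:
            findings.append(f"unsupported X-Frame-Options value {value!r} (ALLOW-FROM is obsolete)")
    for sources in ancestors:
        if "*" in sources.split():
            findings.append("frame-ancestors * permits framing from any origin")
    xfo_ok = len(xfo) == 1 and xfo[0].upper() in ALLOWED_XFO
    csp_ok = bool(ancestors) and not any("*" in s.split() for s in ancestors)
    return {"protected": xfo_ok or csp_ok, "findings": findings}


# Constructed sample responses (not real captures).
SAMPLES = {
    "spring_sameorigin": {"Content-Type": ["text/html"], "X-Frame-Options": ["SAMEORIGIN"]},
    "unprotected": {"Content-Type": ["text/html"]},
    "csp_only": {"Content-Security-Policy": ["default-src 'self'; frame-ancestors 'self'"]},
    "duplicate_xfo": {"X-Frame-Options": ["DENY", "SAMEORIGIN"]},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, check_clickjacking_headers(hdrs))
```

The "spring_sameorigin" sample is what the configuration above produces; "unprotected" reproduces the ZAP alert.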