I added the spring-boot-starter-security starter to my Spring Boot application for the first time to prevent Cross-Site Scripting (XSS) attacks; I referred to this (https://www.baeldung.com/spring-prevent-xss) link. But as per this (https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter) link, WebSecurityConfigurerAdapter is deprecated. I am unable to find the alternative; please suggest one.
CodePudding user response:
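You can use a security filter chain like this:

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.web.SecurityFilterChain;

    @Configuration
    @EnableWebSecurity
    public class YourAppSecurityConfiguration {

        // Replaces overriding configure(HttpSecurity) in WebSecurityConfigurerAdapter.
        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            // Send X-XSS-Protection and a CSP that only allows same-origin scripts.
            http
                .headers()
                    .xssProtection()
                    .and()
                    .contentSecurityPolicy("script-src 'self'");
            return http.build();
        }
    }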
CodePudding user response:
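You can try it like this: if you don't want to extend the deprecated WebSecurityConfigurerAdapter, you can use SecurityFilterChain and then apply your XSS implementation.

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationProvider;
    import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.web.SecurityFilterChain;

    @Configuration
    @EnableWebSecurity
    public class BlogAppSecurityConfig {

        @Autowired
        private UserDetailsService userDetailsService;

        // Authenticates against the application's UserDetailsService with BCrypt-hashed passwords.
        @Bean
        public AuthenticationProvider authenticationProvider() {
            DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
            provider.setUserDetailsService(userDetailsService);
            provider.setPasswordEncoder(new BCryptPasswordEncoder());
            return provider;
        }

        // Send X-XSS-Protection and a CSP that only allows same-origin scripts.
        @Bean
        public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
            http
                .headers()
                    .xssProtection()
                    .and()
                    .contentSecurityPolicy("script-src 'self'");
            return http.build();
        }
    }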