Alternate for deprecated WebSecurityConfigurerAdapter to implement Cross-Site Scripting (XSS) by usi

Time:10-12

For the first time, I added the spring-boot-starter-security starter to my Spring Boot application to prevent Cross-Site Scripting (XSS) attacks. I referred to this (https://www.baeldung.com/spring-prevent-xss) link. But as per this (https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter) link, WebSecurityConfigurerAdapter is deprecated. I am unable to find the alternative, please suggest.

CodePudding user response:

You can use a security filter chain like this:

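import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class YourAppSecurityConfiguration {

    // Declared as a bean instead of overriding configure(HttpSecurity)
    // in WebSecurityConfigurerAdapter.
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .headers()
                .xssProtection()                              // X-XSS-Protection response header
                .and()
                .contentSecurityPolicy("script-src 'self'");  // Content-Security-Policy response header
        return http.build();
    }
}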

CodePudding user response:

You can try it like this: if you don't want to extend the deprecated WebSecurityConfigurerAdapter, you can use SecurityFilterChain and then apply your XSS implementation.

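import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class BlogAppSecurityConfig {

    @Autowired
    private UserDetailsService userDetailsService;

    // Authenticates against the application's UserDetailsService with BCrypt-hashed passwords
    @Bean
    public AuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userDetailsService);
        provider.setPasswordEncoder(new BCryptPasswordEncoder());
        return provider;
    }

    // Declared as a bean instead of overriding configure(HttpSecurity)
    // in WebSecurityConfigurerAdapter.
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .headers()
                .xssProtection()                              // X-XSS-Protection response header
                .and()
                .contentSecurityPolicy("script-src 'self'");  // Content-Security-Policy response header
        return http.build();
    }
}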
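
A way to check that the SecurityFilterChain bean from the answers above is actually applied, as an added example that is not part of either answer: a MockMvc test asserting that responses carry the two headers the chain configures. It assumes JUnit 5 with spring-boot-starter-test and spring-security-test on the test classpath (Spring Boot 2.7 or 3.x package names); the class name SecurityHeadersTest is hypothetical.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;

// Hypothetical test class: loads the full application context, so the
// SecurityFilterChain bean shown above is part of the MockMvc filter chain.
@SpringBootTest
@AutoConfigureMockMvc
class SecurityHeadersTest {

    @Autowired
    private MockMvc mockMvc;

    @Test
    void responsesCarryConfiguredXssHeaders() throws Exception {
        // The headers are written by the security filter chain, so the
        // assertions hold even if no controller is mapped to "/".
        mockMvc.perform(get("/"))
               // Must match the policy string passed to contentSecurityPolicy(...)
               .andExpect(header().string("Content-Security-Policy", "script-src 'self'"))
               // Only presence is asserted: the default value is
               // "1; mode=block" in Spring Security 5.x and "0" in 6.x.
               .andExpect(header().exists("X-XSS-Protection"));
    }
}
```

If the Content-Security-Policy assertion fails, the usual cause is that the configuration class is outside the package scanned by the application class, so the bean is never registered.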