Add XSS protection example

rashidi · rashidi · commit 43dca3c4ad33 · 2025-05-25T12:30:11.000+08:00
diff --git a/web-thymeleaf-xss/.gitattributes b/web-thymeleaf-xss/.gitattributes
@@ -0,0 +1,3 @@
+/gradlew text eol=lf
+*.bat text eol=crlf
+*.jar binary
diff --git a/web-thymeleaf-xss/.gitignore b/web-thymeleaf-xss/.gitignore
@@ -0,0 +1,37 @@
+HELP.md
+.gradle
+build/
+!gradle/wrapper/gradle-wrapper.jar
+!**/src/main/**/build/
+!**/src/test/**/build/
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+bin/
+!**/src/main/**/bin/
+!**/src/test/**/bin/
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+out/
+!**/src/main/**/out/
+!**/src/test/**/out/
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+
+### VS Code ###
+.vscode/
diff --git a/web-thymeleaf-xss/build.gradle.kts b/web-thymeleaf-xss/build.gradle.kts
@@ -0,0 +1,32 @@
+plugins {
+    java
+    id("org.springframework.boot") version "3.4.5"
+    id("io.spring.dependency-management") version "1.1.7"
+}
+
+group = "zin.rashidi"
+version = "0.0.1-SNAPSHOT"
+
+java {
+    toolchain {
+        languageVersion = JavaLanguageVersion.of(21)
+    }
+}
+
+repositories {
+    mavenCentral()
+}
+
+dependencies {
+    implementation("org.springframework.boot:spring-boot-starter-security")
+    implementation("org.springframework.boot:spring-boot-starter-thymeleaf")
+    implementation("org.springframework.boot:spring-boot-starter-web")
+    implementation("org.thymeleaf.extras:thymeleaf-extras-springsecurity6")
+    testImplementation("org.springframework.boot:spring-boot-starter-test")
+    testImplementation("org.springframework.security:spring-security-test")
+    testRuntimeOnly("org.junit.platform:junit-platform-launcher")
+}
+
+tasks.withType<Test> {
+    useJUnitPlatform()
+}
diff --git a/web-thymeleaf-xss/settings.gradle.kts b/web-thymeleaf-xss/settings.gradle.kts
@@ -0,0 +1 @@
+rootProject.name = "web-thymeleaf-xss"
diff --git a/web-thymeleaf-xss/src/main/java/zin/rashidi/web/xss/WebThymeleafXssApplication.java b/web-thymeleaf-xss/src/main/java/zin/rashidi/web/xss/WebThymeleafXssApplication.java
@@ -0,0 +1,13 @@
+package zin.rashidi.web.xss;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class WebThymeleafXssApplication {
+
+    public static void main(String[] args) {
+        SpringApplication.run(WebThymeleafXssApplication.class, args);
+    }
+
+}
diff --git a/web-thymeleaf-xss/src/main/java/zin/rashidi/web/xss/greet/GreetResource.java b/web-thymeleaf-xss/src/main/java/zin/rashidi/web/xss/greet/GreetResource.java
@@ -0,0 +1,21 @@
+package zin.rashidi.web.xss.greet;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+
+/**
+ * @author Rashidi Zin
+ */
+@Controller
+class GreetResource {
+
+    @GetMapping("/greet")
+    public String greet(@RequestParam String name, Model model) {
+        model.addAttribute("name", name);
+
+        return "greet";
+    }
+
+}
diff --git a/web-thymeleaf-xss/src/main/java/zin/rashidi/web/xss/security/SecurityConfiguration.java b/web-thymeleaf-xss/src/main/java/zin/rashidi/web/xss/security/SecurityConfiguration.java
@@ -0,0 +1,28 @@
+package zin.rashidi.web.xss.security;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+
+import static org.springframework.security.web.header.writers.XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK;
+
+/**
+ * @author Rashidi Zin
+ */
+@Configuration
+@EnableWebSecurity
+class SecurityConfiguration {
+
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+        return http
+                .headers(headers -> headers
+                        .contentSecurityPolicy(policy -> policy.policyDirectives("default-src 'self'"))
+                        .xssProtection(xss -> xss.headerValue(ENABLED_MODE_BLOCK))
+                )
+                .build();
+    }
+
+}
diff --git a/web-thymeleaf-xss/src/main/resources/application.properties b/web-thymeleaf-xss/src/main/resources/application.properties
@@ -0,0 +1 @@
+spring.application.name=web-thymeleaf-xss
diff --git a/web-thymeleaf-xss/src/main/resources/templates/greet.html b/web-thymeleaf-xss/src/main/resources/templates/greet.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html xmlns:th="http://www.thymeleaf.org">
+<head>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <title>Greeting</title>
+</head>
+<body>
+   <p th:id="greet" th:text="|Hello, ${name}!|" />
+</body>
+</html>
diff --git a/web-thymeleaf-xss/src/test/java/zin/rashidi/web/xss/WebThymeleafXssApplicationTests.java b/web-thymeleaf-xss/src/test/java/zin/rashidi/web/xss/WebThymeleafXssApplicationTests.java
@@ -0,0 +1,13 @@
+package zin.rashidi.web.xss;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.boot.test.context.SpringBootTest;
+
+@SpringBootTest
+class WebThymeleafXssApplicationTests {
+
+    @Test
+    void contextLoads() {
+    }
+
+}
diff --git a/web-thymeleaf-xss/src/test/java/zin/rashidi/web/xss/greet/GreetResourceTests.java b/web-thymeleaf-xss/src/test/java/zin/rashidi/web/xss/greet/GreetResourceTests.java
@@ -0,0 +1,35 @@
+package zin.rashidi.web.xss.greet;
+
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.web.servlet.assertj.MockMvcTester;
+
+import static org.springframework.boot.test.context.SpringBootTest.WebEnvironment.RANDOM_PORT;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+/**
+ * @author Rashidi Zin
+ */
+@SpringBootTest(webEnvironment = RANDOM_PORT)
+@AutoConfigureMockMvc
+class GreetResourceTests {
+
+    @Autowired
+    private MockMvcTester mvc;
+
+    @Test
+    @DisplayName("Given XSS protection is enabled Then response header should contain information about X-XSS-Protection and Content-Security-Policy")
+    void headers() {
+        mvc.get()
+                .uri("/greet?name={name}", "rashidi")
+            .assertThat()
+                .matches(status().isOk())
+                .matches(header().string("Content-Security-Policy", "default-src 'self'"))
+                .matches(header().string("X-XSS-Protection", "1; mode=block"));
+    }
+
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+/gradlew text eol=lf`
	`2`	`+*.bat text eol=crlf`
	`3`	`+*.jar binary`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+spring.application.name=web-thymeleaf-xss`