Hi,

Note that Struts 7 has a built-in CSP header interceptor that also has support for cryptographic nonces in JavaScript tags. They may have interceptors for these other missing headers as well, but I'm not sure. More information can be found in the documentation.
Regards,
Nate

From: Shivam Agrahari <[email protected]>
Sent: Wednesday, 16 April 2025 13:36
To: Struts Users Mailing List <[email protected]>
Subject: Re: Request for Assistance with OWASP ZAP Vulnerabilities in Struts-Based Java Web Application

Hi,

The application is currently showing the following security vulnerabilities:

Content Security Policy (CSP) Header Not Set (3 instances)
  GET: http://localhost:8080/favicon.ico
  GET: http://localhost:8080/favicon.test
  GET: http://localhost:8080/favicon.test/

Missing Anti-clickjacking Header (2 instances)
  GET: http://localhost:8080/favicon.test
  GET: http://localhost:8080/favicon.test/

Cookie without SameSite Attribute (2 instances)
  GET: http://localhost:8080/favicon.test
  GET: http://localhost:8080/favicon.test/

X-Content-Type-Options Header Missing (2 instances)
  GET: http://localhost:8080/favicon.test
  GET: http://localhost:8080/favicon.test/

I've made efforts to address these vulnerabilities and have shared the relevant code snippet below for your reference.
The code is intended to mitigate CSRF and other related issues:

// Struts 6.x / javax.servlet imports; on Struts 7 the same classes live under
// org.apache.struts2.* and jakarta.servlet.*
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import org.apache.struts2.ServletActionContext;

public class SecurityHeadersInterceptor extends AbstractInterceptor {

    @Override
    public String intercept(ActionInvocation ai) throws Exception {
        final ActionContext ac = ai.getInvocationContext();
        HttpServletResponse myresponse = ac.getServletResponse();
        HttpSession session = ServletActionContext.getRequest().getSession();
        final String jsessionid = session.getId();
        // Re-issue the session cookie with SameSite; note that setHeader replaces any
        // Set-Cookie header already present on the response rather than adding to it
        String cookieValue = "JSESSIONID=" + jsessionid + "; Path=/test; HttpOnly; SameSite=Strict";
        myresponse.setHeader("Set-Cookie", cookieValue);
        myresponse.setHeader("X-Frame-Options", "SAMEORIGIN");
        myresponse.setHeader("X-Content-Type-Options", "nosniff");
        // Caution: in the segment "'unsafe-inline' 'unsafe-eval' prefetch-src 'none'" no directive
        // name precedes the source expressions, so browsers treat 'unsafe-inline' as an unknown
        // directive and ignore that whole segment (including prefetch-src 'none').
        myresponse.setHeader("Content-Security-Policy", "default-src 'self'; img-src 'self'; frame-src 'self'; connect-src 'self'; frame-ancestors 'self'; font-src 'self'; base-uri 'self'; form-action 'self'; 'unsafe-inline' 'unsafe-eval' prefetch-src 'none'; manifest-src 'none'; object-src 'self'; media-src 'none'; ");
        String resultString = ai.invoke();
        System.out.println("before result");  // runs after invoke(), i.e. once the action has completed
        return resultString;
    }
}

Pls suggest necessary improvements.

Regards,
Shivam

test.war <https://drive.google.com/open?id=1ChtdOQKVdehi27j0Q-xth0w_9H7qD3wg>

On Wed, Apr 16, 2025 at 4:17 PM Lukasz Lenart <[email protected]> wrote:

  Wed, 16 Apr 2025 at 07:30 Shivam Agrahari <[email protected]> wrote:
  > Could you please advise on how to resolve these issues? For your reference, I
  > have attached the WAR file of the test project along with a few relevant
  > pages.

  The best option is to read through OWASP recommendations PDFs and apply them one by one

  Cheers
  Łukasz

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
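As an added example (not code from this thread or from Struts), the checker below parses a Content-Security-Policy value the way a browser does and runs it over the policy string from the posted interceptor; it shows that the "'unsafe-inline' 'unsafe-eval' prefetch-src 'none'" segment, which has no directive name in front of it, is dropped in its entirety, and that script-src silently falls back to default-src. The directive names and findings are the checker's own, not a Struts API.

```python
"""Lint a Content-Security-Policy value the way a browser parses it (added
checker, not Struts code): ';' separates directives and the first token of
each is the directive name, so a source expression with no directive name in
front of it becomes an unknown directive and is dropped with its values."""

KNOWN = {"default-src", "script-src", "script-src-elem", "script-src-attr", "style-src",
         "style-src-elem", "style-src-attr", "img-src", "font-src", "connect-src",
         "media-src", "object-src", "frame-src", "child-src", "worker-src", "manifest-src",
         "prefetch-src", "base-uri", "form-action", "frame-ancestors", "sandbox", "report-uri",
         "report-to", "upgrade-insecure-requests", "trusted-types", "require-trusted-types-for"}
# Fetch directives fall back to default-src when they are absent from the policy.
FETCH = {"script-src", "style-src", "img-src", "font-src", "connect-src", "media-src",
         "object-src", "frame-src", "worker-src", "manifest-src"}

def parse_csp(policy):
    """Return [(name, [values...])] in header order, names lower-cased."""
    parsed = []
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            parsed.append((tokens[0].lower(), tokens[1:]))
    return parsed

def effective_sources(policy, directive):
    """Source list a browser applies for `directive`, honouring default-src fallback."""
    first = {}
    for name, values in parse_csp(policy):
        first.setdefault(name, values)  # a repeated directive is ignored by browsers
    if directive in first:
        return first[directive]
    return first.get("default-src", []) if directive in FETCH else []

def lint_csp(policy):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for name, values in parse_csp(policy):
        if name not in KNOWN:
            findings.append(f"unknown directive {name}: it and its values {values} are ignored")
    for weak in ("'unsafe-inline'", "'unsafe-eval'"):
        if weak in effective_sources(policy, "script-src"):
            findings.append(f"script-src allows {weak}")
    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none'")
    return findings

# The policy string from the posted interceptor, copied verbatim.
POSTED_POLICY = ("default-src 'self'; img-src 'self'; frame-src 'self'; connect-src 'self'; "
                 "frame-ancestors 'self'; font-src 'self'; base-uri 'self'; form-action 'self'; "
                 "'unsafe-inline' 'unsafe-eval' prefetch-src 'none'; manifest-src 'none'; "
                 "object-src 'self'; media-src 'none'; ")
```

Running lint_csp(POSTED_POLICY) reports the stray 'unsafe-inline' segment and the non-'none' object-src; the effective script-src is 'self' because the unknown directive never reached it.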

