Skills
skills/developerscoffee/java-cwe-security-skills/cwe-693-missing-security-headers

cwe-693-missing-security-headers

SKILL.md

CWE-693 Missing Security Headers (Clickjacking)

Description

Missing Security Headers (Clickjacking)

Reference: https://cwe.mitre.org/data/definitions/693.html

OWASP Category: A05:2021 – Security Misconfiguration

Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: No security headers configured
@RestController
public class ApiController {
    @GetMapping("/data")
    public ResponseEntity<Data> getData() {
        return ResponseEntity.ok(data);  // No security headers!
    }
}

Why it's vulnerable: This pattern is vulnerable to Missing Security Headers (Clickjacking)

Deterministic Fix

✅ Secure Implementation: Secure Implementation

// SECURE: Add security headers via filter
@Component
public class SecurityHeadersFilter implements Filter {
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;

        // Prevent clickjacking
        response.setHeader("X-Frame-Options", "DENY");

        // Content Security Policy
        response.setHeader("Content-Security-Policy",
            "default-src 'self'; frame-ancestors 'none'");

        // Prevent MIME sniffing
        response.setHeader("X-Content-Type-Options", "nosniff");

        // XSS Protection (legacy browsers)
        response.setHeader("X-XSS-Protection", "1; mode=block");

        // HSTS (HTTPS only)
        response.setHeader("Strict-Transport-Security",
            "max-age=31536000; includeSubDomains");

        chain.doFilter(req, res);
    }
}

// Or via Spring Security configuration
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers()
            .frameOptions().deny()
            .contentSecurityPolicy("default-src 'self'")
            .and()
            .xssProtection().block(true);
    }
}

Why it's secure: Implements proper protection against Missing Security Headers (Clickjacking)

Detection Pattern

Look for these patterns in your codebase:

# Check for security header configuration
grep -rn "X-Frame-Options\\|frameOptions\\|Content-Security-Policy" --include="*.java"

Remediation Steps

  1. Add X-Frame-Options: DENY to all responses

  2. Implement Content-Security-Policy with frame-ancestors 'none'

  3. Add X-Content-Type-Options: nosniff

  4. Use Spring Security's headers() configuration

Key Imports


import javax.servlet.Filter;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;

Verification

After remediation:

  • Run SAST scanner to confirm vulnerability is resolved

  • Review all instances of the vulnerable pattern

  • Add unit tests that verify the secure implementation

  • Check for similar patterns in related code

Trigger Examples

Fix CWE-693 vulnerability
Resolve Missing Security Headers (Clickjacking) issue
Secure this Java code against missing security headers (clickjacking)
SAST reports CWE-693

Common Vulnerable Locations

Layer Files Patterns

| Controller | *Controller.java | User input handling |

| Service | *Service.java | Business logic |

| Repository | *Repository.java | Data access |

References

Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07

Weekly Installs
1
Repository
developerscoffe…y-skills
First Seen
10 days ago
Security Audits
Gen Agent Trust HubPass
SocketPass
SnykPass
Installed on
mcpjam1
claude-code1
replit1
junie1
windsurf1
zencoder1