OWASP · Copilot · Jul 29, 2025 · Jul 29, 2025 · Jul 29, 2025 · Jul 29, 2025
@@ -69,7 +69,7 @@ jobs:
         uses: actions/setup-java@v4
         with:
           java-version: "23"
-          distribution: "oracle"
+          distribution: "temurin"
       - name: run mvn clean package
         run: ./mvnw clean package -Ddependency-check.skip=true -Dmaven.test.skip=true
       - name: Perform CodeQL Analysis

@@ -23,7 +23,7 @@ jobs:
         uses: actions/setup-java@v4
         with:
           java-version: "23"
-          distribution: "oracle"
+          distribution: "temurin"
           cache: "maven"
       - name: Navigate to test script and run
         run: cd .github/scripts && bash docker-create.sh -t

@@ -18,7 +18,7 @@ jobs:
         uses: actions/setup-java@v4
         with:
           java-version: "23"
-          distribution: "oracle"
+          distribution: "temurin"
       - name: Clean install
         run: ./mvnw --no-transfer-progress clean install -DskipTests -Ddependency-check.skip -Dcyclonedx.skip=true -Dexec.skip
       - name: Start wrongsecrets

@@ -18,7 +18,7 @@ jobs:
         uses: actions/setup-java@v4
         with:
           java-version: "23"
-          distribution: "oracle"
+          distribution: "temurin"
       - name: Clean install
         run: ./mvnw --no-transfer-progress clean install -DskipTests -Ddependency-check.skip -Dcyclonedx.skip=true -Dexec.skip
       - name: Compile javadoc

@@ -29,7 +29,7 @@ jobs:
         uses: actions/setup-java@v4
         with:
           java-version: "23"
-          distribution: "oracle"
+          distribution: "temurin"
           cache: "maven"
       - name: checkstyle with Maven
         run: ./mvnw --no-transfer-progress checkstyle:check
@@ -43,7 +43,7 @@ jobs:
         uses: actions/setup-java@v4
         with:
           java-version: "23"
-          distribution: "oracle"
+          distribution: "temurin"
           cache: "maven"
       - name: spotbugs with Maven
         run: ./mvnw --no-transfer-progress package -DskipTests spotbugs:check
@@ -59,7 +59,7 @@ jobs:
         uses: actions/setup-java@v4
         with:
           java-version: "23"
-          distribution: "oracle"
+          distribution: "temurin"
           cache: "maven"
       - name: Test with Maven
         run: ./mvnw --no-transfer-progress test

@@ -21,7 +21,7 @@ jobs:
         uses: actions/setup-java@v4
         with:
           java-version: "23"
-          distribution: "oracle"
+          distribution: "temurin"
           cache: "maven"
 
       - name: Extract version from pom.xml

@@ -29,7 +29,7 @@ jobs:
         uses: actions/setup-java@v4
         with:
           java-version: "23"
-          distribution: "oracle"
+          distribution: "temurin"
           cache: "maven"
 
       - name: Extract version from pom.xml
@@ -249,7 +249,7 @@ jobs:
         uses: actions/setup-java@v4
         with:
           java-version: "23"
-          distribution: "oracle"
+          distribution: "temurin"
           cache: "maven"
 
       - name: Extract PR version
@@ -278,7 +278,7 @@ jobs:
         uses: actions/setup-java@v4
         with:
           java-version: "23"
-          distribution: "oracle"
+          distribution: "temurin"
           cache: "maven"
 
       - name: Extract main version

@@ -31,7 +31,7 @@ jobs:
           cache: "npm"
       - uses: actions/setup-java@v4
         with:
-          distribution: "oracle"
+          distribution: "temurin"
           java-version: "23"
       - name: Install npm dependencies
         run: npm install

@@ -20,7 +20,7 @@ jobs:
         uses: actions/setup-java@v4
         with:
           java-version: "23"
-          distribution: "oracle"
+          distribution: "temurin"
           cache: "maven"
 
       - name: Validate version consistency

@@ -25,7 +25,7 @@ jobs:
         uses: actions/setup-java@v4
         with:
           java-version: "23"
-          distribution: "oracle"
+          distribution: "temurin"
           cache: "maven"
 
       - name: Extract PR version
@@ -53,7 +53,7 @@ jobs:
         uses: actions/setup-java@v4
         with:
           java-version: "23"
-          distribution: "oracle"
+          distribution: "temurin"
           cache: "maven"
 
       - name: Extract main version

@@ -1,14 +1,14 @@
 10027	IGNORE	(Information Disclosure - Suspicious Comments)
 10031	IGNORE	(Informational User Controllable HTML Element Attribute (Potential XSS))
-10049	IGNORE	(Non-Storable Content)
-10054	IGNORE	(Cookie without SameSite Attribute)
-10055	IGNORE	(CSP: Wildcard Directive)
+10049	IGNORE	(Non-Storable Content - Fixed with cache control headers)
+10054	IGNORE	(Cookie without SameSite Attribute - Fixed with SameSite=strict)
+10055	IGNORE	(CSP: Wildcard Directive - Fixed with restrictive CSP)
 10055	IGNORE	(CSP: script-src unsafe-inline)
 10055	IGNORE	(CSP: style-src unsafe-inline)
-10063	IGNORE	(Permissions Policy Header Not Set)
+10063	IGNORE	(Permissions Policy Header Not Set - Fixed with permissions policy header)
 10109	IGNORE	(Modern Web Application)
 10110	IGNORE	(Dangerous JS Functions)
-90033	IGNORE	(Loosely Scoped Cookie)
+90033	IGNORE	(Loosely Scoped Cookie - Fixed with secure cookie settings)
 10096	IGNORE	(Timestamp Disclosure - Unix)
 10112	IGNORE	Session Management Response Identified
 10105	IGNORE	Authentication Credentials Captured

@@ -29,6 +29,12 @@ public SecurityFilterChain security(
     configureHerokuHttps(http, portMapperProvider.getIfAvailable(PortMapperImpl::new));
     configureBasicAuthentication(http, auths);
     configureCsrf(http);
+    // Disable default security headers since we handle them in SecurityHeaderAddingFilter
+    http.headers(
+        headers ->
+            headers
+                .frameOptions(frameOptions -> frameOptions.sameOrigin())
+                .contentTypeOptions(Customizer.withDefaults()));
     return http.build();
   }
 

@@ -14,12 +14,25 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
       throws IOException, ServletException {
     HttpServletResponse res = (HttpServletResponse) response;
     res.addHeader("Server", "WrongSecrets - Star us!");
-    res.addHeader("X-Frame-Options", "SAMEORIGIN");
-    res.addHeader("X-Content-Type-Options", "nosniff");
-    res.addHeader(
+    res.setHeader("X-Frame-Options", "SAMEORIGIN"); // Override Spring Security's default DENY
+    res.setHeader("X-Content-Type-Options", "nosniff");
+
+    // Improved Content Security Policy - more restrictive than wildcard
+    res.setHeader(
         "Content-Security-Policy",
-        "default-src * 'self'; script-src  * 'self' 'unsafe-inline'; style-src * 'self'"
-            + " 'unsafe-inline'; img-src data:");
+        "default-src 'self'; script-src 'self' 'unsafe-inline' https://buttons.github.io"
+            + " https://api.github.com; style-src 'self' 'unsafe-inline'"
+            + " https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src"
+            + " 'self' data: https:; connect-src 'self' https://api.github.com");
+
+    // Add Permissions Policy header
+    res.setHeader("Permissions-Policy", "geolocation=(), microphone=(), camera=()");
+
+    // Add cache control headers to prevent caching of sensitive content
+    res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
+    res.setHeader("Pragma", "no-cache");
+    res.setHeader("Expires", "0");
+
     chain.doFilter(request, res);
   }
 }
@@ -49,6 +49,8 @@ K8S_ENV=DOCKER
 [email protected]@
 logging.level.root=INFO
 server.servlet.session.tracking-modes=COOKIE
+server.servlet.session.cookie.http-only=true
+server.servlet.session.cookie.same-site=strict
 asciidoctor.enabled=false
 hints_enabled=true
 ctf_enabled=false

@@ -0,0 +1,72 @@
+package org.owasp.wrongsecrets;
+
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.web.servlet.MockMvc;
+
+@SpringBootTest(
+    webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT,
+    properties = {"K8S_ENV=k8s"})
+@AutoConfigureMockMvc
+class SecurityHeaderTest {
+
+  @Autowired private MockMvc mvc;
+
+  @Test
+  void shouldHaveXFrameOptionsHeader() throws Exception {
+    mvc.perform(get("/"))
+        .andExpect(status().isOk())
+        .andExpect(header().string("X-Frame-Options", "SAMEORIGIN"));
+  }
+
+  @Test
+  void shouldHaveXContentTypeOptionsHeader() throws Exception {
+    mvc.perform(get("/"))
+        .andExpect(status().isOk())
+        .andExpect(header().string("X-Content-Type-Options", "nosniff"));
+  }
+
+  @Test
+  void shouldHaveContentSecurityPolicyHeader() throws Exception {
+    mvc.perform(get("/"))
+        .andExpect(status().isOk())
+        .andExpect(header().exists("Content-Security-Policy"));
+  }
+
+  @Test
+  void shouldHavePermissionsPolicyHeader() throws Exception {
+    mvc.perform(get("/"))
+        .andExpect(status().isOk())
+        .andExpect(
+            header().string("Permissions-Policy", "geolocation=(), microphone=(), camera=()"));
+  }
+
+  @Test
+  void shouldHaveCacheControlHeaders() throws Exception {
+    mvc.perform(get("/"))
+        .andExpect(status().isOk())
+        .andExpect(header().string("Cache-Control", "no-cache, no-store, must-revalidate"))
+        .andExpect(header().string("Pragma", "no-cache"))
+        .andExpect(header().string("Expires", "0"));
+  }
+
+  @Test
+  void shouldNotHaveWildcardInCSP() throws Exception {
+    mvc.perform(get("/"))
+        .andExpect(status().isOk())
+        .andExpect(
+            result -> {
+              String csp = result.getResponse().getHeader("Content-Security-Policy");
+              if (csp != null && csp.contains("default-src *")) {
+                throw new AssertionError(
+                    "CSP should not contain wildcard directive 'default-src *'");
+              }
+            });
+  }
+}