---
name: cwe-693-missing-security-headers
description: Use this skill when you need to remediate CWE-693 (Missing Security Headers (Clickjacking)) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing missing security headers (clickjacking) issues.
version: 1.0.0
license: MIT
tags:
- security
- java
- cwe-693
- remediation
- sast
---

# CWE-693 Missing Security Headers (Clickjacking)

## Description

Missing Security Headers (Clickjacking)

Reference: https://cwe.mitre.org/data/definitions/693.html

OWASP Category: A05:2021 – Security Misconfiguration

## Vulnerable Pattern

### ❌ Example 1: Vulnerable Pattern
```java
// VULNERABLE: No security headers configured
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ApiController {

    // Minimal payload type so the example compiles; the original did not define Data
    public record Data(String value) {}

    @GetMapping("/data")
    public ResponseEntity<Data> getData() {
        Data data = new Data("example");
        return ResponseEntity.ok(data); // No security headers!
    }
}
```

Why it's vulnerable: the response carries neither an `X-Frame-Options` header nor a `Content-Security-Policy` `frame-ancestors` directive, so a page on any origin can embed it in a frame and overlay it (clickjacking); the MIME-sniffing and HSTS protections are missing as well.
## Deterministic Fix

### ✅ Secure Implementation
```java
// SECURE: Add security headers via filter
// (use jakarta.servlet.* instead of javax.servlet.* on Spring Boot 3 / Spring 6)
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Component;

@Component
public class SecurityHeadersFilter implements Filter {

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;

        // Prevent clickjacking in browsers that only honour X-Frame-Options
        response.setHeader("X-Frame-Options", "DENY");

        // Content Security Policy; frame-ancestors 'none' is the modern clickjacking control
        response.setHeader("Content-Security-Policy",
                "default-src 'self'; frame-ancestors 'none'");

        // Prevent MIME sniffing
        response.setHeader("X-Content-Type-Options", "nosniff");

        // XSS Protection (legacy browsers only; current browsers ignore this header)
        response.setHeader("X-XSS-Protection", "1; mode=block");

        // HSTS (only takes effect on HTTPS responses)
        response.setHeader("Strict-Transport-Security",
                "max-age=31536000; includeSubDomains");

        // Headers are set before continuing the chain so the downstream response carries them
        chain.doFilter(req, res);
    }
}
```

Or via Spring Security configuration (`WebSecurityConfigurerAdapter`, Spring Security 5.x):

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Spring Security's header defaults already send X-Content-Type-Options: nosniff
        // and HSTS on HTTPS; the calls below make the clickjacking controls explicit
        http.headers()
                .frameOptions().deny()
                .contentSecurityPolicy("default-src 'self'; frame-ancestors 'none'")
                .and()
                .xssProtection().block(true);
    }
}
```

Why it's secure: every response now carries `X-Frame-Options: DENY` and a CSP `frame-ancestors 'none'` directive, so browsers refuse to render it inside a frame on any origin; the remaining headers add the MIME-sniffing and transport protections.
## Detection Pattern

Look for these patterns in your codebase. The search finds where headers are configured; a codebase with no matches has no clickjacking protection to review, and matches should be checked against every response path:

```bash
# Check for security header configuration
grep -rnE "X-Frame-Options|frameOptions|Content-Security-Policy" --include="*.java" .
```
## Remediation Steps

1. Add `X-Frame-Options: DENY` to all responses
2. Implement `Content-Security-Policy` with `frame-ancestors 'none'`
3. Add `X-Content-Type-Options: nosniff`
4. Use Spring Security's `headers()` configuration

## Key Imports

```java
import javax.servlet.Filter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
```
## Verification

After remediation:

1. Run SAST scanner to confirm vulnerability is resolved
2. Review all instances of the vulnerable pattern
3. Add unit tests that verify the secure implementation
4. Check for similar patterns in related code
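A header audit that can be run over captured responses as part of the verification step, added here as an example; it is not part of this skill or of Spring, and the two sample header sets are constructed to mirror the vulnerable controller and the filter above.

```python
from typing import Dict, List, Optional

MIN_HSTS_MAX_AGE = 31536000  # one year, the value the filter above sends

# Constructed samples: the vulnerable ApiController response, and the same
# response after SecurityHeadersFilter has run.
VULNERABLE_RESPONSE = {"Content-Type": "application/json"}
FIXED_RESPONSE = {
    "Content-Type": "application/json",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

def _frame_ancestors(csp: str) -> Optional[str]:
    """Return the frame-ancestors source list of a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:]).lower()
    return None

def _hsts_max_age(hsts: str) -> Optional[int]:
    """Parse max-age from a Strict-Transport-Security value; None if missing or invalid."""
    for token in hsts.split(";"):
        name, _, value = token.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            return int(value)
    return None

def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response; an empty list means it passes."""
    h = {k.strip().lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings: List[str] = []
    # CSP frame-ancestors overrides X-Frame-Options in modern browsers; XFO covers older ones.
    xfo = h.get("x-frame-options", "").upper()
    fa = _frame_ancestors(h.get("content-security-policy", ""))
    if fa is None and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("clickjacking: no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors")
    elif fa is not None and "*" in fa.split():
        findings.append("clickjacking: CSP frame-ancestors allows any origin (*)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("mime-sniffing: X-Content-Type-Options nosniff missing")
    hsts = h.get("strict-transport-security")  # only meaningful on HTTPS responses
    if hsts is None:
        findings.append("hsts: Strict-Transport-Security missing")
    elif (_hsts_max_age(hsts) or 0) < MIN_HSTS_MAX_AGE:
        findings.append(f"hsts: max-age missing or below {MIN_HSTS_MAX_AGE}")
    return findings
```

Feed it the header map from each endpoint's HTTPS response (for example from a MockMvc or integration test) and fail the test when the returned list is non-empty.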
## Trigger Examples

- Fix CWE-693 vulnerability
- Resolve Missing Security Headers (Clickjacking) issue
- Secure this Java code against missing security headers (clickjacking)
- SAST reports CWE-693

## Common Vulnerable Locations

| Layer | Files | Patterns |
|---|---|---|
| Controller | `*Controller.java` | User input handling |
| Service | `*Service.java` | Business logic |
| Repository | `*Repository.java` | Data access |

## References

Source: Generated by Java CWE Security Skills Generator
Last Updated: 2026-03-07