name: cwe-693-missing-security-headers
description: Use this skill when you need to remediate CWE-693 (Missing Security Headers (Clickjacking)) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing missing security headers (clickjacking) issues.
version: 1.0.0
license: MIT
tags: security, java, cwe-693, remediation, sast

CWE-693 Missing Security Headers (Clickjacking)

Description

Missing Security Headers (Clickjacking): the application's HTTP responses omit the headers that tell the browser not to render the page inside a frame on another origin (X-Frame-Options and the Content-Security-Policy frame-ancestors directive), so a third-party site can embed the application and overlay its UI to trick users into clicking on it.

Reference: https://cwe.mitre.org/data/definitions/693.html

OWASP Category: A05:2021 – Security Misconfiguration


Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: No security headers configured
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ApiController {
    private final Data data = new Data();  // any serialisable DTO; placeholder payload

    @GetMapping("/data")
    public ResponseEntity<Data> getData() {
        // Served without X-Frame-Options or a CSP frame-ancestors directive,
        // so a browser will render this response inside a frame on any origin.
        return ResponseEntity.ok(data);  // No security headers!
    }
}

Why it's vulnerable: Neither the controller nor any filter sets X-Frame-Options or a Content-Security-Policy with frame-ancestors, so the browser has no instruction to refuse framing and an attacker-controlled page can embed the response in an invisible iframe (clickjacking). The related headers (X-Content-Type-Options, HSTS) are missing as well.


Deterministic Fix

✅ Secure Implementation

// SECURE: Add security headers via filter (SecurityHeadersFilter.java)
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Component;

@Component
public class SecurityHeadersFilter implements Filter {
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;

        // Headers are set before delegating so they are present on every response,
        // including error responses produced further down the chain.

        // Prevent clickjacking (legacy header, still honoured by all browsers)
        response.setHeader("X-Frame-Options", "DENY");

        // Content Security Policy; frame-ancestors 'none' is the modern clickjacking control
        response.setHeader("Content-Security-Policy",
            "default-src 'self'; frame-ancestors 'none'");

        // Prevent MIME sniffing
        response.setHeader("X-Content-Type-Options", "nosniff");

        // XSS Protection (legacy browsers only; current OWASP guidance is to send "0"
        // or omit the header, since the filter it enables has been abused for side channels)
        response.setHeader("X-XSS-Protection", "1; mode=block");

        // HSTS (browsers only honour it on HTTPS responses; ignored over plain HTTP)
        response.setHeader("Strict-Transport-Security",
            "max-age=31536000; includeSubDomains");

        chain.doFilter(req, res);
    }
}

// Or via Spring Security configuration (SecurityConfig.java).
// WebSecurityConfigurerAdapter is the Spring Security 5.x API; it is deprecated since 5.7
// and removed in 6.x, where the same headers() calls go on a SecurityFilterChain bean.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers()
            .frameOptions().deny()
            // frame-ancestors 'none' matches the filter above and remediation step 2
            .contentSecurityPolicy("default-src 'self'; frame-ancestors 'none'")
            .and()
            .xssProtection().block(true);
    }
}

Why it's secure: Every response now carries X-Frame-Options: DENY and a Content-Security-Policy with frame-ancestors 'none', so the browser refuses to render the page inside a frame on any origin, which is what defeats clickjacking. X-Content-Type-Options: nosniff and Strict-Transport-Security close the adjacent misconfiguration findings. The filter approach applies to any servlet application; the Spring Security headers() approach reaches the same result through the framework's own header writers.


Detection Pattern

Look for these patterns in your codebase:

# Check for security header configuration
grep -rnE "X-Frame-Options|frameOptions|Content-Security-Policy" --include="*.java" .

Remediation Steps

  1. Add X-Frame-Options: DENY to all responses

  2. Implement Content-Security-Policy with frame-ancestors 'none'

  3. Add X-Content-Type-Options: nosniff

  4. Use Spring Security's headers() configuration


Key Imports

import javax.servlet.Filter;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;

Verification

After remediation:

  • Run SAST scanner to confirm vulnerability is resolved

  • Review all instances of the vulnerable pattern

  • Add unit tests that verify the secure implementation

  • Check for similar patterns in related code
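The unit test called for above, as an added example that is not part of the original skill file: a JUnit 5 test for the SecurityHeadersFilter shown in the Deterministic Fix, using Spring's servlet mocks from spring-test so it runs without a container. It assumes JUnit 5 and spring-test are on the test classpath and that SecurityHeadersFilter is in the same package.

```java
// Added example: verifies that SecurityHeadersFilter sets the anti-clickjacking headers
// and still delegates to the rest of the filter chain. Assumes JUnit 5 + spring-test.
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertTrue;

import org.junit.jupiter.api.Test;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;

class SecurityHeadersFilterTest {

    @Test
    void responsesCarryAntiClickjackingHeaders() throws Exception {
        // Constructed request: a plain GET to the endpoint from the vulnerable example
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/data");
        MockHttpServletResponse response = new MockHttpServletResponse();
        MockFilterChain chain = new MockFilterChain();

        new SecurityHeadersFilter().doFilter(request, response, chain);

        // Both framing controls must be present: the legacy header and the CSP directive
        assertEquals("DENY", response.getHeader("X-Frame-Options"));
        String csp = response.getHeader("Content-Security-Policy");
        assertNotNull(csp, "Content-Security-Policy header missing");
        assertTrue(csp.contains("frame-ancestors 'none'"),
                "CSP must forbid framing, got: " + csp);

        // Related headers from the same filter
        assertEquals("nosniff", response.getHeader("X-Content-Type-Options"));
        String hsts = response.getHeader("Strict-Transport-Security");
        assertNotNull(hsts, "Strict-Transport-Security header missing");
        assertTrue(hsts.startsWith("max-age="), "HSTS must carry a max-age, got: " + hsts);

        // A header-only filter that never delegates would break the application,
        // so confirm the request reached the rest of the chain
        assertEquals(request, chain.getRequest());
    }
}
```

The same assertions can be run against the Spring Security configuration variant with MockMvc (`mockMvc.perform(get("/data")).andExpect(header().string("X-Frame-Options", "DENY"))`), which exercises the framework's header writers rather than the filter.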


Trigger Examples

Fix CWE-693 vulnerability
Resolve Missing Security Headers (Clickjacking) issue
Secure this Java code against missing security headers (clickjacking)
SAST reports CWE-693

Common Vulnerable Locations

| Layer      | Files            | Patterns            |
|------------|------------------|---------------------|
| Controller | *Controller.java | User input handling |
| Service    | *Service.java    | Business logic      |
| Repository | *Repository.java | Data access         |


References


Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07