[Esapi-user] SecurityWrapperResponse::addHeader too short

Greene, Geoffrey N geoffrey.n.greene at boeing.com
Wed Jan 13 17:57:35 UTC 2016

Running ESAPI 2.1.0 in a spring security environment

I notice that SecurityWrapperResponse::setHeader has the following line in it:

String safeName = ESAPI.validator().getValidInput("addHeader", strippedName, "HTTPHeaderName", 20, false);

However, if the header name is "X-Content-Type-Options" (which is a legitimate Header name), this will fail (and does for me) because it is greater than 20 characters
Heck, Content-Security-Policy-Report-Only is 36 characters.  20 seems small, and relatively arbitrary

Is there any legitimate reason why this number is hardcoded?  Spring-security uses the X-Content-Type-Options header when you have an xml file that looks like this:

    <security:content-type-options />

I can override SecurityWrapperResponse, but I am a bit surprised that it is necessary.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/esapi-user/attachments/20160113/4893ec14/attachment.html>

More information about the Esapi-user mailing list