I want to secure my spring boot app with XSS protection. I have Spring Boot application implemented with Spring Security.

Additionally I have second application (frontend) working on different port (different origin) - that is why I cannot set Content Security Policy as 'self' for preventing XSS attacks.

How can I implement basic XSS protection, filter that can remove all suspicious strings from incoming requests?

Edit:

I have found this article: https://www.baeldung.com/spring-prevent-xss. But this project uses ESAPI library wchich is pretty big and slowing down application, so I would like to find different, easier approach.

Universal filters can be unreliable. It's usually better to apply validation for inputs, and encoding for outputs individually, as what's valid and what encoding is needed depends on the value and its context.

The main thing to do is apply the correct encoding where necessary and be careful where values are used. See the OWASP XSS Prevention page.

The Baeldung article uses ESAPI.encoder().canonicalize(value) which decodes various sequences beginning with &, % or \.

If these are valid characters in any of your inputs, then decoding can corrupt the input and shouldn't be done.

If they're not valid, then the input should be rejected. If the input really was malicious, then you shouldn't be processing it anyway. So the call to ESAPI might as well be:

if(value.matches(".*[\\\\%&].*")) {
    throw new RuntimeException("Invalid character");
}

Prefer sanitizing output instead of input to prevent XSS Attacks.

Problem with Input Sanitization:

Encoders might go pretty aggressive and change the original input. So, if your email id contains @, it might get converted to @ changing the whole meaning of the input and break the functionality.

Input Validation:

Input validation is very important for data integrity. For example, check if it's a valid email before saving it to database. This kind of validation will inherently prevent attackers from saving script data inside your database (1st half of xss attack). But, some input fields are very open by it's nature, for example: comment box, or html editor. These inputs can't be validated.

Output Sanitization:

Having html scripts inside your database is not the prime reason for xss attacks, but getting them executed while rendering in html causes the issue. So, in the context of XSS, always encode your output with encoder like ESAPI.encodeForHTML(), input validation is optional, and good to have for many reasons.

XSS and SPA (Angular/React)

If your UI is a Single Page Application using technologies like Angular, React. Then you might not need to encode your output from BE. As, these technologies will make sure to render scripts(if any) as plain text, instead of executing them.