Is Xss protection in Spring security enabled by default?
I want to enable Spring Security XSS protection in my application.

1) Read docs and blogs, and https://spring.io/blog/2013/08/23/spring-security-3-2-0-rc1-highlights-security-headers/ indicates XSS is there by default

2) And http://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html indicates it is not there by default

3) If I use http.headers().xssProtection() in my configure method in a class extending WebSecurityConfigurerAdapter: does that disable all the other default headers?

Tramway answered 3/6, 2016 at 4:56 Comment(0)
5

The defaults wouldn't be disabled until you specifically include the below code to disable the default.

http.headers().defaultsDisabled()

Regarding points 1 and 2, my understanding is that both the blog and the doc have the same information.

X-XSS-Protection: 1; mode=block

The filtering (filtering out XSS attacks) is typically enabled by default, so adding the header typically just ensures it is enabled and instructs the browser what to do when an XSS attack is detected.

Rancor answered 3/6, 2016 at 8:6 Comment(0)
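To make point 3 concrete, here is an added example (not code from the question, the answer, or Spring itself) of both shapes: customizing only xssProtection(), which leaves the other default headers in place, and the opt-out path via defaultsDisabled(), where every header still wanted has to be added back by hand. It assumes Spring Security 5.7 or later with the SecurityFilterChain bean style; the class and method names are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class HeadersConfig {

    // Customizing xssProtection() alone: Cache-Control, X-Content-Type-Options,
    // X-Frame-Options and HSTS are all still written, because nothing here
    // called defaultsDisabled().
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .headers(headers -> headers
                // Follows the OWASP advice quoted below: emit X-XSS-Protection: 0
                // rather than relying on the legacy browser filter.
                .xssProtection(xss -> xss.xssProtectionEnabled(false)));
        return http.build();
    }

    // Alternative (not registered as a bean; swap it into the headers(...)
    // customizer above to use it): defaultsDisabled() drops every default
    // header, so each one still wanted must be re-enabled explicitly.
    static void optOutOfDefaults(HeadersConfigurer<HttpSecurity> headers) {
        headers
            .defaultsDisabled()
            .contentTypeOptions(Customizer.withDefaults())        // X-Content-Type-Options: nosniff
            .frameOptions(frame -> frame.deny())                   // X-Frame-Options: DENY
            .cacheControl(Customizer.withDefaults())               // Cache-Control / Pragma / Expires
            .httpStrictTransportSecurity(Customizer.withDefaults()); // Strict-Transport-Security
        // X-XSS-Protection is deliberately left out here, matching the OWASP guidance.
    }
}
```

Newer Spring Security releases deprecate xssProtectionEnabled(boolean) in favour of a headerValue(...) setting, so check the release notes for the version your Boot project actually pulls in.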
0

According to the Spring Security documentation, security HTTP headers are activated by default when using EnableWebSecurity's default constructor. Default headers include:

  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
  Pragma: no-cache
  Expires: 0
  X-Content-Type-Options: nosniff
  Strict-Transport-Security: max-age=31536000 ; includeSubDomains
  X-Frame-Options: DENY
  X-XSS-Protection: 0

The X-XSS-Protection header is here. However, it's disabled since the header has been deprecated by modern browsers as its use can introduce additional security issues on the client side.

OWASP recommendation is to not set this header or explicitly turn it off: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection

Steeplechase answered 14/6, 2023 at 11:11 Comment(1)
apparently the above is true for a certain version of Spring Framework and above - because at least in Spring Security v5.7.5, which seems to be pulled for my Spring Boot v2.7.6 project, the default setting is still 1; mode=block (source) - Veinstone
