public final class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends SecurityConfigurerAdapter<DefaultSecurityFilterChain,B>
WebSecurityConfigurerAdapter's default constructor. Only
invoking the #headers() without invoking additional methods on it, or
accepting the default provided by WebSecurityConfigurerAdapter, is
the equivalent of:
```java
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                .contentTypeOptions()
                .xssProtection()
                .cacheControl()
                .httpStrictTransportSecurity()
                .frameOptions()
                .and()
            ...;
    }
}
```
You can disable the headers using the following:
```java
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers().disable()
            ...;
    }
}
```
You can enable only a few of the headers by invoking the appropriate methods on the headers() result. For example, the following will enable cacheControl() and frameOptions() only.
```java
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                .cacheControl()
                .frameOptions()
                .and()
            ...;
    }
}
```
| Constructor and Description |
|---|
| HeadersConfigurer() Creates a new instance |
| Modifier and Type | Method and Description |
|---|---|
| HeadersConfigurer<H> | addHeaderWriter(HeaderWriter headerWriter) Adds a HeaderWriter instance |
| HeadersConfigurer<H> | cacheControl() Adds CacheControlHeadersWriter |
| void | configure(H http) Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder. |
| HeadersConfigurer<H> | contentTypeOptions() Adds XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options: nosniff header |
| B | disable() Disables the AbstractHttpConfigurer by removing it. |
| HeadersConfigurer<H> | frameOptions() Adds XFrameOptionsHeaderWriter with all the default settings. |
| HeadersConfigurer<H> | httpStrictTransportSecurity() Adds HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS). |
| T | withObjectPostProcessor(ObjectPostProcessor<?> objectPostProcessor) |
| HeadersConfigurer<H> | xssProtection() Adds XXssProtectionHeaderWriter which adds the X-XSS-Protection header. Note this is not comprehensive XSS protection! |
Methods inherited from class SecurityConfigurerAdapter: addObjectPostProcessor, and, getBuilder, init, postProcess, setBuilder

public HeadersConfigurer()
Creates a new instance.
See also: HttpSecurity.headers()

public HeadersConfigurer<H> addHeaderWriter(HeaderWriter headerWriter)
Adds a HeaderWriter instance.
Parameters: headerWriter - the HeaderWriter instance to add
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer<H> contentTypeOptions()
Adds XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options header:
X-Content-Type-Options: nosniff
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer<H> xssProtection()
Note this is not comprehensive XSS protection!
Adds XXssProtectionHeaderWriter which adds the X-XSS-Protection header.
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer<H> cacheControl()
Adds CacheControlHeadersWriter. Specifically it adds the following headers:
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer<H> httpStrictTransportSecurity()
Adds HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).
For additional configuration options, use addHeaderWriter(HeaderWriter) and HstsHeaderWriter directly.
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer<H> frameOptions()
Adds XFrameOptionsHeaderWriter with all the default settings. For additional configuration options, use addHeaderWriter(HeaderWriter) and XFrameOptionsHeaderWriter directly.
Returns: the HeadersConfigurer for additional customizations

public void configure(H http) throws Exception
Description copied from interface: SecurityConfigurer
Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
Specified by: configure in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
Overrides: configure in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
Throws: Exception

public B disable()
Disables the AbstractHttpConfigurer by removing it. After doing so a fresh version of the configuration can be applied.
Returns: the HttpSecurityBuilder for additional customizations

public T withObjectPostProcessor(ObjectPostProcessor<?> objectPostProcessor)