public class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,B>
Adds the Security HTTP headers to the response. Security HTTP headers are activated by
default when using WebSecurityConfigurerAdapter's default constructor.
The default headers included are:

```http
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
```
| Modifier and Type | Class and Description |
|---|---|
| class | HeadersConfigurer.CacheControlConfig |
| class | HeadersConfigurer.ContentSecurityPolicyConfig |
| class | HeadersConfigurer.ContentTypeOptionsConfig |
| class | HeadersConfigurer.FrameOptionsConfig |
| class | HeadersConfigurer.HpkpConfig |
| class | HeadersConfigurer.HstsConfig |
| class | HeadersConfigurer.XXssConfig |
| Constructor and Description |
|---|
| HeadersConfigurer() Creates a new instance |
| Modifier and Type | Method and Description |
|---|---|
| HeadersConfigurer<H> | addHeaderWriter(org.springframework.security.web.header.HeaderWriter headerWriter) Adds a HeaderWriter instance |
| HeadersConfigurer.CacheControlConfig | cacheControl() Allows customizing the CacheControlHeadersWriter. |
| void | configure(H http) Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder. |
| HeadersConfigurer.ContentSecurityPolicyConfig | contentSecurityPolicy(String policyDirectives) Allows configuration for Content Security Policy (CSP) Level 2. |
| HeadersConfigurer.ContentTypeOptionsConfig | contentTypeOptions() Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options: nosniff header. |
| HeadersConfigurer<H> | defaultsDisabled() Clears all of the default headers from the response. |
| B | disable() Disables the AbstractHttpConfigurer by removing it. |
| HeadersConfigurer.FrameOptionsConfig | frameOptions() Allows customizing the XFrameOptionsHeaderWriter. |
| HeadersConfigurer.HpkpConfig | httpPublicKeyPinning() Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP). |
| HeadersConfigurer.HstsConfig | httpStrictTransportSecurity() Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS). |
| T | withObjectPostProcessor(ObjectPostProcessor<?> objectPostProcessor) |
| HeadersConfigurer.XXssConfig | xssProtection() Allows customizing the XXssProtectionHeaderWriter which adds the X-XSS-Protection header. Note this is not comprehensive XSS protection! |
Methods inherited from class SecurityConfigurerAdapter: addObjectPostProcessor, and, getBuilder, init, postProcess, setBuilder

public HeadersConfigurer()
Creates a new instance.
See Also: HttpSecurity.headers()

public HeadersConfigurer<H> addHeaderWriter(org.springframework.security.web.header.HeaderWriter headerWriter)
Adds a HeaderWriter instance.
Parameters: headerWriter - the HeaderWriter instance to add
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer.ContentTypeOptionsConfig contentTypeOptions()
Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options header:
X-Content-Type-Options: nosniff

public HeadersConfigurer.XXssConfig xssProtection()
Allows customizing the XXssProtectionHeaderWriter which adds the X-XSS-Protection header. Note this is not comprehensive XSS protection!
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer.CacheControlConfig cacheControl()
Allows customizing the CacheControlHeadersWriter. Specifically it adds the Cache-Control, Pragma and Expires headers listed above.
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer.HstsConfig httpStrictTransportSecurity()
Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer.FrameOptionsConfig frameOptions()
Allows customizing the XFrameOptionsHeaderWriter.
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer.HpkpConfig httpPublicKeyPinning()
Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP).
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer.ContentSecurityPolicyConfig contentSecurityPolicy(String policyDirectives)
Allows configuration for Content Security Policy (CSP) Level 2.
Calling this method automatically enables (includes) the Content-Security-Policy header in the response using the supplied security policy directive(s).
Configuration is provided to the ContentSecurityPolicyHeaderWriter which supports the writing of the two headers as detailed in the W3C Candidate Recommendation:
Throws: IllegalArgumentException - if policyDirectives is null or empty
See Also: ContentSecurityPolicyHeaderWriter

public HeadersConfigurer<H> defaultsDisabled()
Clears all of the default headers from the response. For example:
http.headers().defaultsDisabled().cacheControl();
Returns: the HeadersConfigurer for additional customization

public void configure(H http) throws Exception
Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
Specified by: configure in interface SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
Overrides: configure in class SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
Throws: Exception

public B disable()
Disables the AbstractHttpConfigurer by removing it. After doing so a fresh version of the configuration can be applied.
Returns: the HttpSecurityBuilder for additional customizations

public T withObjectPostProcessor(ObjectPostProcessor<?> objectPostProcessor)
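A complete configuration built on the methods documented above, added here as an illustration rather than taken from the Spring Security Javadoc: it starts from defaultsDisabled() and opts back into each header explicitly, and also exercises contentSecurityPolicy(), frameOptions(), httpStrictTransportSecurity() and addHeaderWriter(). The class name HeadersSecurityConfig, the CSP directives and the /csp-report path are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

// Assumed class name; any @EnableWebSecurity configuration class works the same way.
@Configuration
@EnableWebSecurity
public class HeadersSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                // Start from an empty header set: every header below is opted in explicitly.
                // Without defaultsDisabled() the defaults listed at the top of this page
                // would already be written.
                .defaultsDisabled()
                // Cache-Control / Pragma / Expires: keep authenticated pages out of caches.
                .cacheControl().and()
                // X-Content-Type-Options: nosniff
                .contentTypeOptions().and()
                // Strict-Transport-Security: max-age=31536000 ; includeSubDomains.
                // HstsHeaderWriter only writes this header on HTTPS requests by default.
                .httpStrictTransportSecurity()
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000)
                    .and()
                // X-Frame-Options: SAMEORIGIN instead of the default DENY, for an
                // application that frames its own pages. sameOrigin() returns the
                // HeadersConfigurer, so no and() is needed here.
                .frameOptions().sameOrigin()
                // X-XSS-Protection: 1; mode=block (legacy browser filter, not real XSS protection).
                .xssProtection().block(true).and()
                // Content-Security-Policy-Report-Only: observe violations before enforcing.
                // Directives and report path are assumed values for this example.
                .contentSecurityPolicy("default-src 'self'; script-src 'self'; report-uri /csp-report")
                    .reportOnly()
                    .and()
                // Headers without a dedicated config can be added via any HeaderWriter.
                .addHeaderWriter(new StaticHeadersWriter("Referrer-Policy", "same-origin"));
    }
}
```

Dropping reportOnly() switches the policy to the enforcing Content-Security-Policy header once the report endpoint shows no legitimate violations.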