Class HeadersConfigurer<H extends HttpSecurityBuilder<H>>

java.lang.Object

org.springframework.security.config.annotation.SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain, H>

org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<HeadersConfigurer<H>, H>

org.springframework.security.config.annotation.web.configurers.HeadersConfigurer<H>

All Implemented Interfaces:

SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain, H>

public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
extends AbstractHttpConfigurer<HeadersConfigurer<H>, H>

Adds the Security HTTP headers to the response. Security HTTP headers is activated by default when using EnableWebSecurity's default constructor.

The default headers include are:

Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 0

Since:

3.2

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
final class	HeadersConfigurer.CacheControlConfig
final class	HeadersConfigurer.ContentSecurityPolicyConfig
final class	HeadersConfigurer.ContentTypeOptionsConfig
final class	HeadersConfigurer.CrossOriginEmbedderPolicyConfig
final class	HeadersConfigurer.CrossOriginOpenerPolicyConfig
final class	HeadersConfigurer.CrossOriginResourcePolicyConfig
final class	HeadersConfigurer.FeaturePolicyConfig
final class	HeadersConfigurer.FrameOptionsConfig
final class	HeadersConfigurer.HpkpConfig	Deprecated. see Certificate and Public Key Pinning for more context
final class	HeadersConfigurer.HstsConfig
final class	HeadersConfigurer.PermissionsPolicyConfig
final class	HeadersConfigurer.ReferrerPolicyConfig
final class	HeadersConfigurer.XXssConfig

Constructor Summary

Constructors

Constructor	Description
HeadersConfigurer()	Creates a new instance

Method Summary

Modifier and Type	Method	Description
HeadersConfigurer<H>	addHeaderWriter(org.springframework.security.web.header.HeaderWriter headerWriter)	Adds a HeaderWriter instance
HeadersConfigurer<H>	cacheControl(Customizer<HeadersConfigurer<H>.CacheControlConfig> cacheControlCustomizer)	Allows customizing the CacheControlHeadersWriter.
void	configure(H http)	Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
HeadersConfigurer<H>	contentSecurityPolicy(Customizer<HeadersConfigurer<H>.ContentSecurityPolicyConfig> contentSecurityCustomizer)	Allows configuration for Content Security Policy (CSP) Level 2.
HeadersConfigurer<H>	contentTypeOptions(Customizer<HeadersConfigurer<H>.ContentTypeOptionsConfig> contentTypeOptionsCustomizer)	Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options:
HeadersConfigurer<H>	crossOriginEmbedderPolicy(Customizer<HeadersConfigurer<H>.CrossOriginEmbedderPolicyConfig> crossOriginEmbedderPolicyCustomizer)	Allows configuration for Cross-Origin-Embedder-Policy header.
HeadersConfigurer<H>	crossOriginOpenerPolicy(Customizer<HeadersConfigurer<H>.CrossOriginOpenerPolicyConfig> crossOriginOpenerPolicyCustomizer)	Allows configuration for Cross-Origin-Opener-Policy header.
HeadersConfigurer<H>	crossOriginResourcePolicy(Customizer<HeadersConfigurer<H>.CrossOriginResourcePolicyConfig> crossOriginResourcePolicyCustomizer)	Allows configuration for Cross-Origin-Resource-Policy header.
HeadersConfigurer<H>	defaultsDisabled()	Clears all of the default headers from the response.
HeadersConfigurer<H>.FeaturePolicyConfig	featurePolicy(String policyDirectives)	Deprecated. For removal in 7.0.
HeadersConfigurer<H>	frameOptions(Customizer<HeadersConfigurer<H>.FrameOptionsConfig> frameOptionsCustomizer)	Allows customizing the XFrameOptionsHeaderWriter.
HeadersConfigurer<H>	httpPublicKeyPinning(Customizer<HeadersConfigurer<H>.HpkpConfig> hpkpCustomizer)	Deprecated. see Certificate and Public Key Pinning for more context
HeadersConfigurer<H>	httpStrictTransportSecurity(Customizer<HeadersConfigurer<H>.HstsConfig> hstsCustomizer)	Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).
HeadersConfigurer<H>.PermissionsPolicyConfig	permissionsPolicy(Customizer<HeadersConfigurer<H>.PermissionsPolicyConfig> permissionsPolicyCustomizer)	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
HeadersConfigurer<H>	permissionsPolicyHeader(Customizer<HeadersConfigurer<H>.PermissionsPolicyConfig> permissionsPolicyCustomizer)	Allows configuration for Permissions Policy.
HeadersConfigurer<H>	referrerPolicy(Customizer<HeadersConfigurer<H>.ReferrerPolicyConfig> referrerPolicyCustomizer)	Allows configuration for Referrer Policy.
HeadersConfigurer<H>	xssProtection(Customizer<HeadersConfigurer<H>.XXssConfig> xssCustomizer)	Note this is not comprehensive XSS protection!

Methods inherited from class AbstractHttpConfigurer

disable, getRequestMatcherBuilder, getSecurityContextHolderStrategy, withObjectPostProcessor

Methods inherited from class SecurityConfigurerAdapter

addObjectPostProcessor, getBuilder, init, postProcess, setBuilder

Methods inherited from class Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

HeadersConfigurer

public HeadersConfigurer()

Creates a new instance

See Also:

• HttpSecurity.headers(Customizer)

Method Details

addHeaderWriter

public HeadersConfigurer<H> addHeaderWriter(org.springframework.security.web.header.HeaderWriter headerWriter)

Adds a HeaderWriter instance

Parameters:

headerWriter - the HeaderWriter instance to add

Returns:

the HeadersConfigurer for additional customizations

contentTypeOptions

public HeadersConfigurer<H> contentTypeOptions(Customizer<HeadersConfigurer<H>.ContentTypeOptionsConfig> contentTypeOptionsCustomizer)

Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options:

X-Content-Type-Options: nosniff

Parameters:

contentTypeOptionsCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ContentTypeOptionsConfig

Returns:

the HeadersConfigurer for additional customizations

xssProtection

public HeadersConfigurer<H> xssProtection(Customizer<HeadersConfigurer<H>.XXssConfig> xssCustomizer)

Note this is not comprehensive XSS protection!

Allows customizing the XXssProtectionHeaderWriter which adds the X-XSS-Protection header

Parameters:

xssCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.XXssConfig

Returns:

the HeadersConfigurer for additional customizations

cacheControl

public HeadersConfigurer<H> cacheControl(Customizer<HeadersConfigurer<H>.CacheControlConfig> cacheControlCustomizer)

Allows customizing the CacheControlHeadersWriter. Specifically it adds the following headers:

• Cache-Control: no-cache, no-store, max-age=0, must-revalidate
• Pragma: no-cache
• Expires: 0

Parameters:

cacheControlCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.CacheControlConfig

Returns:

the HeadersConfigurer for additional customizations

httpStrictTransportSecurity

public HeadersConfigurer<H> httpStrictTransportSecurity(Customizer<HeadersConfigurer<H>.HstsConfig> hstsCustomizer)

Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).

Parameters:

hstsCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.HstsConfig

Returns:

the HeadersConfigurer for additional customizations

frameOptions

public HeadersConfigurer<H> frameOptions(Customizer<HeadersConfigurer<H>.FrameOptionsConfig> frameOptionsCustomizer)

Allows customizing the XFrameOptionsHeaderWriter.

Parameters:

frameOptionsCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.FrameOptionsConfig

Returns:

the HeadersConfigurer for additional customizations

httpPublicKeyPinning

@Deprecated
public HeadersConfigurer<H> httpPublicKeyPinning(Customizer<HeadersConfigurer<H>.HpkpConfig> hpkpCustomizer)

Deprecated.

see Certificate and Public Key Pinning for more context

Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP).

Parameters:

hpkpCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.HpkpConfig

Returns:

the HeadersConfigurer for additional customizations

contentSecurityPolicy

public HeadersConfigurer<H> contentSecurityPolicy(Customizer<HeadersConfigurer<H>.ContentSecurityPolicyConfig> contentSecurityCustomizer)

Allows configuration for Content Security Policy (CSP) Level 2.

Calling this method automatically enables (includes) the Content-Security-Policy header in the response using the supplied security policy directive(s).

Configuration is provided to the ContentSecurityPolicyHeaderWriter which supports the writing of the two headers as detailed in the W3C Candidate Recommendation:

• Content-Security-Policy
• Content-Security-Policy-Report-Only

Parameters:

contentSecurityCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ContentSecurityPolicyConfig

Returns:

the HeadersConfigurer for additional customizations

See Also:

• ContentSecurityPolicyHeaderWriter

defaultsDisabled

public HeadersConfigurer<H> defaultsDisabled()

Clears all of the default headers from the response. After doing so, one can add headers back. For example, if you only want to use Spring Security's cache control you can use the following:

http.headers().defaultsDisabled().cacheControl();

Returns:

the HeadersConfigurer for additional customization

configure

public void configure(H http)

Description copied from interface: SecurityConfigurer

Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.

Specified by:

configure in interface SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain, H extends HttpSecurityBuilder<H>>

Overrides:

configure in class SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain, H extends HttpSecurityBuilder<H>>

Parameters:

http -

referrerPolicy

public HeadersConfigurer<H> referrerPolicy(Customizer<HeadersConfigurer<H>.ReferrerPolicyConfig> referrerPolicyCustomizer)

Allows configuration for Referrer Policy.

Configuration is provided to the ReferrerPolicyHeaderWriter which support the writing of the header as detailed in the W3C Technical Report:

• Referrer-Policy

Parameters:

referrerPolicyCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ReferrerPolicyConfig

Returns:

the HeadersConfigurer for additional customizations

See Also:

• ReferrerPolicyHeaderWriter

featurePolicy

@Deprecated
public HeadersConfigurer<H>.FeaturePolicyConfig featurePolicy(String policyDirectives)

Deprecated.

For removal in 7.0. Use permissionsPolicy(Customizer) or permissionsPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.

Allows configuration for Feature Policy.

Calling this method automatically enables (includes) the Feature-Policy header in the response using the supplied policy directive(s).

Configuration is provided to the FeaturePolicyHeaderWriter which is responsible for writing the header.

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.FeaturePolicyConfig for additional configuration

Throws:

IllegalArgumentException - if policyDirectives is null or empty

Since:

5.1

See Also:

• FeaturePolicyHeaderWriter

permissionsPolicy

@Deprecated(since="6.4",
            forRemoval=true)
public HeadersConfigurer<H>.PermissionsPolicyConfig permissionsPolicy(Customizer<HeadersConfigurer<H>.PermissionsPolicyConfig> permissionsPolicyCustomizer)

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use permissionsPolicyHeader(Customizer) instead

Allows configuration for Permissions Policy.

Calling this method automatically enables (includes) the Permissions-Policy header in the response using the supplied policy directive(s).

Configuration is provided to the PermissionsPolicyHeaderWriter which is responsible for writing the header.

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.PermissionsPolicyConfig for additional configuration

Throws:

IllegalArgumentException - if policyDirectives is null or empty

Since:

5.5

See Also:

• PermissionsPolicyHeaderWriter

permissionsPolicyHeader

public HeadersConfigurer<H> permissionsPolicyHeader(Customizer<HeadersConfigurer<H>.PermissionsPolicyConfig> permissionsPolicyCustomizer)

Allows configuration for Permissions Policy.

Calling this method automatically enables (includes) the Permissions-Policy header in the response using the supplied policy directive(s).

Configuration is provided to the PermissionsPolicyHeaderWriter which is responsible for writing the header.

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.PermissionsPolicyConfig for additional configuration

Throws:

IllegalArgumentException - if policyDirectives is null or empty

Since:

6.4

See Also:

• PermissionsPolicyHeaderWriter

crossOriginOpenerPolicy

public HeadersConfigurer<H> crossOriginOpenerPolicy(Customizer<HeadersConfigurer<H>.CrossOriginOpenerPolicyConfig> crossOriginOpenerPolicyCustomizer)

Allows configuration for Cross-Origin-Opener-Policy header.

Calling this method automatically enables (includes) the Cross-Origin-Opener-Policy header in the response using the supplied policy.

Configuration is provided to the CrossOriginOpenerPolicyHeaderWriter which responsible for writing the header.

Returns:

the HeadersConfigurer for additional customizations

Since:

5.7

See Also:

• CrossOriginOpenerPolicyHeaderWriter

crossOriginEmbedderPolicy

public HeadersConfigurer<H> crossOriginEmbedderPolicy(Customizer<HeadersConfigurer<H>.CrossOriginEmbedderPolicyConfig> crossOriginEmbedderPolicyCustomizer)

Allows configuration for Cross-Origin-Embedder-Policy header.

Calling this method automatically enables (includes) the Cross-Origin-Embedder-Policy header in the response using the supplied policy.

Configuration is provided to the CrossOriginEmbedderPolicyHeaderWriter which is responsible for writing the header.

Returns:

the HeadersConfigurer for additional customizations

Since:

5.7

See Also:

• CrossOriginEmbedderPolicyHeaderWriter

crossOriginResourcePolicy

public HeadersConfigurer<H> crossOriginResourcePolicy(Customizer<HeadersConfigurer<H>.CrossOriginResourcePolicyConfig> crossOriginResourcePolicyCustomizer)

Allows configuration for Cross-Origin-Resource-Policy header.

Calling this method automatically enables (includes) the Cross-Origin-Resource-Policy header in the response using the supplied policy.

Configuration is provided to the CrossOriginResourcePolicyHeaderWriter which is responsible for writing the header:

Returns:

the HeadersConfigurer for additional customizations

Since:

5.7

See Also:

• CrossOriginResourcePolicyHeaderWriter