Class HstsHeaderWriter

java.lang.Object
org.springframework.security.web.header.writers.HstsHeaderWriter
All Implemented Interfaces:
HeaderWriter

public final class HstsHeaderWriter extends Object implements HeaderWriter
Provides support for HTTP Strict Transport Security (HSTS).

By default the expiration is one year, subdomains will be included and preload will not be included. This can be customized using setMaxAgeInSeconds(long), setIncludeSubDomains(boolean) and setPreload(boolean) respectively.

Since RFC 6797 section 7.2 states that an HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport, the default behavior is that the "Strict-Transport-Security" header will only be added when ServletRequest.isSecure() returns true. At times this may need to be customized. For example, when TLS is terminated at a load balancer or reverse proxy, the hop to the application is plaintext, isSecure() returns false, and something else (typically a forwarded-protocol header set by the proxy) must be used to determine whether the client connection used TLS. For these circumstances, setRequestMatcher(RequestMatcher) can be invoked with a custom RequestMatcher.

See https://hstspreload.org for additional details on HSTS preload.

Since:
3.2
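The following configuration, added here as an example and not taken from the Spring Security project itself, wires an HstsHeaderWriter for the TLS-termination case described above. It assumes a hypothetical deployment in which the proxy forwards plain HTTP to the application and sets X-Forwarded-Proto; the bean and class names are illustrative.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.HstsHeaderWriter;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
public class HstsBehindProxyConfig {

    // Hypothetical deployment: TLS ends at a load balancer that forwards
    // plain HTTP to this application and sets X-Forwarded-Proto. Because the
    // hop to the app is plaintext, request.isSecure() is false and the
    // default HstsHeaderWriter would never emit the header.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Only trust this header if the proxy overwrites any client-supplied
        // value; otherwise a client could toggle the header at will.
        RequestMatcher behindTlsProxy = request ->
                "https".equalsIgnoreCase(request.getHeader("X-Forwarded-Proto"));

        HstsHeaderWriter hsts = new HstsHeaderWriter();
        hsts.setRequestMatcher(behindTlsProxy);
        hsts.setMaxAgeInSeconds(31536000L); // one year, the default
        hsts.setIncludeSubDomains(true);    // the default; all subdomains must serve TLS
        hsts.setPreload(false);             // only enable once you intend to submit to hstspreload.org

        http.headers(headers -> headers
                // Turn off the built-in HSTS writer so only the custom one runs
                // and the header is not written twice.
                .httpStrictTransportSecurity(h -> h.disable())
                .addHeaderWriter(hsts));
        return http.build();
    }
}
```

An alternative that avoids a custom matcher is to register Spring Framework's ForwardedHeaderFilter (or, in Spring Boot, set server.forward-headers-strategy) so that ServletRequest.isSecure() already reflects the proxy's X-Forwarded-Proto; the default RequestMatcher then works unchanged. Either way, the application must only accept forwarded headers from the trusted proxy.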
  • Constructor Details

  • Method Details

    • writeHeaders

      public void writeHeaders(jakarta.servlet.http.HttpServletRequest request, jakarta.servlet.http.HttpServletResponse response)
Adds the "Strict-Transport-Security" header to the response when the configured RequestMatcher matches the request; otherwise the response is left unchanged. The header value is built from the configured max-age, includeSubDomains and preload settings.
      Specified by:
      writeHeaders in interface HeaderWriter
      Parameters:
      request - the request
      response - the response
    • setRequestMatcher

      public void setRequestMatcher(RequestMatcher requestMatcher)
Sets the RequestMatcher used to determine whether the "Strict-Transport-Security" header should be added. If the matcher matches the request, the header is added; otherwise it is not. By default the header is added when ServletRequest.isSecure() returns true.
      Parameters:
      requestMatcher - the RequestMatcher to use.
      Throws:
      IllegalArgumentException - if RequestMatcher is null
    • setMaxAgeInSeconds

      public void setMaxAgeInSeconds(long maxAgeInSeconds)

Sets the value (in seconds) for the max-age directive of the Strict-Transport-Security header. The default is one year (31536000 seconds).

This instructs browsers how long to remember this domain as a known HSTS Host. Per RFC 6797 section 6.1.1, a max-age of zero instructs the browser to stop treating the host as a known HSTS Host, which is the supported way to roll HSTS back; note that browsers only see the new value on a later TLS response, so a previously advertised long max-age cannot be revoked for clients that do not return.

      Parameters:
      maxAgeInSeconds - the maximum amount of time (in seconds) to consider this domain as a known HSTS Host.
      Throws:
      IllegalArgumentException - if maxAgeInSeconds is negative
    • setIncludeSubDomains

      public void setIncludeSubDomains(boolean includeSubDomains)

If true, subdomains should be considered HSTS Hosts too. The default is true.

See RFC 6797 section 6.1.2 for additional details. Because this applies the policy to every subdomain, any subdomain that is still served over plain HTTP becomes unreachable in browsers that have cached the policy; confirm all subdomains are available over TLS before relying on the default.

      Parameters:
      includeSubDomains - true to include subdomains, else false
    • setPreload

      public void setPreload(boolean preload)

If true, the preload directive will be included in the HSTS header. The default is false.

The preload directive is not part of RFC 6797; it signals consent to inclusion in browser preload lists. See https://hstspreload.org for the submission requirements, which include a max-age of at least one year, includeSubDomains, and serving all subdomains over HTTPS.

      Parameters:
      preload - true to include preload, else false
      Since:
      5.2.0
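The following unit test, added here as an example and not part of the Spring Security project, exercises writeHeaders and the three setters above against Spring's MockHttpServletRequest/MockHttpServletResponse. It shows the isSecure() gate, the default header value, the effect of preload, and the max-age=0 rollback case. The expected strings follow the format Spring Security emits (directives separated by " ; "); the test class and method names are illustrative.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNull;

import org.junit.jupiter.api.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.header.writers.HstsHeaderWriter;

class HstsHeaderWriterBehaviourTest {

    private static final String HSTS = "Strict-Transport-Security";

    // Runs the writer against a constructed request and returns the header
    // it produced (null when the writer decided not to add one).
    private static String headerFor(HstsHeaderWriter writer, boolean secure) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/");
        request.setSecure(secure); // drives ServletRequest.isSecure()
        MockHttpServletResponse response = new MockHttpServletResponse();
        writer.writeHeaders(request, response);
        return response.getHeader(HSTS);
    }

    @Test
    void defaultsEmitHeaderOnlyForSecureRequests() {
        HstsHeaderWriter writer = new HstsHeaderWriter();
        // Plain HTTP: RFC 6797 forbids sending STS, so nothing is written.
        assertNull(headerFor(writer, false));
        // TLS: one year, subdomains included, no preload.
        assertEquals("max-age=31536000 ; includeSubDomains", headerFor(writer, true));
    }

    @Test
    void preloadDirectiveIsAppendedWhenEnabled() {
        HstsHeaderWriter writer = new HstsHeaderWriter();
        writer.setPreload(true);
        assertEquals("max-age=31536000 ; includeSubDomains ; preload", headerFor(writer, true));
    }

    @Test
    void customMatcherOverridesIsSecureGate() {
        HstsHeaderWriter writer = new HstsHeaderWriter();
        // Hypothetical proxy setup: trust X-Forwarded-Proto instead of isSecure().
        writer.setRequestMatcher(request ->
                "https".equalsIgnoreCase(request.getHeader("X-Forwarded-Proto")));
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/");
        request.addHeader("X-Forwarded-Proto", "https");
        MockHttpServletResponse response = new MockHttpServletResponse();
        writer.writeHeaders(request, response);
        assertEquals("max-age=31536000 ; includeSubDomains", response.getHeader(HSTS));
    }

    @Test
    void zeroMaxAgeTellsBrowsersToForgetTheHost() {
        HstsHeaderWriter writer = new HstsHeaderWriter();
        writer.setMaxAgeInSeconds(0);
        writer.setIncludeSubDomains(false);
        // Rollback value per RFC 6797 6.1.1: browser drops the cached policy.
        assertEquals("max-age=0", headerFor(writer, true));
    }
}
```

The test needs spring-security-web, spring-test and JUnit 5 on the classpath. The max-age=0 case is the one to reach for when an HSTS rollout must be reverted; it only helps browsers that make another TLS request, which is why staging the initial max-age at a small value before moving to a year is the safer rollout order.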