public final class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends SecurityConfigurerAdapter<DefaultSecurityFilterChain,B>
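WebSecurityConfigurerAdapter's default constructor. Only invoking the #headers() without invoking additional methods on it, or accepting the default provided by WebSecurityConfigurerAdapter, is the equivalent of:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                // Each call enables one of the default header writers
                .contentTypeOptions()
                .xssProtection()
                .cacheControl()
                .httpStrictTransportSecurity()
                .frameOptions()
                .and()
            // ... remaining HttpSecurity configuration
            ;
    }
}
```

You can disable the headers using the following:

```java
// Imports as in the first example
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Removes the headers configurer, so no security headers are written
            .headers().disable()
            // ... remaining HttpSecurity configuration
            ;
    }
}
```

You can enable only a few of the headers by invoking the appropriate methods on the #headers() result. For example, the following will enable cacheControl() and frameOptions() only.

```java
// Imports as in the first example
@Configuration
@EnableWebSecurity
public class CsrfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                // Only the writers named here are enabled
                .cacheControl()
                .frameOptions()
                .and()
            // ... remaining HttpSecurity configuration
            ;
    }
}
```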
Constructor and Description |
---|
HeadersConfigurer() Creates a new instance |

Modifier and Type | Method and Description |
---|---|
HeadersConfigurer<H> | addHeaderWriter(HeaderWriter headerWriter) Adds a HeaderWriter instance |
HeadersConfigurer<H> | cacheControl() |
void | configure(H http) Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder. |
HeadersConfigurer<H> | contentTypeOptions() Adds XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options: |
B | disable() Disables the AbstractHttpConfigurer by removing it. |
HeadersConfigurer<H> | frameOptions() Adds XFrameOptionsHeaderWriter with all the default settings. |
HeadersConfigurer<H> | httpStrictTransportSecurity() Adds HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS). |
T | withObjectPostProcessor(ObjectPostProcessor<?> objectPostProcessor) |
HeadersConfigurer<H> | xssProtection() Note this is not comprehensive XSS protection! Adds XXssProtectionHeaderWriter which adds the X-XSS-Protection header |
addObjectPostProcessor, and, getBuilder, init, postProcess, setBuilder
public HeadersConfigurer()
Creates a new instance
See Also: HttpSecurity.headers()

public HeadersConfigurer<H> addHeaderWriter(HeaderWriter headerWriter)
Adds a HeaderWriter instance
Parameters: headerWriter - the HeaderWriter instance to add
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer<H> contentTypeOptions()
Adds XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options:
    X-Content-Type-Options: nosniff
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer<H> xssProtection()
Note this is not comprehensive XSS protection! Adds XXssProtectionHeaderWriter which adds the X-XSS-Protection header
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer<H> cacheControl()
CacheControlHeadersWriter. Specifically it adds the following headers:
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer<H> httpStrictTransportSecurity()
Adds HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS). For additional configuration options, use addHeaderWriter(HeaderWriter) and HstsHeaderWriter directly.
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer<H> frameOptions()
Adds XFrameOptionsHeaderWriter with all the default settings. For additional configuration options, use addHeaderWriter(HeaderWriter) and XFrameOptionsHeaderWriter directly.
Returns: the HeadersConfigurer for additional customizations

public void configure(H http) throws Exception
Description copied from interface: SecurityConfigurer
Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
Specified by: configure in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
Overrides: configure in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
Throws: Exception

public B disable()
Disables the AbstractHttpConfigurer by removing it. After doing so a fresh version of the configuration can be applied.
Returns: the HttpSecurityBuilder for additional customizations

public T withObjectPostProcessor(ObjectPostProcessor<?> objectPostProcessor)
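
The httpStrictTransportSecurity() and frameOptions() entries point to addHeaderWriter(HeaderWriter) for non-default settings. The following is an added example, not part of the Spring Security Javadoc, that uses it; because invoking methods on #headers() enables only the headers named (as described at the top of this page), the remaining defaults are listed again explicitly. The class name HardenedHeadersConfig, the constant name and the chosen max-age and frame mode are assumptions for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.HstsHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode;

// Hypothetical configuration class; the policy values below are illustrative assumptions.
@Configuration
@EnableWebSecurity
public class HardenedHeadersConfig extends WebSecurityConfigurerAdapter {

    // Assumed staged-rollout policy: a one-day HSTS max-age, to be raised
    // once every host of the site is confirmed to serve HTTPS correctly.
    private static final long HSTS_MAX_AGE_SECONDS = 24L * 60 * 60;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                // Calling any method on headers() switches from "all defaults"
                // to "only what is named", so the unchanged defaults are repeated.
                .contentTypeOptions()
                .xssProtection()
                .cacheControl()
                // Used instead of httpStrictTransportSecurity(): explicit max-age,
                // includeSubDomains left off during the rollout.
                .addHeaderWriter(new HstsHeaderWriter(HSTS_MAX_AGE_SECONDS, false))
                // Used instead of frameOptions(): allows framing by the same origin
                // only, for applications that embed their own pages.
                .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN));
    }
}
```

Leaving out one of the three repeated calls silently drops that header from every response, so checking the response headers of a deployed endpoint after a change of this kind is worthwhile.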