public class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends SecurityConfigurerAdapter<DefaultSecurityFilterChain,B>
Adds the Security HTTP headers to the response. Security HTTP headers are activated by default when using WebSecurityConfigurerAdapter's default constructor.
The default headers included are:

    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-Content-Type-Options: nosniff
    Strict-Transport-Security: max-age=31536000 ; includeSubDomains
    X-Frame-Options: DENY
    X-XSS-Protection: 1; mode=block

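The following configuration is an added example, not part of the original Javadoc or the Spring Security project's own code: it clears the defaults with defaultsDisabled(), adds back a chosen subset, and writes one extra header through addHeaderWriter. The class name HeaderSecurityConfig and the policy value are assumptions; and(), maxAgeInSeconds, includeSubDomains and sameOrigin belong to the nested config classes, and StaticHeadersWriter is a Spring Security HeaderWriter implementation, none of which are documented on this page.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

// Hypothetical application configuration class (the name is an assumption).
@Configuration
@EnableWebSecurity
public class HeaderSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                // Start from an empty set: no default header is written
                // unless it is added back below.
                .defaultsDisabled()
                // Add back the cache headers (Cache-Control, Pragma, Expires).
                .cacheControl().and()
                // Add back X-Content-Type-Options: nosniff.
                .contentTypeOptions().and()
                // HSTS with an explicit policy. The header is only written
                // on requests that arrive over HTTPS.
                .httpStrictTransportSecurity()
                    .maxAgeInSeconds(31536000)
                    .includeSubDomains(true)
                    .and()
                // Permit framing by the application's own origin rather than
                // switching X-Frame-Options off altogether.
                .frameOptions().sameOrigin()
                // A header with no dedicated method goes through a HeaderWriter.
                // The policy value here is a constructed sample.
                .addHeaderWriter(new StaticHeadersWriter(
                        "Content-Security-Policy", "default-src 'self'"));
    }
}
```

With this configuration X-XSS-Protection is not sent, because it was cleared by defaultsDisabled() and never added back.
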
Modifier and Type | Class and Description |
---|---|
class | HeadersConfigurer.CacheControlConfig |
class | HeadersConfigurer.ContentTypeOptionsConfig |
class | HeadersConfigurer.FrameOptionsConfig |
class | HeadersConfigurer.HstsConfig |
class | HeadersConfigurer.XXssConfig |

Constructor and Description |
---|
HeadersConfigurer() Creates a new instance |

addObjectPostProcessor, and, getBuilder, init, postProcess, setBuilder

public HeadersConfigurer()
See Also: HttpSecurity.headers()

public HeadersConfigurer<H> addHeaderWriter(HeaderWriter headerWriter)
Adds a HeaderWriter instance.
Parameters: headerWriter - the HeaderWriter instance to add
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer.ContentTypeOptionsConfig contentTypeOptions()
Configures the XContentTypeOptionsHeaderWriter, which inserts the X-Content-Type-Options header:
    X-Content-Type-Options: nosniff

public HeadersConfigurer.XXssConfig xssProtection()
Allows customizing the XXssProtectionHeaderWriter, which adds the X-XSS-Protection header.
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer.CacheControlConfig cacheControl()
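Allows customizing the CacheControlHeadersWriter. Specifically it adds the following headers:
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer.HstsConfig httpStrictTransportSecurity()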
Allows customizing the HstsHeaderWriter, which provides support for HTTP Strict Transport Security (HSTS).
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer.FrameOptionsConfig frameOptions()
Allows customizing the XFrameOptionsHeaderWriter.
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer<H> defaultsDisabled()
    http.headers().defaultsDisabled().cacheControl();
Returns: the HeadersConfigurer for additional customization

public void configure(H http) throws Exception
Description copied from interface: SecurityConfigurer
Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
Specified by: configure in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
Overrides: configure in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
Throws: Exception

public B disable()
Disables the AbstractHttpConfigurer by removing it. After doing so a fresh version of the configuration can be applied.
Returns: the HttpSecurityBuilder for additional customizations

public T withObjectPostProcessor(ObjectPostProcessor<?> objectPostProcessor)