public final class HstsHeaderWriter extends Object implements HeaderWriter

By default the expiration is one year and subdomains are included. This can be customized using setMaxAgeInSeconds(long) and setIncludeSubDomains(boolean) respectively.

Since section 7.2 of RFC 6797 states that an HSTS Host MUST NOT include the STS header in HTTP responses, the default behavior is that the "Strict-Transport-Security" header will only be added when ServletRequest.isSecure() returns true. At times this may need to be customized. For example, in some situations where SSL termination is used, something else may be used to determine if SSL was used. For these circumstances, setRequestMatcher(RequestMatcher) can be invoked with a custom RequestMatcher.
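The following is an added example, not code from the Spring Security Javadoc or project, showing the default isSecure() behavior and the SSL-termination case described above. It assumes spring-test's MockHttpServletRequest and MockHttpServletResponse are on the classpath, and that the TLS-terminating proxy sets the X-Forwarded-Proto header (a conventional but assumed header name) and overwrites any value supplied by the client.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.header.writers.HstsHeaderWriter;
import org.springframework.security.web.util.matcher.RequestMatcher;

public class HstsBehindProxyExample {

    // Assumption: the proxy that terminates TLS sets X-Forwarded-Proto and
    // strips any client-supplied value. If clients can set this header
    // themselves, the matcher would emit HSTS on plain-HTTP responses,
    // which RFC 6797 section 7.2 forbids.
    static final RequestMatcher FORWARDED_HTTPS = (HttpServletRequest request) ->
            "https".equalsIgnoreCase(request.getHeader("X-Forwarded-Proto"));

    // Run the writer against a request and return the resulting header value
    // (null when the writer decided not to add it).
    static String headerFor(HstsHeaderWriter writer, MockHttpServletRequest request) {
        MockHttpServletResponse response = new MockHttpServletResponse();
        writer.writeHeaders(request, response);
        return response.getHeader("Strict-Transport-Security");
    }

    public static void main(String[] args) {
        // Default writer: one year max-age, includeSubDomains, and the header
        // is only written when ServletRequest.isSecure() returns true.
        HstsHeaderWriter defaults = new HstsHeaderWriter();

        MockHttpServletRequest plainHttp = new MockHttpServletRequest();
        plainHttp.setSecure(false);
        System.out.println("default writer, plain HTTP : " + headerFor(defaults, plainHttp));

        MockHttpServletRequest directTls = new MockHttpServletRequest();
        directTls.setSecure(true);
        System.out.println("default writer, direct TLS : " + headerFor(defaults, directTls));

        // Behind a TLS-terminating proxy the container sees plain HTTP, so
        // isSecure() is false and the default writer stays silent. Supply a
        // RequestMatcher that consults the proxy's forwarded-proto header.
        HstsHeaderWriter behindProxy = new HstsHeaderWriter(FORWARDED_HTTPS, 31536000L, true);

        MockHttpServletRequest forwarded = new MockHttpServletRequest();
        forwarded.setSecure(false);
        forwarded.addHeader("X-Forwarded-Proto", "https");
        System.out.println("proxy matcher, forwarded   : " + headerFor(behindProxy, forwarded));
    }
}
```

Only the forwarded request with the proxy-aware matcher and the direct TLS request with the default writer produce the header; the plain HTTP request with the default writer does not.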
| Constructor and Description |
|---|
| HstsHeaderWriter() Creates a new instance |
| HstsHeaderWriter(boolean includeSubDomains) Creates a new instance |
| HstsHeaderWriter(long maxAgeInSeconds) Creates a new instance |
| HstsHeaderWriter(long maxAgeInSeconds, boolean includeSubDomains) Creates a new instance |
| HstsHeaderWriter(RequestMatcher requestMatcher, long maxAgeInSeconds, boolean includeSubDomains) Creates a new instance |
| Modifier and Type | Method and Description |
|---|---|
| void | setIncludeSubDomains(boolean includeSubDomains) If true, subdomains should be considered HSTS Hosts too. |
| void | setMaxAgeInSeconds(long maxAgeInSeconds) Sets the value (in seconds) for the max-age directive of the Strict-Transport-Security header. |
| void | setRequestMatcher(RequestMatcher requestMatcher) Sets the RequestMatcher used to determine if the "Strict-Transport-Security" header should be added. |
| void | writeHeaders(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response) Create a Header instance. |
public HstsHeaderWriter(RequestMatcher requestMatcher, long maxAgeInSeconds, boolean includeSubDomains)
Parameters:
requestMatcher - maps to setRequestMatcher(RequestMatcher)
maxAgeInSeconds - maps to setMaxAgeInSeconds(long)
includeSubDomains - maps to setIncludeSubDomains(boolean)

public HstsHeaderWriter(long maxAgeInSeconds, boolean includeSubDomains)
Parameters:
maxAgeInSeconds - maps to setMaxAgeInSeconds(long)
includeSubDomains - maps to setIncludeSubDomains(boolean)

public HstsHeaderWriter(long maxAgeInSeconds)
Parameters:
maxAgeInSeconds - maps to setMaxAgeInSeconds(long)

public HstsHeaderWriter(boolean includeSubDomains)
Parameters:
includeSubDomains - maps to setIncludeSubDomains(boolean)

public HstsHeaderWriter()
public void writeHeaders(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Create a Header instance.
Specified by: writeHeaders in interface HeaderWriter
Parameters:
request - the request
response - the response

public void setRequestMatcher(RequestMatcher requestMatcher)
Sets the RequestMatcher used to determine if the "Strict-Transport-Security" header should be added. If the matcher returns true the header is added, else the header is not added. By default the header is added when ServletRequest.isSecure() returns true.
Parameters:
requestMatcher - the RequestMatcher to use.
Throws:
IllegalArgumentException - if RequestMatcher is null

public void setMaxAgeInSeconds(long maxAgeInSeconds)
Sets the value (in seconds) for the max-age directive of the Strict-Transport-Security header. The default is one year. This instructs browsers how long to remember to keep this domain as a known HSTS Host. See Section 6.1.1 of RFC 6797 for additional details.
Parameters:
maxAgeInSeconds - the maximum amount of time (in seconds) to consider this domain as a known HSTS Host.
Throws:
IllegalArgumentException - if maxAgeInSeconds is negative

public void setIncludeSubDomains(boolean includeSubDomains)
If true, subdomains should be considered HSTS Hosts too. The default is true. See Section 6.1.2 of RFC 6797 for additional details.
Parameters:
includeSubDomains - true to include subdomains, else false