public final class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHttpConfigurer<HeadersConfigurer<H>,H>

Adds the security HTTP headers to the response. The security HTTP headers are activated by default when using WebSecurityConfigurerAdapter's default constructor.

The headers included by default are:

Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Nested Class Summary

Modifier and Type | Class and Description |
---|---|
class | HeadersConfigurer.CacheControlConfig |
class | HeadersConfigurer.ContentSecurityPolicyConfig |
class | HeadersConfigurer.ContentTypeOptionsConfig |
class | HeadersConfigurer.FrameOptionsConfig |
class | HeadersConfigurer.HpkpConfig |
class | HeadersConfigurer.HstsConfig |
class | HeadersConfigurer.XXssConfig |
Constructor Summary

Constructor and Description |
---|
HeadersConfigurer() Creates a new instance |

Methods inherited from class SecurityConfigurerAdapter: addObjectPostProcessor, and, getBuilder, init, postProcess, setBuilder
Constructor Detail

public HeadersConfigurer()
Creates a new instance.
See Also: HttpSecurity.headers()

Method Detail

public HeadersConfigurer<H> addHeaderWriter(HeaderWriter headerWriter)
Adds a HeaderWriter instance.
Parameters: headerWriter - the HeaderWriter instance to add
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer.ContentTypeOptionsConfig contentTypeOptions()
Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options header:
X-Content-Type-Options: nosniff
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer.XXssConfig xssProtection()
Allows customizing the XXssProtectionHeaderWriter which adds the X-XSS-Protection header.
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer.CacheControlConfig cacheControl()
Allows customizing the CacheControlHeadersWriter. Specifically, it adds the following headers:
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer.HstsConfig httpStrictTransportSecurity()
Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer.FrameOptionsConfig frameOptions()
Allows customizing the XFrameOptionsHeaderWriter.
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer.HpkpConfig httpPublicKeyPinning()
Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP).
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer.ContentSecurityPolicyConfig contentSecurityPolicy(String policyDirectives)
Allows configuration for Content Security Policy (CSP) Level 2. Calling this method automatically enables (includes) the Content-Security-Policy header in the response using the supplied security policy directive(s). Configuration is provided to the ContentSecurityPolicyHeaderWriter, which supports the writing of the two headers as detailed in the W3C Candidate Recommendation:
Throws: IllegalArgumentException - if policyDirectives is null or empty
See Also: ContentSecurityPolicyHeaderWriter
public HeadersConfigurer<H> defaultsDisabled()
Disables the default headers; the headers to write are then enabled individually, for example:
http.headers().defaultsDisabled().cacheControl();
Returns: the HeadersConfigurer for additional customization

public void configure(H http) throws Exception
Description copied from interface: SecurityConfigurer
Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
Specified by: configure in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
Overrides: configure in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
Throws: Exception

public B disable()
Description copied from class: AbstractHttpConfigurer
Disables the AbstractHttpConfigurer by removing it. After doing so, a fresh version of the configuration can be applied.
Returns: the HttpSecurityBuilder for additional customizations

public T withObjectPostProcessor(ObjectPostProcessor<?> objectPostProcessor)
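An added example, not taken from the Spring Security Javadoc, showing how the methods above compose in a WebSecurityConfigurerAdapter: defaultsDisabled() first, then each header opted back in through its nested *Config and returned to the HeadersConfigurer with and(). The class name, the CSP directive string and the Referrer-Policy value are assumptions for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

// Added example (hypothetical class name): start from no headers and opt in explicitly.
@Configuration
@EnableWebSecurity
public class HeadersSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed policy for this example; tailor it to the application's actual sources.
    private static final String CSP = "default-src 'self'; frame-ancestors 'none'";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        HeadersConfigurer<HttpSecurity> headers = http.headers();

        // Remove all six default writers. Order matters: calling defaultsDisabled()
        // after the opt-ins below would silently drop them again.
        headers.defaultsDisabled();

        headers
            .cacheControl()                    // Cache-Control, Pragma, Expires
            .and()
            .contentTypeOptions()              // X-Content-Type-Options: nosniff
            .and()
            .frameOptions().sameOrigin()       // X-Frame-Options: SAMEORIGIN instead of DENY
            .httpStrictTransportSecurity()     // HSTS; the writer only emits it on secure (HTTPS) requests
                .includeSubDomains(true)
                .maxAgeInSeconds(31536000L)    // one year, matching the default header value
                .and()
            .contentSecurityPolicy(CSP)        // IllegalArgumentException if the directives are null/empty
                .and()
            // Any header without a dedicated *Config goes in through addHeaderWriter(HeaderWriter).
            .addHeaderWriter(new StaticHeadersWriter("Referrer-Policy", "no-referrer"));

        // X-XSS-Protection is intentionally left disabled here; re-enable with headers.xssProtection().

        http.authorizeRequests().anyRequest().authenticated().and().formLogin();
    }
}
```

Each nested *Config's and() returns the HeadersConfigurer, while HeadersConfigurer's own and() (inherited from SecurityConfigurerAdapter) returns the HttpSecurity builder, so a chain can return to either level.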