public class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHttpConfigurer<HeadersConfigurer<H>,H>
Adds the security HTTP headers to the response. The security HTTP headers are activated by default when using WebSecurityConfigurerAdapter's default constructor.
The default headers included are:
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Note that Strict-Transport-Security is only written for requests the servlet container reports as secure (HttpServletRequest.isSecure() returns true); behind a TLS-terminating proxy that forwards plain HTTP, see httpStrictTransportSecurity() to change the request matcher. Content-Security-Policy and Referrer-Policy are not defaults and are only written once contentSecurityPolicy(String) or referrerPolicy() is called.
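As an added example that is not part of this Javadoc or of the Spring Security code base, the following WebSecurityConfigurerAdapter keeps the defaults listed above and adjusts some of them, then opts into the two headers that are not defaults. The class name, the HSTS max-age and the policy string are constructed for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;

@Configuration
@EnableWebSecurity
public class HeadersSecurityConfig extends WebSecurityConfigurerAdapter { // constructed name

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .httpBasic()
                .and()
            // headers() enables every default writer; the calls below only adjust some of them.
            .headers()
                // X-Frame-Options: DENY -> SAMEORIGIN, for applications that frame their own pages.
                .frameOptions()
                    .sameOrigin()
                    .and()
                // Strict-Transport-Security: max-age=63072000 ; includeSubDomains
                .httpStrictTransportSecurity()
                    .maxAgeInSeconds(63072000L)
                    .includeSubDomains(true)
                    // By default the header is written only when request.isSecure() is true.
                    // Behind a TLS-terminating proxy that forwards plain HTTP, either make the
                    // container honour X-Forwarded-Proto or, as here, write it on every request
                    // (browsers ignore HSTS received over plain HTTP, so this is harmless there).
                    .requestMatcher(AnyRequestMatcher.INSTANCE)
                    .and()
                // Not a default: opting in adds Referrer-Policy with the chosen value.
                .referrerPolicy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
                    .and()
                // Not a default either: a constructed policy. frame-ancestors 'self' mirrors
                // SAMEORIGIN for browsers that give CSP precedence over X-Frame-Options.
                .contentSecurityPolicy("default-src 'self'; object-src 'none'; frame-ancestors 'self'");
    }
}
```

Each nested Config returns to the HeadersConfigurer through and(), which is what makes the chain above read as one statement. A quick check after deployment is `curl -sI https://host/` followed by `curl -sI http://host/`: the first response should carry every header listed above, and the HSTS line should appear in both only because of the requestMatcher override.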
Modifier and Type | Class and Description
---|---
class | HeadersConfigurer.CacheControlConfig
class | HeadersConfigurer.ContentSecurityPolicyConfig
class | HeadersConfigurer.ContentTypeOptionsConfig
class | HeadersConfigurer.FrameOptionsConfig
class | HeadersConfigurer.HpkpConfig
class | HeadersConfigurer.HstsConfig
class | HeadersConfigurer.ReferrerPolicyConfig
class | HeadersConfigurer.XXssConfig
Constructor and Description
---
HeadersConfigurer() - Creates a new instance
Methods inherited from class AbstractHttpConfigurer: disable, withObjectPostProcessor
Methods inherited from class SecurityConfigurerAdapter: addObjectPostProcessor, and, getBuilder, init, postProcess, setBuilder
public HeadersConfigurer()
Creates a new instance.
See Also:
HttpSecurity.headers()
public HeadersConfigurer<H> addHeaderWriter(HeaderWriter headerWriter)
Adds a HeaderWriter instance. The writer is added alongside the default writers; it does not replace them.
Parameters:
headerWriter - the HeaderWriter instance to add
Returns:
the HeadersConfigurer for additional customizations
public HeadersConfigurer.ContentTypeOptionsConfig contentTypeOptions()
Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options header:
X-Content-Type-Options: nosniff
Returns:
the HeadersConfigurer.ContentTypeOptionsConfig for additional customizations
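As an added example (not from this Javadoc or the Spring Security project), three ways of using addHeaderWriter: a fixed header on every response with the library's own StaticHeadersWriter, a header limited to a URL subset with DelegatingRequestMatcherHeaderWriter, and a hand-written HeaderWriter that yields to a value the application has already set. The class names, header values and the /admin/** pattern are constructed for illustration.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.HeaderWriter;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class ExtraHeadersConfig extends WebSecurityConfigurerAdapter { // constructed name

    /**
     * Hypothetical writer (not part of Spring Security): sets a header only when the
     * response does not already carry one, so a handler's explicit per-response value
     * wins over this site-wide default instead of being clobbered.
     */
    static final class IfAbsentHeaderWriter implements HeaderWriter {
        private final String name;
        private final String value;

        IfAbsentHeaderWriter(String name, String value) {
            this.name = name;
            this.value = value;
        }

        @Override
        public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
            if (!response.containsHeader(name)) {
                response.setHeader(name, value);
            }
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().authenticated().and()
            .headers()
                // Same fixed header on every response. StaticHeadersWriter is provided by
                // spring-security-web; the header value here is constructed.
                .addHeaderWriter(new StaticHeadersWriter(
                        "Permissions-Policy", "camera=(), microphone=(), geolocation=()"))
                // Header restricted to a URL subset: the delegate runs only when the matcher matches.
                .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
                        new AntPathRequestMatcher("/admin/**"),
                        new StaticHeadersWriter("X-Robots-Tag", "noindex, nofollow")))
                // Site-wide default that a controller or view may override per response.
                .addHeaderWriter(new IfAbsentHeaderWriter("X-Permitted-Cross-Domain-Policies", "none"));
    }
}
```

The default writers stay in place; addHeaderWriter only appends. If a custom writer must replace a default, disable that default (for example frameOptions().disable()) and add the replacement, rather than relying on the order in which writers run.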
public HeadersConfigurer.XXssConfig xssProtection()
Allows customizing the XXssProtectionHeaderWriter which adds the X-XSS-Protection header. Note that current browsers no longer implement the XSS auditor this header controlled; it remains useful only for legacy clients, and a Content-Security-Policy is the effective control.
Returns:
the HeadersConfigurer.XXssConfig for additional customizations
public HeadersConfigurer.CacheControlConfig cacheControl()
Allows customizing the CacheControlHeadersWriter. Specifically it adds the following headers:
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Returns:
the HeadersConfigurer.CacheControlConfig for additional customizations
public HeadersConfigurer.HstsConfig httpStrictTransportSecurity()
Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).
Returns:
the HeadersConfigurer.HstsConfig for additional customizations
public HeadersConfigurer.FrameOptionsConfig frameOptions()
Allows customizing the XFrameOptionsHeaderWriter.
Returns:
the HeadersConfigurer.FrameOptionsConfig for additional customizations
public HeadersConfigurer.HpkpConfig httpPublicKeyPinning()
Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP). HPKP is deprecated and no longer honoured by current browsers, and a wrong pin set locks clients out for the full max-age, so do not enable it without a tested recovery path.
Returns:
the HeadersConfigurer.HpkpConfig for additional customizations
public HeadersConfigurer.ContentSecurityPolicyConfig contentSecurityPolicy(java.lang.String policyDirectives)
Allows configuration for Content Security Policy (CSP) Level 2.
Calling this method automatically enables (includes) the Content-Security-Policy header in the response using the supplied security policy directive(s).
Configuration is provided to the ContentSecurityPolicyHeaderWriter which supports the writing of the two headers as detailed in the W3C Candidate Recommendation: Content-Security-Policy and Content-Security-Policy-Report-Only. The enforcing Content-Security-Policy header is written unless reportOnly() is called on the returned config.
Parameters:
policyDirectives - the security policy directive(s)
Returns:
the HeadersConfigurer.ContentSecurityPolicyConfig for additional configuration
Throws:
java.lang.IllegalArgumentException - if policyDirectives is null or empty
See Also:
ContentSecurityPolicyHeaderWriter
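As an added example, not code from this Javadoc or from Spring Security, a staged CSP rollout: the same policy is first written as Content-Security-Policy-Report-Only through reportOnly(), and switched to the enforcing Content-Security-Policy header once the reports are clean. The property name app.csp.enforce, the policy string, the /csp-report endpoint and the class names are constructed for illustration.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class CspConfig extends WebSecurityConfigurerAdapter { // constructed name

    // Constructed policy. No 'unsafe-inline' for scripts; object-src 'none' blocks plugins;
    // base-uri 'self' stops an injected <base> from redirecting relative script URLs;
    // report-uri is where browsers POST violation reports.
    static final String POLICY =
            "default-src 'self'; "
          + "script-src 'self'; "
          + "object-src 'none'; "
          + "base-uri 'self'; "
          + "frame-ancestors 'none'; "
          + "report-uri /csp-report";

    // Hypothetical property: leave false while collecting reports, flip to true to enforce.
    @Value("${app.csp.enforce:false}")
    private boolean enforce;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/csp-report").permitAll()   // browsers POST reports without a session
                .anyRequest().authenticated()
                .and()
            .csrf()
                .ignoringAntMatchers("/csp-report");      // the report POST carries no CSRF token

        if (enforce) {
            // Content-Security-Policy: violations are blocked and reported.
            http.headers().contentSecurityPolicy(POLICY);
        } else {
            // Content-Security-Policy-Report-Only: violations are reported, nothing is blocked.
            http.headers().contentSecurityPolicy(POLICY).reportOnly();
        }
    }
}

@RestController
class CspReportController { // constructed name

    private static final Logger log = LoggerFactory.getLogger(CspReportController.class);

    @PostMapping(path = "/csp-report", consumes = {"application/csp-report", "application/json"})
    @ResponseStatus(HttpStatus.NO_CONTENT)
    public void report(@RequestBody String body) {
        // Reports are attacker-influenceable input: treat as data, and strip line breaks so
        // a crafted report cannot forge additional log lines.
        log.warn("CSP violation: {}", body.replaceAll("[\\r\\n]", " "));
    }
}
```

Only one of the two headers is written per response, which is why the choice is made with an if rather than by calling reportOnly() conditionally on a stored config. Keep the report endpoint out of the authenticated and CSRF-protected area, as above, or every report from a logged-out user is silently rejected and the rollout data is skewed.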
public HeadersConfigurer<H> defaultsDisabled()
Clears all of the default headers from the response. After doing so, individual headers can be added back. For example, if only Spring Security's cache control headers are wanted:
http.headers().defaultsDisabled().cacheControl();
Returns:
the HeadersConfigurer for additional customization
public void configure(H http) throws java.lang.Exception
Description copied from interface: SecurityConfigurer
Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
Specified by:
configure in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
Overrides:
configure in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
Throws:
java.lang.Exception
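As an added example for defaultsDisabled(), not taken from this Javadoc or from Spring Security: a configuration that starts from no headers and re-enables a chosen set, paired with a MockMvc test that asserts which headers are and are not present. It assumes Spring Security 4.2 with spring-security-test and JUnit 4 (on 5.x the in-memory password needs a {noop} prefix); the class names and the user credentials are constructed.

```java
// File: ApiHeadersConfig.java (constructed)
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class ApiHeadersConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().authenticated().and()
            .httpBasic().and()
            .headers()
                .defaultsDisabled()                 // nothing is written until re-enabled below
                .cacheControl().and()               // Cache-Control, Pragma, Expires
                .contentTypeOptions().and()         // X-Content-Type-Options: nosniff
                .httpStrictTransportSecurity()      // must be re-added explicitly or it is lost
                    .maxAgeInSeconds(31536000L)
                    .includeSubDomains(true)
                    .and()
                .frameOptions().deny();
        // X-XSS-Protection is deliberately left out and is therefore absent.
    }
}

// File: ApiHeadersConfigTest.java (constructed)
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

@RunWith(SpringJUnit4ClassRunner.class)
@WebAppConfiguration
@ContextConfiguration(classes = ApiHeadersConfig.class)
public class ApiHeadersConfigTest {

    @Autowired
    private WebApplicationContext context;

    private MockMvc mvc;

    @Before
    public void setUp() {
        mvc = MockMvcBuilders.webAppContextSetup(context).apply(springSecurity()).build();
    }

    @Test
    public void onlyReEnabledHeadersAreWritten() throws Exception {
        // No handler is mapped for "/"; the headers come from the security filter chain.
        // secure(true) makes request.isSecure() true so the HSTS writer is eligible to run.
        mvc.perform(get("/").secure(true).with(httpBasic("user", "password")))
           .andExpect(header().string("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate"))
           .andExpect(header().string("X-Content-Type-Options", "nosniff"))
           .andExpect(header().string("Strict-Transport-Security", "max-age=31536000 ; includeSubDomains"))
           .andExpect(header().string("X-Frame-Options", "DENY"))
           .andExpect(header().doesNotExist("X-XSS-Protection"));
    }
}
```

When only a single default is unwanted, the narrower form is to keep the defaults and switch that one off, for example http.headers().frameOptions().disable(); defaultsDisabled() is for the case where the wanted set is smaller than the unwanted one, and the test above is the guard against forgetting a header such as HSTS that the defaults would otherwise have supplied.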
public HeadersConfigurer.ReferrerPolicyConfig referrerPolicy()
Allows configuration for Referrer Policy. This header is not among the defaults; calling this method enables it.
Configuration is provided to the ReferrerPolicyHeaderWriter which supports the writing of the header as detailed in the W3C Technical Report: Referrer-Policy.
Default value is:
Referrer-Policy: no-referrer
Returns:
the HeadersConfigurer.ReferrerPolicyConfig for additional configuration
See Also:
ReferrerPolicyHeaderWriter
public HeadersConfigurer.ReferrerPolicyConfig referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy policy)
Allows configuration for Referrer Policy with the given policy value.
Configuration is provided to the ReferrerPolicyHeaderWriter which supports the writing of the header as detailed in the W3C Technical Report: Referrer-Policy.
Parameters:
policy - the ReferrerPolicy to write
Returns:
the HeadersConfigurer.ReferrerPolicyConfig for additional configuration
Throws:
java.lang.IllegalArgumentException - if policy is null or empty
See Also:
ReferrerPolicyHeaderWriter