public class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHttpConfigurer<HeadersConfigurer<H>,H>

Adds the Security HTTP headers to the response. Security HTTP headers are activated by default when using WebSecurityConfigurerAdapter's default constructor.

The default headers are:

    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-Content-Type-Options: nosniff
    Strict-Transport-Security: max-age=31536000 ; includeSubDomains
    X-Frame-Options: DENY
    X-XSS-Protection: 1; mode=block

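An added example (not taken from the Spring Security documentation) of adjusting the defaults listed above through HttpSecurity.headers(...) and opting in to headers that are not in the default set. The class name and the chosen policy values are assumptions for illustration.

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;

// Hypothetical application configuration; the values are illustrative.
@EnableWebSecurity
public class HeaderHardeningConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers(headers -> headers
            // Default is X-Frame-Options: DENY. Relax to SAMEORIGIN only if
            // the application needs to frame its own pages.
            .frameOptions(frame -> frame.sameOrigin())
            // State the HSTS policy explicitly (these are the default values
            // listed above) so a later change shows up in code review.
            .httpStrictTransportSecurity(hsts -> hsts
                .maxAgeInSeconds(31536000)
                .includeSubDomains(true))
            // Referrer-Policy and Feature-Policy are not in the default set,
            // so they are written only when configured here.
            .referrerPolicy(referrer -> referrer
                .policy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN))
            .featurePolicy("geolocation 'none'; camera 'none'; microphone 'none'"));
    }
}
```

The remaining defaults (cache control, X-Content-Type-Options, X-XSS-Protection) stay active because defaultsDisabled() is not called.
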
Modifier and Type | Class and Description |
---|---|
class | HeadersConfigurer.CacheControlConfig |
class | HeadersConfigurer.ContentSecurityPolicyConfig |
class | HeadersConfigurer.ContentTypeOptionsConfig |
class | HeadersConfigurer.FeaturePolicyConfig |
class | HeadersConfigurer.FrameOptionsConfig |
class | HeadersConfigurer.HpkpConfig |
class | HeadersConfigurer.HstsConfig |
class | HeadersConfigurer.ReferrerPolicyConfig |
class | HeadersConfigurer.XXssConfig |

Constructor and Description |
---|
HeadersConfigurer() Creates a new instance |

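Methods inherited from class AbstractHttpConfigurer: disable, withObjectPostProcessor
Methods inherited from class SecurityConfigurerAdapter: addObjectPostProcessor, and, getBuilder, init, postProcess, setBuilder
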
public HeadersConfigurer()
Creates a new instance.
See Also: HttpSecurity.headers()

public HeadersConfigurer<H> addHeaderWriter(HeaderWriter headerWriter)
Adds a HeaderWriter instance.
Parameters: headerWriter - the HeaderWriter instance to add
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer.ContentTypeOptionsConfig contentTypeOptions()
Configures the XContentTypeOptionsHeaderWriter, which inserts the X-Content-Type-Options header:

    X-Content-Type-Options: nosniff

Returns: the HeadersConfigurer.ContentTypeOptionsConfig for additional customizations

public HeadersConfigurer<H> contentTypeOptions(Customizer<HeadersConfigurer.ContentTypeOptionsConfig> contentTypeOptionsCustomizer)
Configures the XContentTypeOptionsHeaderWriter, which inserts the X-Content-Type-Options header:

    X-Content-Type-Options: nosniff

Parameters: contentTypeOptionsCustomizer - the Customizer to provide more options for the HeadersConfigurer.ContentTypeOptionsConfig
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer.XXssConfig xssProtection()
Allows customizing the XXssProtectionHeaderWriter, which adds the X-XSS-Protection header.
Returns: the HeadersConfigurer.XXssConfig for additional customizations

public HeadersConfigurer<H> xssProtection(Customizer<HeadersConfigurer.XXssConfig> xssCustomizer)
Allows customizing the XXssProtectionHeaderWriter, which adds the X-XSS-Protection header.
Parameters: xssCustomizer - the Customizer to provide more options for the HeadersConfigurer.XXssConfig
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer.CacheControlConfig cacheControl()
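Allows customizing the CacheControlHeadersWriter. Specifically it adds the following headers:

    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0

Returns: the HeadersConfigurer.CacheControlConfig for additional customizations

public HeadersConfigurer<H> cacheControl(Customizer<HeadersConfigurer.CacheControlConfig> cacheControlCustomizer)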
Allows customizing the CacheControlHeadersWriter. Specifically it adds the following headers:

    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0

Parameters: cacheControlCustomizer - the Customizer to provide more options for the HeadersConfigurer.CacheControlConfig
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer.HstsConfig httpStrictTransportSecurity()
Allows customizing the HstsHeaderWriter, which provides support for HTTP Strict Transport Security (HSTS).
Returns: the HeadersConfigurer.HstsConfig for additional customizations

public HeadersConfigurer<H> httpStrictTransportSecurity(Customizer<HeadersConfigurer.HstsConfig> hstsCustomizer)
Allows customizing the HstsHeaderWriter, which provides support for HTTP Strict Transport Security (HSTS).
Parameters: hstsCustomizer - the Customizer to provide more options for the HeadersConfigurer.HstsConfig
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer.FrameOptionsConfig frameOptions()
Allows customizing the XFrameOptionsHeaderWriter.
Returns: the HeadersConfigurer.FrameOptionsConfig for additional customizations

public HeadersConfigurer<H> frameOptions(Customizer<HeadersConfigurer.FrameOptionsConfig> frameOptionsCustomizer)
Allows customizing the XFrameOptionsHeaderWriter.
Parameters: frameOptionsCustomizer - the Customizer to provide more options for the HeadersConfigurer.FrameOptionsConfig
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer.HpkpConfig httpPublicKeyPinning()
Allows customizing the HpkpHeaderWriter, which provides support for HTTP Public Key Pinning (HPKP).
Returns: the HeadersConfigurer.HpkpConfig for additional customizations

public HeadersConfigurer<H> httpPublicKeyPinning(Customizer<HeadersConfigurer.HpkpConfig> hpkpCustomizer)
Allows customizing the HpkpHeaderWriter, which provides support for HTTP Public Key Pinning (HPKP).
Parameters: hpkpCustomizer - the Customizer to provide more options for the HeadersConfigurer.HpkpConfig
Returns: the HeadersConfigurer for additional customizations

public HeadersConfigurer.ContentSecurityPolicyConfig contentSecurityPolicy(java.lang.String policyDirectives)
Allows configuration for Content Security Policy (CSP) Level 2.
Calling this method automatically enables (includes) the Content-Security-Policy header in the response using the supplied security policy directive(s).
Configuration is provided to the ContentSecurityPolicyHeaderWriter, which supports writing the two headers detailed in the W3C Candidate Recommendation.
Returns: the HeadersConfigurer.ContentSecurityPolicyConfig for additional configuration
Throws: java.lang.IllegalArgumentException - if policyDirectives is null or empty
See Also: ContentSecurityPolicyHeaderWriter

public HeadersConfigurer<H> contentSecurityPolicy(Customizer<HeadersConfigurer.ContentSecurityPolicyConfig> contentSecurityCustomizer)
Allows configuration for Content Security Policy (CSP) Level 2.
Calling this method automatically enables (includes) the Content-Security-Policy header in the response using the supplied security policy directive(s).
Configuration is provided to the ContentSecurityPolicyHeaderWriter, which supports writing the two headers detailed in the W3C Candidate Recommendation.
Parameters: contentSecurityCustomizer - the Customizer to provide more options for the HeadersConfigurer.ContentSecurityPolicyConfig
Returns: the HeadersConfigurer for additional customizations
See Also: ContentSecurityPolicyHeaderWriter

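An added example (not part of the Spring Security Javadoc) of rolling out a policy with the Customizer overload: ContentSecurityPolicyConfig.reportOnly() switches the writer from the Content-Security-Policy header to Content-Security-Policy-Report-Only. The class name, the property name, the policy string and the /csp-report endpoint are assumptions for illustration.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Hypothetical configuration class.
@EnableWebSecurity
public class CspRolloutConfig extends WebSecurityConfigurerAdapter {

    // Constructed policy for illustration; /csp-report is a hypothetical
    // endpoint that collects violation reports.
    private static final String POLICY =
        "default-src 'self'; script-src 'self'; object-src 'none'; "
        + "frame-ancestors 'none'; report-uri /csp-report";

    // Hypothetical property: true while violation reports are being
    // collected, false once the policy is ready to be enforced.
    @Value("${app.security.csp.report-only:true}")
    private boolean reportOnly;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers(headers -> headers
            .contentSecurityPolicy(csp -> {
                csp.policyDirectives(POLICY);
                if (reportOnly) {
                    // Violations are reported but nothing is blocked.
                    csp.reportOnly();
                }
            }));
    }
}
```
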
public HeadersConfigurer<H> defaultsDisabled()
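Disables all of the default headers so that individual headers can be added back, for example to use only cache control:

    http.headers().defaultsDisabled().cacheControl();

Returns: the HeadersConfigurer for additional customization

public void configure(H http)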
Description copied from interface: SecurityConfigurer
Configures the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
Specified by: configure in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
Overrides: configure in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

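An added example (not from the Spring Security Javadoc) combining defaultsDisabled() with addHeaderWriter(HeaderWriter): the defaults are cleared, two of them are re-enabled, and a custom HeaderWriter is scoped to one path. The class name, the /api/** path and the choice of the Cross-Origin-Resource-Policy header are assumptions for illustration.

```java
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.HeaderWriter;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Hypothetical configuration class.
@EnableWebSecurity
public class SelectiveHeadersConfig extends WebSecurityConfigurerAdapter {

    // Custom HeaderWriter: writes the header only if nothing earlier in the
    // request has already set it on the response.
    private static final HeaderWriter CORP_WRITER = (request, response) -> {
        if (!response.containsHeader("Cross-Origin-Resource-Policy")) {
            response.setHeader("Cross-Origin-Resource-Policy", "same-origin");
        }
    };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers(headers -> headers
            // Start from an empty set. After this call X-Frame-Options,
            // X-XSS-Protection and Strict-Transport-Security are no longer
            // written unless they are re-enabled below.
            .defaultsDisabled()
            // Opt back in to the writers this application wants.
            .cacheControl(Customizer.withDefaults())
            .contentTypeOptions(Customizer.withDefaults())
            // Apply the custom writer to /api/** only (hypothetical path).
            .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
                new AntPathRequestMatcher("/api/**"), CORP_WRITER)));
    }
}
```
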
public HeadersConfigurer.ReferrerPolicyConfig referrerPolicy()
Allows configuration for Referrer Policy.
Configuration is provided to the ReferrerPolicyHeaderWriter, which supports writing the header detailed in the W3C Technical Report.
Default value is:

    Referrer-Policy: no-referrer

Returns: the HeadersConfigurer.ReferrerPolicyConfig for additional configuration
See Also: ReferrerPolicyHeaderWriter

public HeadersConfigurer.ReferrerPolicyConfig referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy policy)
Allows configuration for Referrer Policy.
Configuration is provided to the ReferrerPolicyHeaderWriter, which supports writing the header detailed in the W3C Technical Report.
Returns: the HeadersConfigurer.ReferrerPolicyConfig for additional configuration
Throws: java.lang.IllegalArgumentException - if policy is null or empty
See Also: ReferrerPolicyHeaderWriter

public HeadersConfigurer<H> referrerPolicy(Customizer<HeadersConfigurer.ReferrerPolicyConfig> referrerPolicyCustomizer)
Allows configuration for Referrer Policy.
Configuration is provided to the ReferrerPolicyHeaderWriter, which supports writing the header detailed in the W3C Technical Report.
Parameters: referrerPolicyCustomizer - the Customizer to provide more options for the HeadersConfigurer.ReferrerPolicyConfig
Returns: the HeadersConfigurer for additional customizations
See Also: ReferrerPolicyHeaderWriter

public HeadersConfigurer.FeaturePolicyConfig featurePolicy(java.lang.String policyDirectives)
Calling this method automatically enables (includes) the Feature-Policy header in the response using the supplied policy directive(s).
Configuration is provided to the FeaturePolicyHeaderWriter, which is responsible for writing the header.
Returns: the HeadersConfigurer.FeaturePolicyConfig for additional configuration
Throws: java.lang.IllegalArgumentException - if policyDirectives is null or empty
See Also: FeaturePolicyHeaderWriter