Class HstsHeaderWriter
- java.lang.Object
- org.springframework.security.web.header.writers.HstsHeaderWriter
- All Implemented Interfaces: HeaderWriter

public final class HstsHeaderWriter extends java.lang.Object implements HeaderWriter
Provides support for HTTP Strict Transport Security (HSTS). By default the expiration is one year, subdomains are included and preload is not included. This can be customized using setMaxAgeInSeconds(long), setIncludeSubDomains(boolean) and setPreload(boolean) respectively.

Since Section 7.2 of RFC 6797 states that an HSTS Host MUST NOT include the STS header in HTTP (non-secure) responses, the default behavior is that the "Strict-Transport-Security" header is only added when ServletRequest.isSecure() returns true. At times this may need to be customized. For example, where SSL termination happens in front of the application, something other than isSecure() may have to be used to determine whether the client connection was over SSL. For these circumstances, setRequestMatcher(RequestMatcher) can be invoked with a custom RequestMatcher.

See hstspreload.org for additional details on HSTS preload.
- Since: 3.2
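An added example (not part of the Spring Security Javadoc) for the SSL-termination case described above: the writer is given a custom RequestMatcher that trusts the proxy's X-Forwarded-Proto header instead of ServletRequest.isSecure(), and spring-test mock objects show the header being written only for forwarded-HTTPS requests. It assumes the reverse proxy overwrites any client-supplied X-Forwarded-Proto value (otherwise a plain-HTTP client could trigger the header) and the javax.servlet API used by the 5.x line.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.header.writers.HstsHeaderWriter;
import org.springframework.security.web.util.matcher.RequestMatcher;

public class HstsBehindProxyExample {

    // Assumption: a reverse proxy terminates TLS and sets "X-Forwarded-Proto: https"
    // on every request it forwards, replacing anything the client sent. Behind such
    // a proxy ServletRequest.isSecure() is false, so the default matcher would never
    // emit the header and browsers would never pin the site to HTTPS.
    static final RequestMatcher FORWARDED_HTTPS =
            (HttpServletRequest request) ->
                    "https".equalsIgnoreCase(request.getHeader("X-Forwarded-Proto"));

    // One year, includeSubDomains on, preload off (the class defaults, made explicit).
    static HstsHeaderWriter writer() {
        HstsHeaderWriter writer = new HstsHeaderWriter(FORWARDED_HTTPS, 31536000L, true);
        writer.setPreload(false); // enable only after reviewing hstspreload.org
        return writer;
    }

    // Runs the writer against a constructed request and returns the header it produced
    // (null when the matcher declined, i.e. the header was withheld).
    static String headerFor(boolean forwardedHttps) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/");
        if (forwardedHttps) {
            request.addHeader("X-Forwarded-Proto", "https");
        }
        MockHttpServletResponse response = new MockHttpServletResponse();
        writer().writeHeaders(request, response);
        return response.getHeader("Strict-Transport-Security");
    }

    public static void main(String[] args) {
        // Forwarded HTTPS: header present, browsers remember the host for one year.
        System.out.println("proxied https: " + headerFor(true));
        // Plain HTTP: header absent, as RFC 6797 Section 7.2 requires.
        System.out.println("plain http:    " + headerFor(false));
    }
}
```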
Constructor Summary
- HstsHeaderWriter(): Creates a new instance
- HstsHeaderWriter(boolean includeSubDomains): Creates a new instance
- HstsHeaderWriter(long maxAgeInSeconds): Creates a new instance
- HstsHeaderWriter(long maxAgeInSeconds, boolean includeSubDomains): Creates a new instance
- HstsHeaderWriter(long maxAgeInSeconds, boolean includeSubDomains, boolean preload): Creates a new instance
- HstsHeaderWriter(RequestMatcher requestMatcher, long maxAgeInSeconds, boolean includeSubDomains): Creates a new instance
- HstsHeaderWriter(RequestMatcher requestMatcher, long maxAgeInSeconds, boolean includeSubDomains, boolean preload): Creates a new instance
Method Summary (all methods are instance, concrete methods)
- void setIncludeSubDomains(boolean includeSubDomains): If true, subdomains should be considered HSTS Hosts too.
- void setMaxAgeInSeconds(long maxAgeInSeconds): Sets the value (in seconds) for the max-age directive of the Strict-Transport-Security header.
- void setPreload(boolean preload): If true, preload will be included in the HSTS header.
- void setRequestMatcher(RequestMatcher requestMatcher): Sets the RequestMatcher used to determine if the "Strict-Transport-Security" header should be added.
- void writeHeaders(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response): Create a Header instance.
Constructor Detail

HstsHeaderWriter
public HstsHeaderWriter(RequestMatcher requestMatcher, long maxAgeInSeconds, boolean includeSubDomains, boolean preload)
Creates a new instance
- Parameters:
  - requestMatcher: maps to setRequestMatcher(RequestMatcher)
  - maxAgeInSeconds: maps to setMaxAgeInSeconds(long)
  - includeSubDomains: maps to setIncludeSubDomains(boolean)
  - preload: maps to setPreload(boolean)
- Since: 5.2.0

HstsHeaderWriter
public HstsHeaderWriter(RequestMatcher requestMatcher, long maxAgeInSeconds, boolean includeSubDomains)
Creates a new instance
- Parameters:
  - requestMatcher: maps to setRequestMatcher(RequestMatcher)
  - maxAgeInSeconds: maps to setMaxAgeInSeconds(long)
  - includeSubDomains: maps to setIncludeSubDomains(boolean)

HstsHeaderWriter
public HstsHeaderWriter(long maxAgeInSeconds, boolean includeSubDomains, boolean preload)
Creates a new instance
- Parameters:
  - maxAgeInSeconds: maps to setMaxAgeInSeconds(long)
  - includeSubDomains: maps to setIncludeSubDomains(boolean)
  - preload: maps to setPreload(boolean)
- Since: 5.2.0

HstsHeaderWriter
public HstsHeaderWriter(long maxAgeInSeconds, boolean includeSubDomains)
Creates a new instance
- Parameters:
  - maxAgeInSeconds: maps to setMaxAgeInSeconds(long)
  - includeSubDomains: maps to setIncludeSubDomains(boolean)

HstsHeaderWriter
public HstsHeaderWriter(long maxAgeInSeconds)
Creates a new instance
- Parameters:
  - maxAgeInSeconds: maps to setMaxAgeInSeconds(long)

HstsHeaderWriter
public HstsHeaderWriter(boolean includeSubDomains)
Creates a new instance
- Parameters:
  - includeSubDomains: maps to setIncludeSubDomains(boolean)

HstsHeaderWriter
public HstsHeaderWriter()
Creates a new instance
Method Detail

writeHeaders
public void writeHeaders(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response)
Description copied from interface: HeaderWriter
Create a Header instance.
- Specified by: writeHeaders in interface HeaderWriter
- Parameters:
  - request: the request
  - response: the response
setRequestMatcher
public void setRequestMatcher(RequestMatcher requestMatcher)
Sets the RequestMatcher used to determine if the "Strict-Transport-Security" header should be added. If the matcher matches the request the header is added, otherwise it is not. By default the header is added when ServletRequest.isSecure() returns true.
- Parameters:
  - requestMatcher: the RequestMatcher to use.
- Throws:
  - java.lang.IllegalArgumentException: if RequestMatcher is null
setMaxAgeInSeconds
public void setMaxAgeInSeconds(long maxAgeInSeconds)
Sets the value (in seconds) for the max-age directive of the Strict-Transport-Security header. The default is one year.
This instructs browsers how long to remember to keep this domain as a known HSTS Host. See Section 6.1.1 for additional details.
- Parameters:
  - maxAgeInSeconds: the maximum amount of time (in seconds) to consider this domain as a known HSTS Host.
- Throws:
  - java.lang.IllegalArgumentException: if maxAgeInSeconds is negative
setIncludeSubDomains
public void setIncludeSubDomains(boolean includeSubDomains)
If true, subdomains should be considered HSTS Hosts too. The default is true.
See Section 6.1.2 for additional details.
- Parameters:
  - includeSubDomains: true to include subdomains, else false
setPreload
public void setPreload(boolean preload)
If true, preload will be included in the HSTS header. The default is false.
See Section 6.1.2 for additional details.
- Parameters:
  - preload: true to include preload, else false
- Since: 5.2.0