Package org.springframework.security.config.annotation.web.configurers

Class HeadersConfigurer<H extends HttpSecurityBuilder<H>>

java.lang.Object

org.springframework.security.config.annotation.SecurityConfigurerAdapter<DefaultSecurityFilterChain,B>

org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<HeadersConfigurer<H>,H>

org.springframework.security.config.annotation.web.configurers.HeadersConfigurer<H>

All Implemented Interfaces:

SecurityConfigurer<DefaultSecurityFilterChain,H>

public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
extends AbstractHttpConfigurer<HeadersConfigurer<H>,H>

Adds the Security HTTP headers to the response. Security HTTP headers is activated by default when using EnableWebSecurity's default constructor.

The default headers include are:

 Cache-Control: no-cache, no-store, max-age=0, must-revalidate
 Pragma: no-cache
 Expires: 0
 X-Content-Type-Options: nosniff
 Strict-Transport-Security: max-age=31536000 ; includeSubDomains
 X-Frame-Options: DENY
 X-XSS-Protection: 1; mode=block
 

Since:

3.2

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
class	HeadersConfigurer.CacheControlConfig
class	HeadersConfigurer.ContentSecurityPolicyConfig
class	HeadersConfigurer.ContentTypeOptionsConfig
class	HeadersConfigurer.CrossOriginEmbedderPolicyConfig
class	HeadersConfigurer.CrossOriginOpenerPolicyConfig
class	HeadersConfigurer.CrossOriginResourcePolicyConfig
class	HeadersConfigurer.FeaturePolicyConfig
class	HeadersConfigurer.FrameOptionsConfig
class	HeadersConfigurer.HpkpConfig
class	HeadersConfigurer.HstsConfig
class	HeadersConfigurer.PermissionsPolicyConfig
class	HeadersConfigurer.ReferrerPolicyConfig
class	HeadersConfigurer.XXssConfig

Constructor Summary

Constructors

Constructor	Description
HeadersConfigurer()	Creates a new instance

Method Summary

Modifier and Type	Method	Description
HeadersConfigurer<H>	addHeaderWriter(HeaderWriter headerWriter)	Adds a HeaderWriter instance
HeadersConfigurer.CacheControlConfig	cacheControl()	Allows customizing the CacheControlHeadersWriter.
HeadersConfigurer<H>	cacheControl(Customizer<HeadersConfigurer.CacheControlConfig> cacheControlCustomizer)	Allows customizing the CacheControlHeadersWriter.
void	configure(H http)	Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
HeadersConfigurer.ContentSecurityPolicyConfig	contentSecurityPolicy(java.lang.String policyDirectives)	Allows configuration for Content Security Policy (CSP) Level 2.
HeadersConfigurer<H>	contentSecurityPolicy(Customizer<HeadersConfigurer.ContentSecurityPolicyConfig> contentSecurityCustomizer)	Allows configuration for Content Security Policy (CSP) Level 2.
HeadersConfigurer.ContentTypeOptionsConfig	contentTypeOptions()	Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options:
HeadersConfigurer<H>	contentTypeOptions(Customizer<HeadersConfigurer.ContentTypeOptionsConfig> contentTypeOptionsCustomizer)	Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options:
HeadersConfigurer.CrossOriginEmbedderPolicyConfig	crossOriginEmbedderPolicy()	Allows configuration for Cross-Origin-Embedder-Policy header.
HeadersConfigurer<H>	crossOriginEmbedderPolicy(Customizer<HeadersConfigurer.CrossOriginEmbedderPolicyConfig> crossOriginEmbedderPolicyCustomizer)	Allows configuration for Cross-Origin-Embedder-Policy header.
HeadersConfigurer.CrossOriginOpenerPolicyConfig	crossOriginOpenerPolicy()	Allows configuration for Cross-Origin-Opener-Policy header.
HeadersConfigurer<H>	crossOriginOpenerPolicy(Customizer<HeadersConfigurer.CrossOriginOpenerPolicyConfig> crossOriginOpenerPolicyCustomizer)	Allows configuration for Cross-Origin-Opener-Policy header.
HeadersConfigurer.CrossOriginResourcePolicyConfig	crossOriginResourcePolicy()	Allows configuration for Cross-Origin-Resource-Policy header.
HeadersConfigurer<H>	crossOriginResourcePolicy(Customizer<HeadersConfigurer.CrossOriginResourcePolicyConfig> crossOriginResourcePolicyCustomizer)	Allows configuration for Cross-Origin-Resource-Policy header.
HeadersConfigurer<H>	defaultsDisabled()	Clears all of the default headers from the response.
HeadersConfigurer.FeaturePolicyConfig	featurePolicy(java.lang.String policyDirectives)	Deprecated. Use permissionsPolicy(Customizer) instead.
HeadersConfigurer.FrameOptionsConfig	frameOptions()	Allows customizing the XFrameOptionsHeaderWriter.
HeadersConfigurer<H>	frameOptions(Customizer<HeadersConfigurer.FrameOptionsConfig> frameOptionsCustomizer)	Allows customizing the XFrameOptionsHeaderWriter.
HeadersConfigurer.HpkpConfig	httpPublicKeyPinning()	Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP).
HeadersConfigurer<H>	httpPublicKeyPinning(Customizer<HeadersConfigurer.HpkpConfig> hpkpCustomizer)	Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP).
HeadersConfigurer.HstsConfig	httpStrictTransportSecurity()	Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).
HeadersConfigurer<H>	httpStrictTransportSecurity(Customizer<HeadersConfigurer.HstsConfig> hstsCustomizer)	Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).
HeadersConfigurer.PermissionsPolicyConfig	permissionsPolicy()	Allows configuration for Permissions Policy.
HeadersConfigurer.PermissionsPolicyConfig	permissionsPolicy(Customizer<HeadersConfigurer.PermissionsPolicyConfig> permissionsPolicyCustomizer)	Allows configuration for Permissions Policy.
HeadersConfigurer.ReferrerPolicyConfig	referrerPolicy()	Allows configuration for Referrer Policy.
HeadersConfigurer<H>	referrerPolicy(Customizer<HeadersConfigurer.ReferrerPolicyConfig> referrerPolicyCustomizer)	Allows configuration for Referrer Policy.
HeadersConfigurer.ReferrerPolicyConfig	referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy policy)	Allows configuration for Referrer Policy.
HeadersConfigurer.XXssConfig	xssProtection()	Note this is not comprehensive XSS protection!
HeadersConfigurer<H>	xssProtection(Customizer<HeadersConfigurer.XXssConfig> xssCustomizer)	Note this is not comprehensive XSS protection!

Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer

disable, getSecurityContextHolderStrategy, withObjectPostProcessor

Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter

addObjectPostProcessor, and, getBuilder, init, postProcess, setBuilder

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

HeadersConfigurer

public HeadersConfigurer()

Creates a new instance

See Also:

HttpSecurity.headers()

Method Detail

addHeaderWriter

public HeadersConfigurer<H> addHeaderWriter(HeaderWriter headerWriter)

Adds a HeaderWriter instance

Parameters:

headerWriter - the HeaderWriter instance to add

Returns:

the HeadersConfigurer for additional customizations

contentTypeOptions

public HeadersConfigurer.ContentTypeOptionsConfig contentTypeOptions()

Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options:

 X-Content-Type-Options: nosniff
 

Returns:

the HeadersConfigurer.ContentTypeOptionsConfig for additional customizations

contentTypeOptions

public HeadersConfigurer<H> contentTypeOptions(Customizer<HeadersConfigurer.ContentTypeOptionsConfig> contentTypeOptionsCustomizer)

Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options:

 X-Content-Type-Options: nosniff
 

Parameters:

contentTypeOptionsCustomizer - the Customizer to provide more options for the HeadersConfigurer.ContentTypeOptionsConfig

Returns:

the HeadersConfigurer for additional customizations

xssProtection

public HeadersConfigurer.XXssConfig xssProtection()

Note this is not comprehensive XSS protection!

Allows customizing the XXssProtectionHeaderWriter which adds the X-XSS-Protection header

Returns:

the HeadersConfigurer.XXssConfig for additional customizations

xssProtection

public HeadersConfigurer<H> xssProtection(Customizer<HeadersConfigurer.XXssConfig> xssCustomizer)

Note this is not comprehensive XSS protection!

Allows customizing the XXssProtectionHeaderWriter which adds the X-XSS-Protection header

Parameters:

xssCustomizer - the Customizer to provide more options for the HeadersConfigurer.XXssConfig

Returns:

the HeadersConfigurer for additional customizations

cacheControl

public HeadersConfigurer.CacheControlConfig cacheControl()

Allows customizing the CacheControlHeadersWriter. Specifically it adds the following headers:

• Cache-Control: no-cache, no-store, max-age=0, must-revalidate
• Pragma: no-cache
• Expires: 0

Returns:

the HeadersConfigurer.CacheControlConfig for additional customizations

cacheControl

public HeadersConfigurer<H> cacheControl(Customizer<HeadersConfigurer.CacheControlConfig> cacheControlCustomizer)

Allows customizing the CacheControlHeadersWriter. Specifically it adds the following headers:

• Cache-Control: no-cache, no-store, max-age=0, must-revalidate
• Pragma: no-cache
• Expires: 0

Parameters:

cacheControlCustomizer - the Customizer to provide more options for the HeadersConfigurer.CacheControlConfig

Returns:

the HeadersConfigurer for additional customizations

httpStrictTransportSecurity

public HeadersConfigurer.HstsConfig httpStrictTransportSecurity()

Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).

Returns:

the HeadersConfigurer.HstsConfig for additional customizations

httpStrictTransportSecurity

public HeadersConfigurer<H> httpStrictTransportSecurity(Customizer<HeadersConfigurer.HstsConfig> hstsCustomizer)

Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).

Parameters:

hstsCustomizer - the Customizer to provide more options for the HeadersConfigurer.HstsConfig

Returns:

the HeadersConfigurer for additional customizations

frameOptions

public HeadersConfigurer.FrameOptionsConfig frameOptions()

Allows customizing the XFrameOptionsHeaderWriter.

Returns:

the HeadersConfigurer.FrameOptionsConfig for additional customizations

frameOptions

public HeadersConfigurer<H> frameOptions(Customizer<HeadersConfigurer.FrameOptionsConfig> frameOptionsCustomizer)

Allows customizing the XFrameOptionsHeaderWriter.

Parameters:

frameOptionsCustomizer - the Customizer to provide more options for the HeadersConfigurer.FrameOptionsConfig

Returns:

the HeadersConfigurer for additional customizations

httpPublicKeyPinning

public HeadersConfigurer.HpkpConfig httpPublicKeyPinning()

Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP).

Returns:

the HeadersConfigurer.HpkpConfig for additional customizations

Since:

4.1

httpPublicKeyPinning

public HeadersConfigurer<H> httpPublicKeyPinning(Customizer<HeadersConfigurer.HpkpConfig> hpkpCustomizer)

Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP).

Parameters:

hpkpCustomizer - the Customizer to provide more options for the HeadersConfigurer.HpkpConfig

Returns:

the HeadersConfigurer for additional customizations

contentSecurityPolicy

public HeadersConfigurer.ContentSecurityPolicyConfig contentSecurityPolicy(java.lang.String policyDirectives)

Allows configuration for Content Security Policy (CSP) Level 2.

Calling this method automatically enables (includes) the Content-Security-Policy header in the response using the supplied security policy directive(s).

Configuration is provided to the ContentSecurityPolicyHeaderWriter which supports the writing of the two headers as detailed in the W3C Candidate Recommendation:

• Content-Security-Policy
• Content-Security-Policy-Report-Only

Returns:

the HeadersConfigurer.ContentSecurityPolicyConfig for additional configuration

Throws:

java.lang.IllegalArgumentException - if policyDirectives is null or empty

Since:

4.1

See Also:

ContentSecurityPolicyHeaderWriter

contentSecurityPolicy

public HeadersConfigurer<H> contentSecurityPolicy(Customizer<HeadersConfigurer.ContentSecurityPolicyConfig> contentSecurityCustomizer)

Allows configuration for Content Security Policy (CSP) Level 2.

Calling this method automatically enables (includes) the Content-Security-Policy header in the response using the supplied security policy directive(s).

Configuration is provided to the ContentSecurityPolicyHeaderWriter which supports the writing of the two headers as detailed in the W3C Candidate Recommendation:

• Content-Security-Policy
• Content-Security-Policy-Report-Only

Parameters:

contentSecurityCustomizer - the Customizer to provide more options for the HeadersConfigurer.ContentSecurityPolicyConfig

Returns:

the HeadersConfigurer for additional customizations

See Also:

ContentSecurityPolicyHeaderWriter

defaultsDisabled

public HeadersConfigurer<H> defaultsDisabled()

Clears all of the default headers from the response. After doing so, one can add headers back. For example, if you only want to use Spring Security's cache control you can use the following:

 http.headers().defaultsDisabled().cacheControl();
 

Returns:

the HeadersConfigurer for additional customization

configure

public void configure(H http)

Description copied from interface: SecurityConfigurer

Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.

Specified by:

configure in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

Overrides:

configure in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

referrerPolicy

public HeadersConfigurer.ReferrerPolicyConfig referrerPolicy()

Allows configuration for Referrer Policy.

Configuration is provided to the ReferrerPolicyHeaderWriter which support the writing of the header as detailed in the W3C Technical Report:

• Referrer-Policy

Default value is:

 Referrer-Policy: no-referrer
 

Returns:

the HeadersConfigurer.ReferrerPolicyConfig for additional configuration

Since:

4.2

See Also:

ReferrerPolicyHeaderWriter

referrerPolicy

public HeadersConfigurer.ReferrerPolicyConfig referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy policy)

Allows configuration for Referrer Policy.

Configuration is provided to the ReferrerPolicyHeaderWriter which support the writing of the header as detailed in the W3C Technical Report:

• Referrer-Policy

Returns:

the HeadersConfigurer.ReferrerPolicyConfig for additional configuration

Throws:

java.lang.IllegalArgumentException - if policy is null or empty

Since:

4.2

See Also:

ReferrerPolicyHeaderWriter

referrerPolicy

public HeadersConfigurer<H> referrerPolicy(Customizer<HeadersConfigurer.ReferrerPolicyConfig> referrerPolicyCustomizer)

Allows configuration for Referrer Policy.

Configuration is provided to the ReferrerPolicyHeaderWriter which support the writing of the header as detailed in the W3C Technical Report:

• Referrer-Policy

Parameters:

referrerPolicyCustomizer - the Customizer to provide more options for the HeadersConfigurer.ReferrerPolicyConfig

Returns:

the HeadersConfigurer for additional customizations

See Also:

ReferrerPolicyHeaderWriter

featurePolicy

@Deprecated
public HeadersConfigurer.FeaturePolicyConfig featurePolicy(java.lang.String policyDirectives)

Deprecated.

Use permissionsPolicy(Customizer) instead.

Allows configuration for Feature Policy.

Calling this method automatically enables (includes) the Feature-Policy header in the response using the supplied policy directive(s).

Configuration is provided to the FeaturePolicyHeaderWriter which is responsible for writing the header.

Returns:

the HeadersConfigurer.FeaturePolicyConfig for additional configuration

Throws:

java.lang.IllegalArgumentException - if policyDirectives is null or empty

Since:

5.1

permissionsPolicy

public HeadersConfigurer.PermissionsPolicyConfig permissionsPolicy()

Allows configuration for Permissions Policy.

Configuration is provided to the PermissionsPolicyHeaderWriter which support the writing of the header as detailed in the W3C Technical Report:

• Permissions-Policy

Returns:

the HeadersConfigurer.PermissionsPolicyConfig for additional configuration

Since:

5.5

See Also:

PermissionsPolicyHeaderWriter

permissionsPolicy

public HeadersConfigurer.PermissionsPolicyConfig permissionsPolicy(Customizer<HeadersConfigurer.PermissionsPolicyConfig> permissionsPolicyCustomizer)

Allows configuration for Permissions Policy.

Calling this method automatically enables (includes) the Permissions-Policy header in the response using the supplied policy directive(s).

Configuration is provided to the PermissionsPolicyHeaderWriter which is responsible for writing the header.

Returns:

the HeadersConfigurer.PermissionsPolicyConfig for additional configuration

Throws:

java.lang.IllegalArgumentException - if policyDirectives is null or empty

Since:

5.5

See Also:

PermissionsPolicyHeaderWriter

crossOriginOpenerPolicy

public HeadersConfigurer.CrossOriginOpenerPolicyConfig crossOriginOpenerPolicy()

Allows configuration for Cross-Origin-Opener-Policy header.

Configuration is provided to the CrossOriginOpenerPolicyHeaderWriter which responsible for writing the header.

Returns:

the HeadersConfigurer.CrossOriginOpenerPolicyConfig for additional confniguration

Since:

5.7

See Also:

CrossOriginOpenerPolicyHeaderWriter

crossOriginOpenerPolicy

public HeadersConfigurer<H> crossOriginOpenerPolicy(Customizer<HeadersConfigurer.CrossOriginOpenerPolicyConfig> crossOriginOpenerPolicyCustomizer)

Allows configuration for Cross-Origin-Opener-Policy header.

Calling this method automatically enables (includes) the Cross-Origin-Opener-Policy header in the response using the supplied policy.

Configuration is provided to the CrossOriginOpenerPolicyHeaderWriter which responsible for writing the header.

Returns:

the HeadersConfigurer for additional customizations

Since:

5.7

See Also:

CrossOriginOpenerPolicyHeaderWriter

crossOriginEmbedderPolicy

public HeadersConfigurer.CrossOriginEmbedderPolicyConfig crossOriginEmbedderPolicy()

Allows configuration for Cross-Origin-Embedder-Policy header.

Configuration is provided to the CrossOriginEmbedderPolicyHeaderWriter which is responsible for writing the header.

Returns:

the HeadersConfigurer.CrossOriginEmbedderPolicyConfig for additional customizations

Since:

5.7

See Also:

CrossOriginEmbedderPolicyHeaderWriter

crossOriginEmbedderPolicy

public HeadersConfigurer<H> crossOriginEmbedderPolicy(Customizer<HeadersConfigurer.CrossOriginEmbedderPolicyConfig> crossOriginEmbedderPolicyCustomizer)

Allows configuration for Cross-Origin-Embedder-Policy header.

Calling this method automatically enables (includes) the Cross-Origin-Embedder-Policy header in the response using the supplied policy.

Configuration is provided to the CrossOriginEmbedderPolicyHeaderWriter which is responsible for writing the header.

Returns:

the HeadersConfigurer for additional customizations

Since:

5.7

See Also:

CrossOriginEmbedderPolicyHeaderWriter

crossOriginResourcePolicy

public HeadersConfigurer.CrossOriginResourcePolicyConfig crossOriginResourcePolicy()

Allows configuration for Cross-Origin-Resource-Policy header.

Configuration is provided to the CrossOriginResourcePolicyHeaderWriter which is responsible for writing the header:

Returns:

the HeadersConfigurer for additional customizations

Since:

5.7

See Also:

CrossOriginResourcePolicyHeaderWriter

crossOriginResourcePolicy

public HeadersConfigurer<H> crossOriginResourcePolicy(Customizer<HeadersConfigurer.CrossOriginResourcePolicyConfig> crossOriginResourcePolicyCustomizer)

Allows configuration for Cross-Origin-Resource-Policy header.

Calling this method automatically enables (includes) the Cross-Origin-Resource-Policy header in the response using the supplied policy.

Configuration is provided to the CrossOriginResourcePolicyHeaderWriter which is responsible for writing the header:

Returns:

the HeadersConfigurer for additional customizations

Since:

5.7

See Also:

CrossOriginResourcePolicyHeaderWriter