Class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
- java.lang.Object
- org.springframework.security.config.annotation.SecurityConfigurerAdapter<DefaultSecurityFilterChain,B>
- org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<HeadersConfigurer<H>,H>
- org.springframework.security.config.annotation.web.configurers.HeadersConfigurer<H>
- All Implemented Interfaces: SecurityConfigurer<DefaultSecurityFilterChain,H>

public class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHttpConfigurer<HeadersConfigurer<H>,H>

Adds the Security HTTP headers to the response. Security HTTP headers are activated by default when using EnableWebSecurity's default constructor. The default headers included are:
- Cache-Control: no-cache, no-store, max-age=0, must-revalidate
- Pragma: no-cache
- Expires: 0
- X-Content-Type-Options: nosniff
- Strict-Transport-Security: max-age=31536000 ; includeSubDomains
- X-Frame-Options: DENY
- X-XSS-Protection: 1; mode=block
- Since: 3.2
Nested Class Summary
- class HeadersConfigurer.CacheControlConfig
- class HeadersConfigurer.ContentSecurityPolicyConfig
- class HeadersConfigurer.ContentTypeOptionsConfig
- class HeadersConfigurer.CrossOriginEmbedderPolicyConfig
- class HeadersConfigurer.CrossOriginOpenerPolicyConfig
- class HeadersConfigurer.CrossOriginResourcePolicyConfig
- class HeadersConfigurer.FeaturePolicyConfig
- class HeadersConfigurer.FrameOptionsConfig
- class HeadersConfigurer.HpkpConfig (Deprecated. See Certificate and Public Key Pinning for more context.)
- class HeadersConfigurer.HstsConfig
- class HeadersConfigurer.PermissionsPolicyConfig
- class HeadersConfigurer.ReferrerPolicyConfig
- class HeadersConfigurer.XXssConfig
Constructor Summary
- HeadersConfigurer(): Creates a new instance

Method Summary
- Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer: disable, getSecurityContextHolderStrategy, withObjectPostProcessor
- Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter: addObjectPostProcessor, and, getBuilder, init, postProcess, setBuilder
Constructor Detail

HeadersConfigurer
public HeadersConfigurer()
Creates a new instance.
- See Also: HttpSecurity.headers()
Method Detail

addHeaderWriter
public HeadersConfigurer<H> addHeaderWriter(HeaderWriter headerWriter)
Adds a HeaderWriter instance.
- Parameters: headerWriter - the HeaderWriter instance to add
- Returns: the HeadersConfigurer for additional customizations
contentTypeOptions
public HeadersConfigurer.ContentTypeOptionsConfig contentTypeOptions()
Configures the XContentTypeOptionsHeaderWriter, which inserts the X-Content-Type-Options: nosniff header.
- Returns: the HeadersConfigurer.ContentTypeOptionsConfig for additional customizations

contentTypeOptions
public HeadersConfigurer<H> contentTypeOptions(Customizer<HeadersConfigurer.ContentTypeOptionsConfig> contentTypeOptionsCustomizer)
Configures the XContentTypeOptionsHeaderWriter, which inserts the X-Content-Type-Options: nosniff header.
- Parameters: contentTypeOptionsCustomizer - the Customizer to provide more options for the HeadersConfigurer.ContentTypeOptionsConfig
- Returns: the HeadersConfigurer for additional customizations
xssProtection
public HeadersConfigurer.XXssConfig xssProtection()
Note this is not comprehensive XSS protection! Allows customizing the XXssProtectionHeaderWriter, which adds the X-XSS-Protection header.
- Returns: the HeadersConfigurer.XXssConfig for additional customizations

xssProtection
public HeadersConfigurer<H> xssProtection(Customizer<HeadersConfigurer.XXssConfig> xssCustomizer)
Note this is not comprehensive XSS protection! Allows customizing the XXssProtectionHeaderWriter, which adds the X-XSS-Protection header.
- Parameters: xssCustomizer - the Customizer to provide more options for the HeadersConfigurer.XXssConfig
- Returns: the HeadersConfigurer for additional customizations
cacheControl
public HeadersConfigurer.CacheControlConfig cacheControl()
Allows customizing the CacheControlHeadersWriter. Specifically it adds the following headers:
- Cache-Control: no-cache, no-store, max-age=0, must-revalidate
- Pragma: no-cache
- Expires: 0
- Returns: the HeadersConfigurer.CacheControlConfig for additional customizations

cacheControl
public HeadersConfigurer<H> cacheControl(Customizer<HeadersConfigurer.CacheControlConfig> cacheControlCustomizer)
Allows customizing the CacheControlHeadersWriter. Specifically it adds the following headers:
- Cache-Control: no-cache, no-store, max-age=0, must-revalidate
- Pragma: no-cache
- Expires: 0
- Parameters: cacheControlCustomizer - the Customizer to provide more options for the HeadersConfigurer.CacheControlConfig
- Returns: the HeadersConfigurer for additional customizations
httpStrictTransportSecurity
public HeadersConfigurer.HstsConfig httpStrictTransportSecurity()
Allows customizing the HstsHeaderWriter, which provides support for HTTP Strict Transport Security (HSTS).
- Returns: the HeadersConfigurer.HstsConfig for additional customizations

httpStrictTransportSecurity
public HeadersConfigurer<H> httpStrictTransportSecurity(Customizer<HeadersConfigurer.HstsConfig> hstsCustomizer)
Allows customizing the HstsHeaderWriter, which provides support for HTTP Strict Transport Security (HSTS).
- Parameters: hstsCustomizer - the Customizer to provide more options for the HeadersConfigurer.HstsConfig
- Returns: the HeadersConfigurer for additional customizations
frameOptions
public HeadersConfigurer.FrameOptionsConfig frameOptions()
Allows customizing the XFrameOptionsHeaderWriter.
- Returns: the HeadersConfigurer.FrameOptionsConfig for additional customizations

frameOptions
public HeadersConfigurer<H> frameOptions(Customizer<HeadersConfigurer.FrameOptionsConfig> frameOptionsCustomizer)
Allows customizing the XFrameOptionsHeaderWriter.
- Parameters: frameOptionsCustomizer - the Customizer to provide more options for the HeadersConfigurer.FrameOptionsConfig
- Returns: the HeadersConfigurer for additional customizations
httpPublicKeyPinning
@Deprecated public HeadersConfigurer.HpkpConfig httpPublicKeyPinning()
Deprecated. See Certificate and Public Key Pinning for more context.
Allows customizing the HpkpHeaderWriter, which provides support for HTTP Public Key Pinning (HPKP).
- Returns: the HeadersConfigurer.HpkpConfig for additional customizations
- Since: 4.1

httpPublicKeyPinning
@Deprecated public HeadersConfigurer<H> httpPublicKeyPinning(Customizer<HeadersConfigurer.HpkpConfig> hpkpCustomizer)
Deprecated. See Certificate and Public Key Pinning for more context.
Allows customizing the HpkpHeaderWriter, which provides support for HTTP Public Key Pinning (HPKP).
- Parameters: hpkpCustomizer - the Customizer to provide more options for the HeadersConfigurer.HpkpConfig
- Returns: the HeadersConfigurer for additional customizations
contentSecurityPolicy
public HeadersConfigurer.ContentSecurityPolicyConfig contentSecurityPolicy(java.lang.String policyDirectives)
Allows configuration for Content Security Policy (CSP) Level 2.
Calling this method automatically enables (includes) the Content-Security-Policy header in the response using the supplied security policy directive(s).
Configuration is provided to the ContentSecurityPolicyHeaderWriter, which supports the writing of the two headers as detailed in the W3C Candidate Recommendation:
- Content-Security-Policy
- Content-Security-Policy-Report-Only
- Returns: the HeadersConfigurer.ContentSecurityPolicyConfig for additional configuration
- Throws: java.lang.IllegalArgumentException - if policyDirectives is null or empty
- Since: 4.1
- See Also: ContentSecurityPolicyHeaderWriter

contentSecurityPolicy
public HeadersConfigurer<H> contentSecurityPolicy(Customizer<HeadersConfigurer.ContentSecurityPolicyConfig> contentSecurityCustomizer)
Allows configuration for Content Security Policy (CSP) Level 2.
Calling this method automatically enables (includes) the Content-Security-Policy header in the response using the supplied security policy directive(s).
Configuration is provided to the ContentSecurityPolicyHeaderWriter, which supports the writing of the two headers as detailed in the W3C Candidate Recommendation:
- Content-Security-Policy
- Content-Security-Policy-Report-Only
- Parameters: contentSecurityCustomizer - the Customizer to provide more options for the HeadersConfigurer.ContentSecurityPolicyConfig
- Returns: the HeadersConfigurer for additional customizations
- See Also: ContentSecurityPolicyHeaderWriter
defaultsDisabled
public HeadersConfigurer<H> defaultsDisabled()
Clears all of the default headers from the response. After doing so, one can add headers back. For example, if you only want to use Spring Security's cache control you can use the following:
http.headers().defaultsDisabled().cacheControl();
- Returns: the HeadersConfigurer for additional customization
configure
public void configure(H http)
Description copied from interface: SecurityConfigurer
Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
- Specified by: configure in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
- Overrides: configure in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
referrerPolicy
public HeadersConfigurer.ReferrerPolicyConfig referrerPolicy()
Allows configuration for Referrer Policy.
Configuration is provided to the ReferrerPolicyHeaderWriter, which supports the writing of the header as detailed in the W3C Technical Report:
- Referrer-Policy
Default value is:
Referrer-Policy: no-referrer
- Returns: the HeadersConfigurer.ReferrerPolicyConfig for additional configuration
- Since: 4.2
- See Also: ReferrerPolicyHeaderWriter

referrerPolicy
public HeadersConfigurer.ReferrerPolicyConfig referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy policy)
Allows configuration for Referrer Policy.
Configuration is provided to the ReferrerPolicyHeaderWriter, which supports the writing of the header as detailed in the W3C Technical Report:
- Referrer-Policy
- Returns: the HeadersConfigurer.ReferrerPolicyConfig for additional configuration
- Throws: java.lang.IllegalArgumentException - if policy is null or empty
- Since: 4.2
- See Also: ReferrerPolicyHeaderWriter

referrerPolicy
public HeadersConfigurer<H> referrerPolicy(Customizer<HeadersConfigurer.ReferrerPolicyConfig> referrerPolicyCustomizer)
Allows configuration for Referrer Policy.
Configuration is provided to the ReferrerPolicyHeaderWriter, which supports the writing of the header as detailed in the W3C Technical Report:
- Referrer-Policy
- Parameters: referrerPolicyCustomizer - the Customizer to provide more options for the HeadersConfigurer.ReferrerPolicyConfig
- Returns: the HeadersConfigurer for additional customizations
- See Also: ReferrerPolicyHeaderWriter
featurePolicy
@Deprecated public HeadersConfigurer.FeaturePolicyConfig featurePolicy(java.lang.String policyDirectives)
Deprecated. Use permissionsPolicy(Customizer) instead.
Allows configuration for Feature Policy. Calling this method automatically enables (includes) the Feature-Policy header in the response using the supplied policy directive(s). Configuration is provided to the FeaturePolicyHeaderWriter, which is responsible for writing the header.
- Returns: the HeadersConfigurer.FeaturePolicyConfig for additional configuration
- Throws: java.lang.IllegalArgumentException - if policyDirectives is null or empty
- Since: 5.1
permissionsPolicy
public HeadersConfigurer.PermissionsPolicyConfig permissionsPolicy()
Allows configuration for Permissions Policy.
Configuration is provided to the PermissionsPolicyHeaderWriter, which supports the writing of the header as detailed in the W3C Technical Report:
- Permissions-Policy
- Returns: the HeadersConfigurer.PermissionsPolicyConfig for additional configuration
- Since: 5.5
- See Also: PermissionsPolicyHeaderWriter

permissionsPolicy
public HeadersConfigurer.PermissionsPolicyConfig permissionsPolicy(Customizer<HeadersConfigurer.PermissionsPolicyConfig> permissionsPolicyCustomizer)
Allows configuration for Permissions Policy. Calling this method automatically enables (includes) the Permissions-Policy header in the response using the supplied policy directive(s). Configuration is provided to the PermissionsPolicyHeaderWriter, which is responsible for writing the header.
- Returns: the HeadersConfigurer.PermissionsPolicyConfig for additional configuration
- Throws: java.lang.IllegalArgumentException - if policyDirectives is null or empty
- Since: 5.5
- See Also: PermissionsPolicyHeaderWriter
crossOriginOpenerPolicy
public HeadersConfigurer.CrossOriginOpenerPolicyConfig crossOriginOpenerPolicy()
Allows configuration for the Cross-Origin-Opener-Policy header. Configuration is provided to the CrossOriginOpenerPolicyHeaderWriter, which is responsible for writing the header.
- Returns: the HeadersConfigurer.CrossOriginOpenerPolicyConfig for additional configuration
- Since: 5.7
- See Also: CrossOriginOpenerPolicyHeaderWriter

crossOriginOpenerPolicy
public HeadersConfigurer<H> crossOriginOpenerPolicy(Customizer<HeadersConfigurer.CrossOriginOpenerPolicyConfig> crossOriginOpenerPolicyCustomizer)
Allows configuration for the Cross-Origin-Opener-Policy header. Calling this method automatically enables (includes) the Cross-Origin-Opener-Policy header in the response using the supplied policy. Configuration is provided to the CrossOriginOpenerPolicyHeaderWriter, which is responsible for writing the header.
- Returns: the HeadersConfigurer for additional customizations
- Since: 5.7
- See Also: CrossOriginOpenerPolicyHeaderWriter
crossOriginEmbedderPolicy
public HeadersConfigurer.CrossOriginEmbedderPolicyConfig crossOriginEmbedderPolicy()
Allows configuration for the Cross-Origin-Embedder-Policy header. Configuration is provided to the CrossOriginEmbedderPolicyHeaderWriter, which is responsible for writing the header.
- Returns: the HeadersConfigurer.CrossOriginEmbedderPolicyConfig for additional customizations
- Since: 5.7
- See Also: CrossOriginEmbedderPolicyHeaderWriter

crossOriginEmbedderPolicy
public HeadersConfigurer<H> crossOriginEmbedderPolicy(Customizer<HeadersConfigurer.CrossOriginEmbedderPolicyConfig> crossOriginEmbedderPolicyCustomizer)
Allows configuration for the Cross-Origin-Embedder-Policy header. Calling this method automatically enables (includes) the Cross-Origin-Embedder-Policy header in the response using the supplied policy. Configuration is provided to the CrossOriginEmbedderPolicyHeaderWriter, which is responsible for writing the header.
- Returns: the HeadersConfigurer for additional customizations
- Since: 5.7
- See Also: CrossOriginEmbedderPolicyHeaderWriter
crossOriginResourcePolicy
public HeadersConfigurer.CrossOriginResourcePolicyConfig crossOriginResourcePolicy()
Allows configuration for the Cross-Origin-Resource-Policy header. Configuration is provided to the CrossOriginResourcePolicyHeaderWriter, which is responsible for writing the header.
- Returns: the HeadersConfigurer for additional customizations
- Since: 5.7
- See Also: CrossOriginResourcePolicyHeaderWriter

crossOriginResourcePolicy
public HeadersConfigurer<H> crossOriginResourcePolicy(Customizer<HeadersConfigurer.CrossOriginResourcePolicyConfig> crossOriginResourcePolicyCustomizer)
Allows configuration for the Cross-Origin-Resource-Policy header. Calling this method automatically enables (includes) the Cross-Origin-Resource-Policy header in the response using the supplied policy. Configuration is provided to the CrossOriginResourcePolicyHeaderWriter, which is responsible for writing the header.
- Returns: the HeadersConfigurer for additional customizations
- Since: 5.7
- See Also: CrossOriginResourcePolicyHeaderWriter
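A complete SecurityFilterChain that exercises the Customizer-style methods on this page (HSTS, frame options, CSP, referrer policy, permissions policy, the three cross-origin policies, and addHeaderWriter), added here as an example and not taken from the Spring Security Javadoc or source. The nested config methods it calls (maxAgeInSeconds, includeSubDomains, deny, policyDirectives, policy) and StaticHeadersWriter are assumed from the Spring Security API rather than shown on this page.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.CrossOriginEmbedderPolicyHeaderWriter.CrossOriginEmbedderPolicy;
import org.springframework.security.web.header.writers.CrossOriginOpenerPolicyHeaderWriter.CrossOriginOpenerPolicy;
import org.springframework.security.web.header.writers.CrossOriginResourcePolicyHeaderWriter.CrossOriginResourcePolicy;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

@Configuration
@EnableWebSecurity
public class HeadersSecurityConfig {

    @Bean
    SecurityFilterChain headersFilterChain(HttpSecurity http) throws Exception {
        http.headers(headers -> headers
            // defaultsDisabled() is deliberately NOT called, so Cache-Control, Pragma, Expires,
            // X-Content-Type-Options, HSTS and X-Frame-Options defaults listed above stay on.
            .httpStrictTransportSecurity(hsts -> hsts
                .includeSubDomains(true)        // assumed HstsConfig method
                .maxAgeInSeconds(31536000))     // one year, matches the page's default max-age
            .frameOptions(frame -> frame.deny()) // assumed FrameOptionsConfig method
            // CSP: enabling Content-Security-Policy requires non-empty directives
            // (the page states IllegalArgumentException for null or empty input).
            .contentSecurityPolicy(csp -> csp
                .policyDirectives("default-src 'self'; object-src 'none'; frame-ancestors 'none'"))
            .referrerPolicy(referrer -> referrer
                .policy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN))
            .crossOriginOpenerPolicy(coop -> coop.policy(CrossOriginOpenerPolicy.SAME_ORIGIN))
            // REQUIRE_CORP blocks cross-origin subresources that lack CORP/CORS headers;
            // verify third-party assets still load before enabling it in production.
            .crossOriginEmbedderPolicy(coep -> coep.policy(CrossOriginEmbedderPolicy.REQUIRE_CORP))
            .crossOriginResourcePolicy(corp -> corp.policy(CrossOriginResourcePolicy.SAME_ORIGIN))
            // addHeaderWriter(HeaderWriter) covers a header with no dedicated configurer method.
            .addHeaderWriter(new StaticHeadersWriter("X-Permitted-Cross-Domain-Policies", "none"))
            // permissionsPolicy(Customizer) returns PermissionsPolicyConfig on this page's version,
            // not HeadersConfigurer, so it is placed last in the chain.
            .permissionsPolicy(permissions -> permissions
                .policy("camera=(), microphone=(), geolocation=()")));
        return http.build();
    }
}
```

Confirm the result by inspecting the response headers of any endpoint served by this chain: each configured header should be present once, alongside the defaults listed at the top of this page.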