Package org.springframework.security.config.web.server

Class ServerHttpSecurity.HeaderSpec

java.lang.Object

org.springframework.security.config.web.server.ServerHttpSecurity.HeaderSpec

Enclosing class:

ServerHttpSecurity

public final class ServerHttpSecurity.HeaderSpec
extends Object

Configures HTTP Response Headers.

Since:

5.0

See Also:

• ServerHttpSecurity.headers()

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
final class	ServerHttpSecurity.HeaderSpec.CacheSpec	Configures cache control headers
final class	ServerHttpSecurity.HeaderSpec.ContentSecurityPolicySpec	Configures Content-Security-Policy response header.
final class	ServerHttpSecurity.HeaderSpec.ContentTypeOptionsSpec	The content type headers
final class	ServerHttpSecurity.HeaderSpec.CrossOriginEmbedderPolicySpec	Configures the Cross-Origin-Embedder-Policy header
final class	ServerHttpSecurity.HeaderSpec.CrossOriginOpenerPolicySpec	Configures the Cross-Origin-Opener-Policy header
final class	ServerHttpSecurity.HeaderSpec.CrossOriginResourcePolicySpec	Configures the Cross-Origin-Resource-Policy header
final class	ServerHttpSecurity.HeaderSpec.FeaturePolicySpec	Configures Feature-Policy response header.
final class	ServerHttpSecurity.HeaderSpec.FrameOptionsSpec	Configures frame options response header
final class	ServerHttpSecurity.HeaderSpec.HstsSpec	Configures Strict Transport Security response header
final class	ServerHttpSecurity.HeaderSpec.PermissionsPolicySpec	Configures Permissions-Policy response header.
final class	ServerHttpSecurity.HeaderSpec.ReferrerPolicySpec	Configures Referrer-Policy response header.
final class	ServerHttpSecurity.HeaderSpec.XssProtectionSpec	Configures x-xss-protection response header

Method Summary

Modifier and Type	Method	Description
ServerHttpSecurity	and()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
ServerHttpSecurity.HeaderSpec.CacheSpec	cache()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
ServerHttpSecurity.HeaderSpec	cache(Customizer<ServerHttpSecurity.HeaderSpec.CacheSpec> cacheCustomizer)	Configures cache control headers
protected void	configure(ServerHttpSecurity http)
ServerHttpSecurity.HeaderSpec.ContentSecurityPolicySpec	contentSecurityPolicy(String policyDirectives)	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
ServerHttpSecurity.HeaderSpec	contentSecurityPolicy(Customizer<ServerHttpSecurity.HeaderSpec.ContentSecurityPolicySpec> contentSecurityPolicyCustomizer)	Configures Content-Security-Policy response header.
ServerHttpSecurity.HeaderSpec.ContentTypeOptionsSpec	contentTypeOptions()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
ServerHttpSecurity.HeaderSpec	contentTypeOptions(Customizer<ServerHttpSecurity.HeaderSpec.ContentTypeOptionsSpec> contentTypeOptionsCustomizer)	Configures content type response headers
ServerHttpSecurity.HeaderSpec.CrossOriginEmbedderPolicySpec	crossOriginEmbedderPolicy()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
ServerHttpSecurity.HeaderSpec	crossOriginEmbedderPolicy(Customizer<ServerHttpSecurity.HeaderSpec.CrossOriginEmbedderPolicySpec> crossOriginEmbedderPolicyCustomizer)	Configures the Cross-Origin-Embedder-Policy header.
ServerHttpSecurity.HeaderSpec.CrossOriginOpenerPolicySpec	crossOriginOpenerPolicy()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
ServerHttpSecurity.HeaderSpec	crossOriginOpenerPolicy(Customizer<ServerHttpSecurity.HeaderSpec.CrossOriginOpenerPolicySpec> crossOriginOpenerPolicyCustomizer)	Configures the Cross-Origin-Opener-Policy header.
ServerHttpSecurity.HeaderSpec.CrossOriginResourcePolicySpec	crossOriginResourcePolicy()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
ServerHttpSecurity.HeaderSpec	crossOriginResourcePolicy(Customizer<ServerHttpSecurity.HeaderSpec.CrossOriginResourcePolicySpec> crossOriginResourcePolicyCustomizer)	Configures the Cross-Origin-Resource-Policy header.
ServerHttpSecurity	disable()	Disables http response headers
ServerHttpSecurity.HeaderSpec.FeaturePolicySpec	featurePolicy(String policyDirectives)	Deprecated. For removal in 7.0.
ServerHttpSecurity.HeaderSpec.FrameOptionsSpec	frameOptions()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
ServerHttpSecurity.HeaderSpec	frameOptions(Customizer<ServerHttpSecurity.HeaderSpec.FrameOptionsSpec> frameOptionsCustomizer)	Configures frame options response headers
ServerHttpSecurity.HeaderSpec.HstsSpec	hsts()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
ServerHttpSecurity.HeaderSpec	hsts(Customizer<ServerHttpSecurity.HeaderSpec.HstsSpec> hstsCustomizer)	Configures the Strict Transport Security response headers
ServerHttpSecurity.HeaderSpec.PermissionsPolicySpec	permissionsPolicy()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
ServerHttpSecurity.HeaderSpec	permissionsPolicy(Customizer<ServerHttpSecurity.HeaderSpec.PermissionsPolicySpec> permissionsPolicyCustomizer)	Configures Permissions-Policy response header.
ServerHttpSecurity.HeaderSpec.ReferrerPolicySpec	referrerPolicy()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
ServerHttpSecurity.HeaderSpec	referrerPolicy(Customizer<ServerHttpSecurity.HeaderSpec.ReferrerPolicySpec> referrerPolicyCustomizer)	Configures Referrer-Policy response header.
ServerHttpSecurity.HeaderSpec.ReferrerPolicySpec	referrerPolicy(ReferrerPolicyServerHttpHeadersWriter.ReferrerPolicy referrerPolicy)	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
ServerHttpSecurity.HeaderSpec	writer(ServerHttpHeadersWriter serverHttpHeadersWriter)	Configures custom headers writer
ServerHttpSecurity.HeaderSpec.XssProtectionSpec	xssProtection()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
ServerHttpSecurity.HeaderSpec	xssProtection(Customizer<ServerHttpSecurity.HeaderSpec.XssProtectionSpec> xssProtectionCustomizer)	Configures x-xss-protection response header.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Details

and

@Deprecated(since="6.1",
            forRemoval=true)
public ServerHttpSecurity and()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use ServerHttpSecurity.headers(Customizer) or headers(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.

Allows method chaining to continue configuring the ServerHttpSecurity

Returns:

the ServerHttpSecurity to continue configuring

disable

public ServerHttpSecurity disable()

Disables http response headers

Returns:

the ServerHttpSecurity to continue configuring

cache

@Deprecated(since="6.1",
            forRemoval=true)
public ServerHttpSecurity.HeaderSpec.CacheSpec cache()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use cache(Customizer) or cache(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.

Configures cache control headers

Returns:

the ServerHttpSecurity.HeaderSpec.CacheSpec to configure

cache

public ServerHttpSecurity.HeaderSpec cache(Customizer<ServerHttpSecurity.HeaderSpec.CacheSpec> cacheCustomizer)

Configures cache control headers

Parameters:

cacheCustomizer - the Customizer to provide more options for the ServerHttpSecurity.HeaderSpec.CacheSpec

Returns:

the ServerHttpSecurity.HeaderSpec to customize

contentTypeOptions

@Deprecated(since="6.1",
            forRemoval=true)
public ServerHttpSecurity.HeaderSpec.ContentTypeOptionsSpec contentTypeOptions()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use contentTypeOptions(Customizer) instead

Configures content type response headers

Returns:

the ServerHttpSecurity.HeaderSpec.ContentTypeOptionsSpec to configure

contentTypeOptions

public ServerHttpSecurity.HeaderSpec contentTypeOptions(Customizer<ServerHttpSecurity.HeaderSpec.ContentTypeOptionsSpec> contentTypeOptionsCustomizer)

Configures content type response headers

Parameters:

contentTypeOptionsCustomizer - the Customizer to provide more options for the ServerHttpSecurity.HeaderSpec.ContentTypeOptionsSpec

Returns:

the ServerHttpSecurity.HeaderSpec to customize

frameOptions

@Deprecated(since="6.1",
            forRemoval=true)
public ServerHttpSecurity.HeaderSpec.FrameOptionsSpec frameOptions()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use frameOptions(Customizer) or frameOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.

Configures frame options response headers

Returns:

the ServerHttpSecurity.HeaderSpec.FrameOptionsSpec to configure

frameOptions

public ServerHttpSecurity.HeaderSpec frameOptions(Customizer<ServerHttpSecurity.HeaderSpec.FrameOptionsSpec> frameOptionsCustomizer)

Configures frame options response headers

Parameters:

frameOptionsCustomizer - the Customizer to provide more options for the ServerHttpSecurity.HeaderSpec.FrameOptionsSpec

Returns:

the ServerHttpSecurity.HeaderSpec to customize

writer

public ServerHttpSecurity.HeaderSpec writer(ServerHttpHeadersWriter serverHttpHeadersWriter)

Configures custom headers writer

Parameters:

serverHttpHeadersWriter - the ServerHttpHeadersWriter to provide custom headers writer

Returns:

the ServerHttpSecurity.HeaderSpec to customize

Since:

5.3.0

hsts

@Deprecated(since="6.1",
            forRemoval=true)
public ServerHttpSecurity.HeaderSpec.HstsSpec hsts()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use hsts(Customizer) or hsts(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.

Configures the Strict Transport Security response headers

Returns:

the ServerHttpSecurity.HeaderSpec.HstsSpec to configure

hsts

public ServerHttpSecurity.HeaderSpec hsts(Customizer<ServerHttpSecurity.HeaderSpec.HstsSpec> hstsCustomizer)

Configures the Strict Transport Security response headers

Parameters:

hstsCustomizer - the Customizer to provide more options for the ServerHttpSecurity.HeaderSpec.HstsSpec

Returns:

the ServerHttpSecurity.HeaderSpec to customize

configure

protected void configure(ServerHttpSecurity http)

xssProtection

@Deprecated(since="6.1",
            forRemoval=true)
public ServerHttpSecurity.HeaderSpec.XssProtectionSpec xssProtection()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use xssProtection(Customizer) or xssProtection(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.

Configures x-xss-protection response header.

Returns:

the ServerHttpSecurity.HeaderSpec.XssProtectionSpec to configure

xssProtection

public ServerHttpSecurity.HeaderSpec xssProtection(Customizer<ServerHttpSecurity.HeaderSpec.XssProtectionSpec> xssProtectionCustomizer)

Configures x-xss-protection response header.

Parameters:

xssProtectionCustomizer - the Customizer to provide more options for the ServerHttpSecurity.HeaderSpec.XssProtectionSpec

Returns:

the ServerHttpSecurity.HeaderSpec to customize

contentSecurityPolicy

@Deprecated(since="6.1",
            forRemoval=true)
public ServerHttpSecurity.HeaderSpec.ContentSecurityPolicySpec contentSecurityPolicy(String policyDirectives)

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use contentSecurityPolicy(Customizer) instead.

Configures Content-Security-Policy response header.

Parameters:

policyDirectives - the policy directive(s)

Returns:

the ServerHttpSecurity.HeaderSpec.ContentSecurityPolicySpec to configure

contentSecurityPolicy

public ServerHttpSecurity.HeaderSpec contentSecurityPolicy(Customizer<ServerHttpSecurity.HeaderSpec.ContentSecurityPolicySpec> contentSecurityPolicyCustomizer)

Configures Content-Security-Policy response header.

Parameters:

contentSecurityPolicyCustomizer - the Customizer to provide more options for the ServerHttpSecurity.HeaderSpec.ContentSecurityPolicySpec

Returns:

the ServerHttpSecurity.HeaderSpec to customize

featurePolicy

@Deprecated
public ServerHttpSecurity.HeaderSpec.FeaturePolicySpec featurePolicy(String policyDirectives)

Deprecated.

For removal in 7.0. Use permissionsPolicy(Customizer) instead.

Configures Feature-Policy response header.

Parameters:

policyDirectives - the policy

Returns:

the ServerHttpSecurity.HeaderSpec.FeaturePolicySpec to configure

permissionsPolicy

@Deprecated(since="6.1",
            forRemoval=true)
public ServerHttpSecurity.HeaderSpec.PermissionsPolicySpec permissionsPolicy()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use permissionsPolicy(Customizer) instead.

Configures Permissions-Policy response header.

Returns:

the ServerHttpSecurity.HeaderSpec.PermissionsPolicySpec to configure

permissionsPolicy

public ServerHttpSecurity.HeaderSpec permissionsPolicy(Customizer<ServerHttpSecurity.HeaderSpec.PermissionsPolicySpec> permissionsPolicyCustomizer)

Configures Permissions-Policy response header.

Parameters:

permissionsPolicyCustomizer - the Customizer to provide more options for the ServerHttpSecurity.HeaderSpec.PermissionsPolicySpec

Returns:

the ServerHttpSecurity.HeaderSpec to customize

referrerPolicy

@Deprecated(since="6.1",
            forRemoval=true)
public ServerHttpSecurity.HeaderSpec.ReferrerPolicySpec referrerPolicy(ReferrerPolicyServerHttpHeadersWriter.ReferrerPolicy referrerPolicy)

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use referrerPolicy(Customizer) instead.

Configures Referrer-Policy response header.

Parameters:

referrerPolicy - the policy to use

Returns:

the ServerHttpSecurity.HeaderSpec.ReferrerPolicySpec to configure

referrerPolicy

@Deprecated(since="6.1",
            forRemoval=true)
public ServerHttpSecurity.HeaderSpec.ReferrerPolicySpec referrerPolicy()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use referrerPolicy(Customizer) instead.

Configures Referrer-Policy response header.

Returns:

the ServerHttpSecurity.HeaderSpec.ReferrerPolicySpec to configure

referrerPolicy

public ServerHttpSecurity.HeaderSpec referrerPolicy(Customizer<ServerHttpSecurity.HeaderSpec.ReferrerPolicySpec> referrerPolicyCustomizer)

Configures Referrer-Policy response header.

Parameters:

referrerPolicyCustomizer - the Customizer to provide more options for the ServerHttpSecurity.HeaderSpec.ReferrerPolicySpec

Returns:

the ServerHttpSecurity.HeaderSpec to customize

crossOriginOpenerPolicy

@Deprecated(since="6.1",
            forRemoval=true)
public ServerHttpSecurity.HeaderSpec.CrossOriginOpenerPolicySpec crossOriginOpenerPolicy()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use crossOriginOpenerPolicy(Customizer) instead.

Configures the Cross-Origin-Opener-Policy header.

Returns:

the ServerHttpSecurity.HeaderSpec.CrossOriginOpenerPolicySpec to configure

Since:

5.7

See Also:

• CrossOriginOpenerPolicyServerHttpHeadersWriter

crossOriginOpenerPolicy

public ServerHttpSecurity.HeaderSpec crossOriginOpenerPolicy(Customizer<ServerHttpSecurity.HeaderSpec.CrossOriginOpenerPolicySpec> crossOriginOpenerPolicyCustomizer)

Configures the Cross-Origin-Opener-Policy header.

Returns:

the ServerHttpSecurity.HeaderSpec to customize

Since:

5.7

See Also:

• CrossOriginOpenerPolicyServerHttpHeadersWriter

crossOriginEmbedderPolicy

@Deprecated(since="6.1",
            forRemoval=true)
public ServerHttpSecurity.HeaderSpec.CrossOriginEmbedderPolicySpec crossOriginEmbedderPolicy()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use crossOriginEmbedderPolicy(Customizer) instead.

Configures the Cross-Origin-Embedder-Policy header.

Returns:

the ServerHttpSecurity.HeaderSpec.CrossOriginEmbedderPolicySpec to configure

Since:

5.7

See Also:

• CrossOriginEmbedderPolicyServerHttpHeadersWriter

crossOriginEmbedderPolicy

public ServerHttpSecurity.HeaderSpec crossOriginEmbedderPolicy(Customizer<ServerHttpSecurity.HeaderSpec.CrossOriginEmbedderPolicySpec> crossOriginEmbedderPolicyCustomizer)

Configures the Cross-Origin-Embedder-Policy header.

Returns:

the ServerHttpSecurity.HeaderSpec to customize

Since:

5.7

See Also:

• CrossOriginEmbedderPolicyServerHttpHeadersWriter

crossOriginResourcePolicy

@Deprecated(since="6.1",
            forRemoval=true)
public ServerHttpSecurity.HeaderSpec.CrossOriginResourcePolicySpec crossOriginResourcePolicy()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use crossOriginResourcePolicy(Customizer) instead.

Configures the Cross-Origin-Resource-Policy header.

Returns:

the ServerHttpSecurity.HeaderSpec.CrossOriginResourcePolicySpec to configure

Since:

5.7

See Also:

• CrossOriginResourcePolicyServerHttpHeadersWriter

crossOriginResourcePolicy

public ServerHttpSecurity.HeaderSpec crossOriginResourcePolicy(Customizer<ServerHttpSecurity.HeaderSpec.CrossOriginResourcePolicySpec> crossOriginResourcePolicyCustomizer)

Configures the Cross-Origin-Resource-Policy header.

Returns:

the ServerHttpSecurity.HeaderSpec to customize

Since:

5.7

See Also:

• CrossOriginResourcePolicyServerHttpHeadersWriter