Package org.springframework.security.config.annotation.web.configurers

Class HeadersConfigurer.HstsConfig

java.lang.Object

org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.HstsConfig

Enclosing class:

HeadersConfigurer<H extends HttpSecurityBuilder<H>>

public final class HeadersConfigurer.HstsConfig
extends Object

Method Summary

Modifier and Type	Method	Description
HeadersConfigurer<H>	and()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
HeadersConfigurer<H>	disable()	Disables Strict Transport Security
HeadersConfigurer<H>.HstsConfig	includeSubDomains(boolean includeSubDomains)	If true, subdomains should be considered HSTS Hosts too.
HeadersConfigurer<H>.HstsConfig	maxAgeInSeconds(long maxAgeInSeconds)	Sets the value (in seconds) for the max-age directive of the Strict-Transport-Security header.
HeadersConfigurer<H>.HstsConfig	preload(boolean preload)	If true, preload will be included in HSTS Header.
HeadersConfigurer<H>.HstsConfig	requestMatcher(RequestMatcher requestMatcher)	Sets the RequestMatcher used to determine if the "Strict-Transport-Security" should be added.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Details

maxAgeInSeconds

public HeadersConfigurer<H>.HstsConfig maxAgeInSeconds(long maxAgeInSeconds)

Sets the value (in seconds) for the max-age directive of the Strict-Transport-Security header. The default is one year.

This instructs browsers how long to remember to keep this domain as a known HSTS Host. See Section 6.1.1 for additional details.

Parameters:

maxAgeInSeconds - the maximum amount of time (in seconds) to consider this domain as a known HSTS Host.

Throws:

IllegalArgumentException - if maxAgeInSeconds is negative

requestMatcher

public HeadersConfigurer<H>.HstsConfig requestMatcher(RequestMatcher requestMatcher)

Sets the RequestMatcher used to determine if the "Strict-Transport-Security" should be added. If true the header is added, else the header is not added. By default the header is added when ServletRequest.isSecure() returns true.

Parameters:

requestMatcher - the RequestMatcher to use.

Throws:

IllegalArgumentException - if RequestMatcher is null

includeSubDomains

public HeadersConfigurer<H>.HstsConfig includeSubDomains(boolean includeSubDomains)

If true, subdomains should be considered HSTS Hosts too. The default is true.

See Section 6.1.2 for additional details.

Parameters:

includeSubDomains - true to include subdomains, else false

preload

public HeadersConfigurer<H>.HstsConfig preload(boolean preload)

If true, preload will be included in HSTS Header. The default is false.

See Website hstspreload.org for additional details.

Parameters:

preload - true to include preload, else false

Since:

5.2.0

disable

public HeadersConfigurer<H> disable()

Disables Strict Transport Security

Returns:

the HeadersConfigurer for additional configuration

and

@Deprecated(since="6.1",
            forRemoval=true)
public HeadersConfigurer<H> and()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use HeadersConfigurer.httpStrictTransportSecurity(Customizer) instead

Allows completing configuration of Strict Transport Security and continuing configuration of headers.

Returns:

the HeadersConfigurer for additional configuration