org.springframework.security.config.annotation.web.configurers

Class HeadersConfigurer<H extends HttpSecurityBuilder<H>>

java.lang.Object

org.springframework.security.config.annotation.SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,B>

org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<HeadersConfigurer<H>,H>

org.springframework.security.config.annotation.web.configurers.HeadersConfigurer<H>

All Implemented Interfaces:

SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,H>

public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
extends AbstractHttpConfigurer<HeadersConfigurer<H>,H>

Adds the Security HTTP headers to the response. Security HTTP headers is activated by default when using WebSecurityConfigurerAdapter's default constructor.

The default headers include are:

 Cache-Control: no-cache, no-store, max-age=0, must-revalidate
 Pragma: no-cache
 Expires: 0
 X-Content-Type-Options: nosniff
 Strict-Transport-Security: max-age=31536000 ; includeSubDomains
 X-Frame-Options: DENY
 X-XSS-Protection: 1; mode=block
 

Since:

3.2

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
class	HeadersConfigurer.CacheControlConfig
class	HeadersConfigurer.ContentSecurityPolicyConfig
class	HeadersConfigurer.ContentTypeOptionsConfig
class	HeadersConfigurer.FeaturePolicyConfig
class	HeadersConfigurer.FrameOptionsConfig
class	HeadersConfigurer.HpkpConfig
class	HeadersConfigurer.HstsConfig
class	HeadersConfigurer.ReferrerPolicyConfig
class	HeadersConfigurer.XXssConfig

Constructor Summary

Constructors

Constructor and Description
HeadersConfigurer() Creates a new instance

Method Summary

Modifier and Type	Method and Description
HeadersConfigurer<H>	addHeaderWriter(org.springframework.security.web.header.HeaderWriter headerWriter) Adds a HeaderWriter instance
HeadersConfigurer.CacheControlConfig	cacheControl() Allows customizing the CacheControlHeadersWriter.
HeadersConfigurer<H>	cacheControl(Customizer<HeadersConfigurer.CacheControlConfig> cacheControlCustomizer) Allows customizing the CacheControlHeadersWriter.
void	configure(H http) Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
HeadersConfigurer<H>	contentSecurityPolicy(Customizer<HeadersConfigurer.ContentSecurityPolicyConfig> contentSecurityCustomizer) Allows configuration for Content Security Policy (CSP) Level 2.
HeadersConfigurer.ContentSecurityPolicyConfig	contentSecurityPolicy(java.lang.String policyDirectives) Allows configuration for Content Security Policy (CSP) Level 2.
HeadersConfigurer.ContentTypeOptionsConfig	contentTypeOptions() Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options:
HeadersConfigurer<H>	contentTypeOptions(Customizer<HeadersConfigurer.ContentTypeOptionsConfig> contentTypeOptionsCustomizer) Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options:
HeadersConfigurer<H>	defaultsDisabled() Clears all of the default headers from the response.
HeadersConfigurer.FeaturePolicyConfig	featurePolicy(java.lang.String policyDirectives) Allows configuration for Feature Policy.
HeadersConfigurer.FrameOptionsConfig	frameOptions() Allows customizing the XFrameOptionsHeaderWriter.
HeadersConfigurer<H>	frameOptions(Customizer<HeadersConfigurer.FrameOptionsConfig> frameOptionsCustomizer) Allows customizing the XFrameOptionsHeaderWriter.
HeadersConfigurer.HpkpConfig	httpPublicKeyPinning() Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP).
HeadersConfigurer<H>	httpPublicKeyPinning(Customizer<HeadersConfigurer.HpkpConfig> hpkpCustomizer) Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP).
HeadersConfigurer.HstsConfig	httpStrictTransportSecurity() Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).
HeadersConfigurer<H>	httpStrictTransportSecurity(Customizer<HeadersConfigurer.HstsConfig> hstsCustomizer) Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).
HeadersConfigurer.ReferrerPolicyConfig	referrerPolicy() Allows configuration for Referrer Policy.
HeadersConfigurer<H>	referrerPolicy(Customizer<HeadersConfigurer.ReferrerPolicyConfig> referrerPolicyCustomizer) Allows configuration for Referrer Policy.
HeadersConfigurer.ReferrerPolicyConfig	referrerPolicy(org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy policy) Allows configuration for Referrer Policy.
HeadersConfigurer.XXssConfig	xssProtection() Note this is not comprehensive XSS protection!
HeadersConfigurer<H>	xssProtection(Customizer<HeadersConfigurer.XXssConfig> xssCustomizer) Note this is not comprehensive XSS protection!

Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer

disable, withObjectPostProcessor

Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter

addObjectPostProcessor, and, getBuilder, init, postProcess, setBuilder

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

HeadersConfigurer

public HeadersConfigurer()

Creates a new instance

See Also:

HttpSecurity.headers()

Method Detail

addHeaderWriter

public HeadersConfigurer<H> addHeaderWriter(org.springframework.security.web.header.HeaderWriter headerWriter)

Adds a HeaderWriter instance

Parameters:

headerWriter - the HeaderWriter instance to add

Returns:

the HeadersConfigurer for additional customizations

contentTypeOptions

public HeadersConfigurer.ContentTypeOptionsConfig contentTypeOptions()

Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options:

 X-Content-Type-Options: nosniff
 

Returns:

the HeadersConfigurer.ContentTypeOptionsConfig for additional customizations

contentTypeOptions

public HeadersConfigurer<H> contentTypeOptions(Customizer<HeadersConfigurer.ContentTypeOptionsConfig> contentTypeOptionsCustomizer)

Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options:

 X-Content-Type-Options: nosniff
 

Parameters:

contentTypeOptionsCustomizer - the Customizer to provide more options for the HeadersConfigurer.ContentTypeOptionsConfig

Returns:

the HeadersConfigurer for additional customizations

xssProtection

public HeadersConfigurer.XXssConfig xssProtection()

Note this is not comprehensive XSS protection!

Allows customizing the XXssProtectionHeaderWriter which adds the X-XSS-Protection header

Returns:

the HeadersConfigurer.XXssConfig for additional customizations

xssProtection

public HeadersConfigurer<H> xssProtection(Customizer<HeadersConfigurer.XXssConfig> xssCustomizer)

Note this is not comprehensive XSS protection!

Allows customizing the XXssProtectionHeaderWriter which adds the X-XSS-Protection header

Parameters:

xssCustomizer - the Customizer to provide more options for the HeadersConfigurer.XXssConfig

Returns:

the HeadersConfigurer for additional customizations

cacheControl

public HeadersConfigurer.CacheControlConfig cacheControl()

Allows customizing the CacheControlHeadersWriter. Specifically it adds the following headers:

• Cache-Control: no-cache, no-store, max-age=0, must-revalidate
• Pragma: no-cache
• Expires: 0

Returns:

the HeadersConfigurer.CacheControlConfig for additional customizations

cacheControl

public HeadersConfigurer<H> cacheControl(Customizer<HeadersConfigurer.CacheControlConfig> cacheControlCustomizer)

Allows customizing the CacheControlHeadersWriter. Specifically it adds the following headers:

• Cache-Control: no-cache, no-store, max-age=0, must-revalidate
• Pragma: no-cache
• Expires: 0

Parameters:

cacheControlCustomizer - the Customizer to provide more options for the HeadersConfigurer.CacheControlConfig

Returns:

the HeadersConfigurer for additional customizations

httpStrictTransportSecurity

public HeadersConfigurer.HstsConfig httpStrictTransportSecurity()

Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).

Returns:

the HeadersConfigurer.HstsConfig for additional customizations

httpStrictTransportSecurity

public HeadersConfigurer<H> httpStrictTransportSecurity(Customizer<HeadersConfigurer.HstsConfig> hstsCustomizer)

Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).

Parameters:

hstsCustomizer - the Customizer to provide more options for the HeadersConfigurer.HstsConfig

Returns:

the HeadersConfigurer for additional customizations

frameOptions

public HeadersConfigurer.FrameOptionsConfig frameOptions()

Allows customizing the XFrameOptionsHeaderWriter.

Returns:

the HeadersConfigurer.FrameOptionsConfig for additional customizations

frameOptions

public HeadersConfigurer<H> frameOptions(Customizer<HeadersConfigurer.FrameOptionsConfig> frameOptionsCustomizer)

Allows customizing the XFrameOptionsHeaderWriter.

Parameters:

frameOptionsCustomizer - the Customizer to provide more options for the HeadersConfigurer.FrameOptionsConfig

Returns:

the HeadersConfigurer for additional customizations

httpPublicKeyPinning

public HeadersConfigurer.HpkpConfig httpPublicKeyPinning()

Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP).

Returns:

the HeadersConfigurer.HpkpConfig for additional customizations

Since:

4.1

httpPublicKeyPinning

public HeadersConfigurer<H> httpPublicKeyPinning(Customizer<HeadersConfigurer.HpkpConfig> hpkpCustomizer)

Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP).

Parameters:

hpkpCustomizer - the Customizer to provide more options for the HeadersConfigurer.HpkpConfig

Returns:

the HeadersConfigurer for additional customizations

contentSecurityPolicy

public HeadersConfigurer.ContentSecurityPolicyConfig contentSecurityPolicy(java.lang.String policyDirectives)

Allows configuration for Content Security Policy (CSP) Level 2.

Calling this method automatically enables (includes) the Content-Security-Policy header in the response using the supplied security policy directive(s).

Configuration is provided to the ContentSecurityPolicyHeaderWriter which supports the writing of the two headers as detailed in the W3C Candidate Recommendation:

• Content-Security-Policy
• Content-Security-Policy-Report-Only

Returns:

the HeadersConfigurer.ContentSecurityPolicyConfig for additional configuration

Throws:

java.lang.IllegalArgumentException - if policyDirectives is null or empty

Since:

4.1

See Also:

ContentSecurityPolicyHeaderWriter

contentSecurityPolicy

public HeadersConfigurer<H> contentSecurityPolicy(Customizer<HeadersConfigurer.ContentSecurityPolicyConfig> contentSecurityCustomizer)

Allows configuration for Content Security Policy (CSP) Level 2.

Calling this method automatically enables (includes) the Content-Security-Policy header in the response using the supplied security policy directive(s).

Configuration is provided to the ContentSecurityPolicyHeaderWriter which supports the writing of the two headers as detailed in the W3C Candidate Recommendation:

• Content-Security-Policy
• Content-Security-Policy-Report-Only

Parameters:

contentSecurityCustomizer - the Customizer to provide more options for the HeadersConfigurer.ContentSecurityPolicyConfig

Returns:

the HeadersConfigurer for additional customizations

See Also:

ContentSecurityPolicyHeaderWriter

defaultsDisabled

public HeadersConfigurer<H> defaultsDisabled()

Clears all of the default headers from the response. After doing so, one can add headers back. For example, if you only want to use Spring Security's cache control you can use the following:

 http.headers().defaultsDisabled().cacheControl();
 

Returns:

the HeadersConfigurer for additional customization

configure

public void configure(H http)

Description copied from interface: SecurityConfigurer

Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.

Specified by:

configure in interface SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

Overrides:

configure in class SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

referrerPolicy

public HeadersConfigurer.ReferrerPolicyConfig referrerPolicy()

Allows configuration for Referrer Policy.

Configuration is provided to the ReferrerPolicyHeaderWriter which support the writing of the header as detailed in the W3C Technical Report:

• Referrer-Policy

Default value is:

 Referrer-Policy: no-referrer
 

Returns:

the HeadersConfigurer.ReferrerPolicyConfig for additional configuration

Since:

4.2

See Also:

ReferrerPolicyHeaderWriter

referrerPolicy

public HeadersConfigurer.ReferrerPolicyConfig referrerPolicy(org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy policy)

Allows configuration for Referrer Policy.

Configuration is provided to the ReferrerPolicyHeaderWriter which support the writing of the header as detailed in the W3C Technical Report:

• Referrer-Policy

Returns:

the HeadersConfigurer.ReferrerPolicyConfig for additional configuration

Throws:

java.lang.IllegalArgumentException - if policy is null or empty

Since:

4.2

See Also:

ReferrerPolicyHeaderWriter

referrerPolicy

public HeadersConfigurer<H> referrerPolicy(Customizer<HeadersConfigurer.ReferrerPolicyConfig> referrerPolicyCustomizer)

Allows configuration for Referrer Policy.

Configuration is provided to the ReferrerPolicyHeaderWriter which support the writing of the header as detailed in the W3C Technical Report:

• Referrer-Policy

Parameters:

referrerPolicyCustomizer - the Customizer to provide more options for the HeadersConfigurer.ReferrerPolicyConfig

Returns:

the HeadersConfigurer for additional customizations

See Also:

ReferrerPolicyHeaderWriter

featurePolicy

public HeadersConfigurer.FeaturePolicyConfig featurePolicy(java.lang.String policyDirectives)

Allows configuration for Feature Policy.

Calling this method automatically enables (includes) the Feature-Policy header in the response using the supplied policy directive(s).

Configuration is provided to the FeaturePolicyHeaderWriter which is responsible for writing the header.

Returns:

the HeadersConfigurer.FeaturePolicyConfig for additional configuration

Throws:

java.lang.IllegalArgumentException - if policyDirectives is null or empty

Since:

5.1

See Also:

FeaturePolicyHeaderWriter