Class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
- java.lang.Object
- org.springframework.security.config.annotation.SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,B>
- org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<HeadersConfigurer<H>,H>
- org.springframework.security.config.annotation.web.configurers.HeadersConfigurer<H>
- All Implemented Interfaces:
SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,H>
public class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHttpConfigurer<HeadersConfigurer<H>,H>
Adds the Security HTTP headers to the response. The Security HTTP headers are activated by default when using EnableWebSecurity's default constructor. The default headers included are:
- Cache-Control: no-cache, no-store, max-age=0, must-revalidate
- Pragma: no-cache
- Expires: 0
- X-Content-Type-Options: nosniff
- Strict-Transport-Security: max-age=31536000 ; includeSubDomains
- X-Frame-Options: DENY
- X-XSS-Protection: 1; mode=block
- Since:
- 3.2
Nested Class Summary
- class HeadersConfigurer.CacheControlConfig
- class HeadersConfigurer.ContentSecurityPolicyConfig
- class HeadersConfigurer.ContentTypeOptionsConfig
- class HeadersConfigurer.CrossOriginEmbedderPolicyConfig
- class HeadersConfigurer.CrossOriginOpenerPolicyConfig
- class HeadersConfigurer.CrossOriginResourcePolicyConfig
- class HeadersConfigurer.FeaturePolicyConfig
- class HeadersConfigurer.FrameOptionsConfig
- class HeadersConfigurer.HpkpConfig (Deprecated. See Certificate and Public Key Pinning for more context.)
- class HeadersConfigurer.HstsConfig
- class HeadersConfigurer.PermissionsPolicyConfig
- class HeadersConfigurer.ReferrerPolicyConfig
- class HeadersConfigurer.XXssConfig
-
Constructor Summary
- HeadersConfigurer(): Creates a new instance
-
Method Summary
-
Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer
disable, getSecurityContextHolderStrategy, withObjectPostProcessor
-
Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter
addObjectPostProcessor, and, getBuilder, init, postProcess, setBuilder
-
Constructor Detail
-
HeadersConfigurer
public HeadersConfigurer()
Creates a new instance.
- See Also:
HttpSecurity.headers()
-
Method Detail
-
addHeaderWriter
public HeadersConfigurer<H> addHeaderWriter(org.springframework.security.web.header.HeaderWriter headerWriter)
Adds a HeaderWriter instance.
- Parameters:
headerWriter - the HeaderWriter instance to add
- Returns:
the HeadersConfigurer for additional customizations
-
contentTypeOptions
public HeadersConfigurer.ContentTypeOptionsConfig contentTypeOptions()
Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options: nosniff header.
- Returns:
the HeadersConfigurer.ContentTypeOptionsConfig for additional customizations
-
contentTypeOptions
public HeadersConfigurer<H> contentTypeOptions(Customizer<HeadersConfigurer.ContentTypeOptionsConfig> contentTypeOptionsCustomizer)
Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options: nosniff header.
- Parameters:
contentTypeOptionsCustomizer - the Customizer to provide more options for the HeadersConfigurer.ContentTypeOptionsConfig
- Returns:
the HeadersConfigurer for additional customizations
-
xssProtection
public HeadersConfigurer.XXssConfig xssProtection()
Note this is not comprehensive XSS protection! Allows customizing the XXssProtectionHeaderWriter which adds the X-XSS-Protection header.
- Returns:
the HeadersConfigurer.XXssConfig for additional customizations
-
xssProtection
public HeadersConfigurer<H> xssProtection(Customizer<HeadersConfigurer.XXssConfig> xssCustomizer)
Note this is not comprehensive XSS protection! Allows customizing the XXssProtectionHeaderWriter which adds the X-XSS-Protection header.
- Parameters:
xssCustomizer - the Customizer to provide more options for the HeadersConfigurer.XXssConfig
- Returns:
the HeadersConfigurer for additional customizations
-
cacheControl
public HeadersConfigurer.CacheControlConfig cacheControl()
Allows customizing the CacheControlHeadersWriter. Specifically it adds the following headers:
- Cache-Control: no-cache, no-store, max-age=0, must-revalidate
- Pragma: no-cache
- Expires: 0
- Returns:
the HeadersConfigurer.CacheControlConfig for additional customizations
-
cacheControl
public HeadersConfigurer<H> cacheControl(Customizer<HeadersConfigurer.CacheControlConfig> cacheControlCustomizer)
Allows customizing the CacheControlHeadersWriter. Specifically it adds the following headers:
- Cache-Control: no-cache, no-store, max-age=0, must-revalidate
- Pragma: no-cache
- Expires: 0
- Parameters:
cacheControlCustomizer - the Customizer to provide more options for the HeadersConfigurer.CacheControlConfig
- Returns:
the HeadersConfigurer for additional customizations
-
httpStrictTransportSecurity
public HeadersConfigurer.HstsConfig httpStrictTransportSecurity()
Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).
- Returns:
the HeadersConfigurer.HstsConfig for additional customizations
-
httpStrictTransportSecurity
public HeadersConfigurer<H> httpStrictTransportSecurity(Customizer<HeadersConfigurer.HstsConfig> hstsCustomizer)
Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).
- Parameters:
hstsCustomizer - the Customizer to provide more options for the HeadersConfigurer.HstsConfig
- Returns:
the HeadersConfigurer for additional customizations
-
frameOptions
public HeadersConfigurer.FrameOptionsConfig frameOptions()
Allows customizing the XFrameOptionsHeaderWriter.
- Returns:
the HeadersConfigurer.FrameOptionsConfig for additional customizations
-
frameOptions
public HeadersConfigurer<H> frameOptions(Customizer<HeadersConfigurer.FrameOptionsConfig> frameOptionsCustomizer)
Allows customizing the XFrameOptionsHeaderWriter.
- Parameters:
frameOptionsCustomizer - the Customizer to provide more options for the HeadersConfigurer.FrameOptionsConfig
- Returns:
the HeadersConfigurer for additional customizations
-
httpPublicKeyPinning
@Deprecated public HeadersConfigurer.HpkpConfig httpPublicKeyPinning()
Deprecated. See Certificate and Public Key Pinning for more context.
Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP).
- Returns:
the HeadersConfigurer.HpkpConfig for additional customizations
- Since:
- 4.1
-
httpPublicKeyPinning
@Deprecated public HeadersConfigurer<H> httpPublicKeyPinning(Customizer<HeadersConfigurer.HpkpConfig> hpkpCustomizer)
Deprecated. See Certificate and Public Key Pinning for more context.
Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP).
- Parameters:
hpkpCustomizer - the Customizer to provide more options for the HeadersConfigurer.HpkpConfig
- Returns:
the HeadersConfigurer for additional customizations
-
contentSecurityPolicy
public HeadersConfigurer.ContentSecurityPolicyConfig contentSecurityPolicy(java.lang.String policyDirectives)
Allows configuration for Content Security Policy (CSP) Level 2.
Calling this method automatically enables (includes) the Content-Security-Policy header in the response using the supplied security policy directive(s).
Configuration is provided to the ContentSecurityPolicyHeaderWriter which supports the writing of the two headers as detailed in the W3C Candidate Recommendation:
- Content-Security-Policy
- Content-Security-Policy-Report-Only
- Returns:
the HeadersConfigurer.ContentSecurityPolicyConfig for additional configuration
- Throws:
java.lang.IllegalArgumentException - if policyDirectives is null or empty
- Since:
- 4.1
- See Also:
ContentSecurityPolicyHeaderWriter
-
contentSecurityPolicy
public HeadersConfigurer<H> contentSecurityPolicy(Customizer<HeadersConfigurer.ContentSecurityPolicyConfig> contentSecurityCustomizer)
Allows configuration for Content Security Policy (CSP) Level 2.
Calling this method automatically enables (includes) the Content-Security-Policy header in the response using the supplied security policy directive(s).
Configuration is provided to the ContentSecurityPolicyHeaderWriter which supports the writing of the two headers as detailed in the W3C Candidate Recommendation:
- Content-Security-Policy
- Content-Security-Policy-Report-Only
- Parameters:
contentSecurityCustomizer - the Customizer to provide more options for the HeadersConfigurer.ContentSecurityPolicyConfig
- Returns:
the HeadersConfigurer for additional customizations
- See Also:
ContentSecurityPolicyHeaderWriter
-
defaultsDisabled
public HeadersConfigurer<H> defaultsDisabled()
Clears all of the default headers from the response. After doing so, one can add headers back. For example, if you only want to use Spring Security's cache control you can use the following:
http.headers().defaultsDisabled().cacheControl();
- Returns:
the HeadersConfigurer for additional customization
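An added example (not code from the Spring Security project) that combines defaultsDisabled() with addHeaderWriter(): every default header is cleared, only cache control and X-Content-Type-Options are restored, and two HeaderWriter instances are registered directly, one unconditional StaticHeadersWriter and one DelegatingRequestMatcherHeaderWriter that emits a report-only CSP on a single path prefix. The class name SelectiveHeadersConfig, the bean method name, the header name X-Example-Header, the path /reports/** and the report-uri /csp-report are all constructed for illustration; StaticHeadersWriter, DelegatingRequestMatcherHeaderWriter, AntPathRequestMatcher and Customizer.withDefaults() are existing Spring Security types.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Added example (not part of Spring Security): class, bean and header names are assumptions.
@Configuration
@EnableWebSecurity
public class SelectiveHeadersConfig {

    @Bean
    SecurityFilterChain selectiveHeadersFilterChain(HttpSecurity http) throws Exception {
        http.headers(headers -> headers
            // Start from an empty header set instead of the seven defaults.
            .defaultsDisabled()
            // Re-enable only the writers this application wants, with their defaults.
            .cacheControl(Customizer.withDefaults())
            .contentTypeOptions(Customizer.withDefaults())
            // A fixed header on every response (hypothetical header name).
            .addHeaderWriter(new StaticHeadersWriter("X-Example-Header", "example"))
            // A report-only CSP limited to /reports/** (assumed path), so the
            // policy can be observed via the constructed report-uri endpoint
            // before it is enforced elsewhere.
            .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
                new AntPathRequestMatcher("/reports/**"),
                new StaticHeadersWriter("Content-Security-Policy-Report-Only",
                    "default-src 'self'; report-uri /csp-report")))
        );
        return http.build();
    }
}
```

The order matters for the reader: defaultsDisabled() must come first, because it removes every writer registered so far, including any added earlier in the same chain. Once the defaults are gone, responses outside /reports/** carry only Cache-Control, Pragma, Expires, X-Content-Type-Options and the static header, which is easy to confirm by comparing response headers on two paths.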
-
configure
public void configure(H http)
Description copied from interface: SecurityConfigurer
Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
- Specified by:
configure in interface SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
- Overrides:
configure in class SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
-
referrerPolicy
public HeadersConfigurer.ReferrerPolicyConfig referrerPolicy()
Allows configuration for Referrer Policy.
Configuration is provided to the ReferrerPolicyHeaderWriter which supports the writing of the header as detailed in the W3C Technical Report:
- Referrer-Policy
Default value is:
Referrer-Policy: no-referrer
- Returns:
the HeadersConfigurer.ReferrerPolicyConfig for additional configuration
- Since:
- 4.2
- See Also:
ReferrerPolicyHeaderWriter
-
referrerPolicy
public HeadersConfigurer.ReferrerPolicyConfig referrerPolicy(org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy policy)
Allows configuration for Referrer Policy.
Configuration is provided to the ReferrerPolicyHeaderWriter which supports the writing of the header as detailed in the W3C Technical Report:
- Referrer-Policy
- Returns:
the HeadersConfigurer.ReferrerPolicyConfig for additional configuration
- Throws:
java.lang.IllegalArgumentException - if policy is null or empty
- Since:
- 4.2
- See Also:
ReferrerPolicyHeaderWriter
-
referrerPolicy
public HeadersConfigurer<H> referrerPolicy(Customizer<HeadersConfigurer.ReferrerPolicyConfig> referrerPolicyCustomizer)
Allows configuration for Referrer Policy.
Configuration is provided to the ReferrerPolicyHeaderWriter which supports the writing of the header as detailed in the W3C Technical Report:
- Referrer-Policy
- Parameters:
referrerPolicyCustomizer - the Customizer to provide more options for the HeadersConfigurer.ReferrerPolicyConfig
- Returns:
the HeadersConfigurer for additional customizations
- See Also:
ReferrerPolicyHeaderWriter
-
featurePolicy
@Deprecated public HeadersConfigurer.FeaturePolicyConfig featurePolicy(java.lang.String policyDirectives)
Deprecated. Use permissionsPolicy(Customizer) instead.
Allows configuration for Feature Policy. Calling this method automatically enables (includes) the Feature-Policy header in the response using the supplied policy directive(s). Configuration is provided to the FeaturePolicyHeaderWriter which is responsible for writing the header.
- Returns:
the HeadersConfigurer.FeaturePolicyConfig for additional configuration
- Throws:
java.lang.IllegalArgumentException - if policyDirectives is null or empty
- Since:
- 5.1
-
permissionsPolicy
public HeadersConfigurer.PermissionsPolicyConfig permissionsPolicy()
Allows configuration for Permissions Policy.
Configuration is provided to the PermissionsPolicyHeaderWriter which supports the writing of the header as detailed in the W3C Technical Report:
- Permissions-Policy
- Returns:
the HeadersConfigurer.PermissionsPolicyConfig for additional configuration
- Since:
- 5.5
- See Also:
PermissionsPolicyHeaderWriter
-
permissionsPolicy
public HeadersConfigurer.PermissionsPolicyConfig permissionsPolicy(Customizer<HeadersConfigurer.PermissionsPolicyConfig> permissionsPolicyCustomizer)
Allows configuration for Permissions Policy. Calling this method automatically enables (includes) the Permissions-Policy header in the response using the supplied policy directive(s). Configuration is provided to the PermissionsPolicyHeaderWriter which is responsible for writing the header.
- Returns:
the HeadersConfigurer.PermissionsPolicyConfig for additional configuration
- Throws:
java.lang.IllegalArgumentException - if policyDirectives is null or empty
- Since:
- 5.5
- See Also:
PermissionsPolicyHeaderWriter
-
crossOriginOpenerPolicy
public HeadersConfigurer.CrossOriginOpenerPolicyConfig crossOriginOpenerPolicy()
Allows configuration for the Cross-Origin-Opener-Policy header. Configuration is provided to the CrossOriginOpenerPolicyHeaderWriter which is responsible for writing the header.
- Returns:
the HeadersConfigurer.CrossOriginOpenerPolicyConfig for additional configuration
- Since:
- 5.7
- See Also:
CrossOriginOpenerPolicyHeaderWriter
-
crossOriginOpenerPolicy
public HeadersConfigurer<H> crossOriginOpenerPolicy(Customizer<HeadersConfigurer.CrossOriginOpenerPolicyConfig> crossOriginOpenerPolicyCustomizer)
Allows configuration for the Cross-Origin-Opener-Policy header. Calling this method automatically enables (includes) the Cross-Origin-Opener-Policy header in the response using the supplied policy. Configuration is provided to the CrossOriginOpenerPolicyHeaderWriter which is responsible for writing the header.
- Returns:
the HeadersConfigurer for additional customizations
- Since:
- 5.7
- See Also:
CrossOriginOpenerPolicyHeaderWriter
-
crossOriginEmbedderPolicy
public HeadersConfigurer.CrossOriginEmbedderPolicyConfig crossOriginEmbedderPolicy()
Allows configuration for the Cross-Origin-Embedder-Policy header. Configuration is provided to the CrossOriginEmbedderPolicyHeaderWriter which is responsible for writing the header.
- Returns:
the HeadersConfigurer.CrossOriginEmbedderPolicyConfig for additional customizations
- Since:
- 5.7
- See Also:
CrossOriginEmbedderPolicyHeaderWriter
-
crossOriginEmbedderPolicy
public HeadersConfigurer<H> crossOriginEmbedderPolicy(Customizer<HeadersConfigurer.CrossOriginEmbedderPolicyConfig> crossOriginEmbedderPolicyCustomizer)
Allows configuration for the Cross-Origin-Embedder-Policy header. Calling this method automatically enables (includes) the Cross-Origin-Embedder-Policy header in the response using the supplied policy. Configuration is provided to the CrossOriginEmbedderPolicyHeaderWriter which is responsible for writing the header.
- Returns:
the HeadersConfigurer for additional customizations
- Since:
- 5.7
- See Also:
CrossOriginEmbedderPolicyHeaderWriter
-
crossOriginResourcePolicy
public HeadersConfigurer.CrossOriginResourcePolicyConfig crossOriginResourcePolicy()
Allows configuration for the Cross-Origin-Resource-Policy header. Configuration is provided to the CrossOriginResourcePolicyHeaderWriter which is responsible for writing the header.
- Returns:
the HeadersConfigurer for additional customizations
- Since:
- 5.7
- See Also:
CrossOriginResourcePolicyHeaderWriter
-
crossOriginResourcePolicy
public HeadersConfigurer<H> crossOriginResourcePolicy(Customizer<HeadersConfigurer.CrossOriginResourcePolicyConfig> crossOriginResourcePolicyCustomizer)
Allows configuration for the Cross-Origin-Resource-Policy header. Calling this method automatically enables (includes) the Cross-Origin-Resource-Policy header in the response using the supplied policy. Configuration is provided to the CrossOriginResourcePolicyHeaderWriter which is responsible for writing the header.
- Returns:
the HeadersConfigurer for additional customizations
- Since:
- 5.7
- See Also:
CrossOriginResourcePolicyHeaderWriter