Class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
- All Implemented Interfaces:
  - SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,H>
Adds the Security HTTP headers to the response. Security HTTP headers are activated by default when using EnableWebSecurity's default constructor.
The default headers included are:
- Cache-Control: no-cache, no-store, max-age=0, must-revalidate
- Pragma: no-cache
- Expires: 0
- X-Content-Type-Options: nosniff
- Strict-Transport-Security: max-age=31536000 ; includeSubDomains
- X-Frame-Options: DENY
- X-XSS-Protection: 0
- Since:
  - 3.2
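The following is an added example, not part of the Spring Security Javadoc and not code from the project, showing how a Spring Security 6 `SecurityFilterChain` bean exercises most of the methods on this page through the `Customizer`-based (lambda) overloads. The class name `HeadersSecurityConfig`, the bean method name, the `permitAll()` authorization rule and the concrete policy values are assumptions chosen for illustration; the default headers listed above are still written unless a call below replaces or disables them.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.CrossOriginEmbedderPolicyHeaderWriter.CrossOriginEmbedderPolicy;
import org.springframework.security.web.header.writers.CrossOriginOpenerPolicyHeaderWriter.CrossOriginOpenerPolicy;
import org.springframework.security.web.header.writers.CrossOriginResourcePolicyHeaderWriter.CrossOriginResourcePolicy;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

// Example configuration (assumed names); it is not shipped with Spring Security.
@Configuration
@EnableWebSecurity
public class HeadersSecurityConfig {

    @Bean
    SecurityFilterChain headersFilterChain(HttpSecurity http) throws Exception {
        http
            // Example-only authorization rule so the chain builds; a real
            // application puts its own access rules here.
            .authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
            .headers(headers -> headers
                // Cache-Control/Pragma/Expires, X-Content-Type-Options, HSTS,
                // X-Frame-Options: DENY and X-XSS-Protection: 0 are written by
                // default; the calls below tighten or extend that baseline.

                // Content-Security-Policy is NOT on by default; calling
                // contentSecurityPolicy(...) enables it with these directives.
                // Use csp.reportOnly() on the same config to emit
                // Content-Security-Policy-Report-Only while rolling a policy out.
                .contentSecurityPolicy(csp -> csp
                    .policyDirectives("default-src 'self'; object-src 'none'; frame-ancestors 'none'"))

                // Keep the DENY default explicit (sameOrigin() is the usual relaxation).
                .frameOptions(frame -> frame.deny())

                // HSTS: HstsHeaderWriter only writes the header on secure (HTTPS) requests.
                .httpStrictTransportSecurity(hsts -> hsts
                    .includeSubDomains(true)
                    .preload(true)
                    .maxAgeInSeconds(31536000))

                // Default is no-referrer; this is a common, slightly more permissive choice.
                .referrerPolicy(referrer -> referrer
                    .policy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN))

                // Permissions-Policy replaces the deprecated featurePolicy(...).
                .permissionsPolicy(permissions -> permissions
                    .policy("geolocation=(), camera=(), microphone=()"))

                // Cross-origin isolation headers (COOP / COEP / CORP).
                .crossOriginOpenerPolicy(coop -> coop.policy(CrossOriginOpenerPolicy.SAME_ORIGIN))
                .crossOriginEmbedderPolicy(coep -> coep.policy(CrossOriginEmbedderPolicy.REQUIRE_CORP))
                .crossOriginResourcePolicy(corp -> corp.policy(CrossOriginResourcePolicy.SAME_ORIGIN))

                // addHeaderWriter(...) covers any header without a dedicated method;
                // StaticHeadersWriter writes a fixed name/value pair on every response.
                .addHeaderWriter(new StaticHeadersWriter("X-Permitted-Cross-Domain-Policies", "none"))
            );
        return http.build();
    }
}
```

Each `Customizer` overload returns the `HeadersConfigurer` itself, which is why the calls chain inside the single `headers(...)` lambda; the no-argument overloads documented below instead return the nested `*Config` object and are the older, pre-lambda style of the same API.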
Nested Class Summary
Nested Classes (Modifier and Type, Class, Description):
- final class HeadersConfigurer.CacheControlConfig
- final class HeadersConfigurer.ContentSecurityPolicyConfig
- final class HeadersConfigurer.ContentTypeOptionsConfig
- final class HeadersConfigurer.CrossOriginEmbedderPolicyConfig
- final class HeadersConfigurer.CrossOriginOpenerPolicyConfig
- final class HeadersConfigurer.CrossOriginResourcePolicyConfig
- final class HeadersConfigurer.FeaturePolicyConfig
- final class HeadersConfigurer.FrameOptionsConfig
- final class HeadersConfigurer.HpkpConfig - Deprecated. See Certificate and Public Key Pinning for more context.
- final class HeadersConfigurer.HstsConfig
- final class HeadersConfigurer.PermissionsPolicyConfig
- final class HeadersConfigurer.ReferrerPolicyConfig
- final class HeadersConfigurer.XXssConfig
Constructor Summary
Constructors:
- HeadersConfigurer() - Creates a new instance.
Method Summary
Methods (Method, Description):
- addHeaderWriter(org.springframework.security.web.header.HeaderWriter headerWriter) - Adds a HeaderWriter instance.
- cacheControl() - Allows customizing the CacheControlHeadersWriter.
- cacheControl(Customizer<HeadersConfigurer<H>.CacheControlConfig> cacheControlCustomizer) - Allows customizing the CacheControlHeadersWriter.
- configure(H http) - Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder. (returns void)
- contentSecurityPolicy(String policyDirectives) - Allows configuration for Content Security Policy (CSP) Level 2.
- contentSecurityPolicy(Customizer<HeadersConfigurer<H>.ContentSecurityPolicyConfig> contentSecurityCustomizer) - Allows configuration for Content Security Policy (CSP) Level 2.
- contentTypeOptions() - Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options: nosniff header.
- contentTypeOptions(Customizer<HeadersConfigurer<H>.ContentTypeOptionsConfig> contentTypeOptionsCustomizer) - Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options: nosniff header.
- crossOriginEmbedderPolicy() - Allows configuration for the Cross-Origin-Embedder-Policy header.
- crossOriginEmbedderPolicy(Customizer<HeadersConfigurer<H>.CrossOriginEmbedderPolicyConfig> crossOriginEmbedderPolicyCustomizer) - Allows configuration for the Cross-Origin-Embedder-Policy header.
- crossOriginOpenerPolicy() - Allows configuration for the Cross-Origin-Opener-Policy header.
- crossOriginOpenerPolicy(Customizer<HeadersConfigurer<H>.CrossOriginOpenerPolicyConfig> crossOriginOpenerPolicyCustomizer) - Allows configuration for the Cross-Origin-Opener-Policy header.
- crossOriginResourcePolicy() - Allows configuration for the Cross-Origin-Resource-Policy header.
- crossOriginResourcePolicy(Customizer<HeadersConfigurer<H>.CrossOriginResourcePolicyConfig> crossOriginResourcePolicyCustomizer) - Allows configuration for the Cross-Origin-Resource-Policy header.
- defaultsDisabled() - Clears all of the default headers from the response.
- featurePolicy(String policyDirectives) - Deprecated. Use permissionsPolicy(Customizer) instead.
- frameOptions() - Allows customizing the XFrameOptionsHeaderWriter.
- frameOptions(Customizer<HeadersConfigurer<H>.FrameOptionsConfig> frameOptionsCustomizer) - Allows customizing the XFrameOptionsHeaderWriter.
- httpPublicKeyPinning() - Deprecated. See Certificate and Public Key Pinning for more context.
- httpPublicKeyPinning(Customizer<HeadersConfigurer<H>.HpkpConfig> hpkpCustomizer) - Deprecated. See Certificate and Public Key Pinning for more context.
- httpStrictTransportSecurity() - Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).
- httpStrictTransportSecurity(Customizer<HeadersConfigurer<H>.HstsConfig> hstsCustomizer) - Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).
- permissionsPolicy() - Allows configuration for Permissions Policy.
- permissionsPolicy(Customizer<HeadersConfigurer<H>.PermissionsPolicyConfig> permissionsPolicyCustomizer) - Allows configuration for Permissions Policy.
- referrerPolicy() - Allows configuration for Referrer Policy.
- referrerPolicy(Customizer<HeadersConfigurer<H>.ReferrerPolicyConfig> referrerPolicyCustomizer) - Allows configuration for Referrer Policy.
- referrerPolicy(org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy policy) - Allows configuration for Referrer Policy.
- xssProtection() - Note this is not comprehensive XSS protection!
- xssProtection(Customizer<HeadersConfigurer<H>.XXssConfig> xssCustomizer) - Note this is not comprehensive XSS protection!
Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer:
- disable, getSecurityContextHolderStrategy, withObjectPostProcessor
Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter:
- addObjectPostProcessor, and, getBuilder, init, postProcess, setBuilder
Constructor Details
HeadersConfigurer
public HeadersConfigurer()
Creates a new instance.
- See Also:
Method Details
addHeaderWriter
public HeadersConfigurer<H> addHeaderWriter(org.springframework.security.web.header.HeaderWriter headerWriter)
Adds a HeaderWriter instance.
- Parameters:
  - headerWriter - the HeaderWriter instance to add
- Returns:
  - the HeadersConfigurer for additional customizations
contentTypeOptions
public HeadersConfigurer<H>.ContentTypeOptionsConfig contentTypeOptions()
Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options header:
- X-Content-Type-Options: nosniff
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ContentTypeOptionsConfig for additional customizations

contentTypeOptions
public HeadersConfigurer<H> contentTypeOptions(Customizer<HeadersConfigurer<H>.ContentTypeOptionsConfig> contentTypeOptionsCustomizer)
Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options header:
- X-Content-Type-Options: nosniff
- Parameters:
  - contentTypeOptionsCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ContentTypeOptionsConfig
- Returns:
  - the HeadersConfigurer for additional customizations
xssProtection
public HeadersConfigurer<H>.XXssConfig xssProtection()
Note this is not comprehensive XSS protection! Allows customizing the XXssProtectionHeaderWriter which adds the X-XSS-Protection header.
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.XXssConfig for additional customizations

xssProtection
public HeadersConfigurer<H> xssProtection(Customizer<HeadersConfigurer<H>.XXssConfig> xssCustomizer)
Note this is not comprehensive XSS protection! Allows customizing the XXssProtectionHeaderWriter which adds the X-XSS-Protection header.
- Parameters:
  - xssCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.XXssConfig
- Returns:
  - the HeadersConfigurer for additional customizations
cacheControl
public HeadersConfigurer<H>.CacheControlConfig cacheControl()
Allows customizing the CacheControlHeadersWriter. Specifically it adds the following headers:
- Cache-Control: no-cache, no-store, max-age=0, must-revalidate
- Pragma: no-cache
- Expires: 0
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.CacheControlConfig for additional customizations

cacheControl
public HeadersConfigurer<H> cacheControl(Customizer<HeadersConfigurer<H>.CacheControlConfig> cacheControlCustomizer)
Allows customizing the CacheControlHeadersWriter. Specifically it adds the following headers:
- Cache-Control: no-cache, no-store, max-age=0, must-revalidate
- Pragma: no-cache
- Expires: 0
- Parameters:
  - cacheControlCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.CacheControlConfig
- Returns:
  - the HeadersConfigurer for additional customizations
httpStrictTransportSecurity
public HeadersConfigurer<H>.HstsConfig httpStrictTransportSecurity()
Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.HstsConfig for additional customizations

httpStrictTransportSecurity
public HeadersConfigurer<H> httpStrictTransportSecurity(Customizer<HeadersConfigurer<H>.HstsConfig> hstsCustomizer)
Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).
- Parameters:
  - hstsCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.HstsConfig
- Returns:
  - the HeadersConfigurer for additional customizations
frameOptions
public HeadersConfigurer<H>.FrameOptionsConfig frameOptions()
Allows customizing the XFrameOptionsHeaderWriter.
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.FrameOptionsConfig for additional customizations

frameOptions
public HeadersConfigurer<H> frameOptions(Customizer<HeadersConfigurer<H>.FrameOptionsConfig> frameOptionsCustomizer)
Allows customizing the XFrameOptionsHeaderWriter.
- Parameters:
  - frameOptionsCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.FrameOptionsConfig
- Returns:
  - the HeadersConfigurer for additional customizations
httpPublicKeyPinning
@Deprecated public HeadersConfigurer<H>.HpkpConfig httpPublicKeyPinning()
Deprecated. See Certificate and Public Key Pinning for more context.
Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP).
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.HpkpConfig for additional customizations
- Since:
  - 4.1

httpPublicKeyPinning
@Deprecated public HeadersConfigurer<H> httpPublicKeyPinning(Customizer<HeadersConfigurer<H>.HpkpConfig> hpkpCustomizer)
Deprecated. See Certificate and Public Key Pinning for more context.
Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP).
- Parameters:
  - hpkpCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.HpkpConfig
- Returns:
  - the HeadersConfigurer for additional customizations
contentSecurityPolicy
public HeadersConfigurer<H>.ContentSecurityPolicyConfig contentSecurityPolicy(String policyDirectives)
Allows configuration for Content Security Policy (CSP) Level 2.
Calling this method automatically enables (includes) the Content-Security-Policy header in the response using the supplied security policy directive(s).
Configuration is provided to the ContentSecurityPolicyHeaderWriter which supports the writing of the two headers as detailed in the W3C Candidate Recommendation:
- Content-Security-Policy
- Content-Security-Policy-Report-Only
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ContentSecurityPolicyConfig for additional configuration
- Throws:
  - IllegalArgumentException - if policyDirectives is null or empty
- Since:
  - 4.1
- See Also:
  - ContentSecurityPolicyHeaderWriter

contentSecurityPolicy
public HeadersConfigurer<H> contentSecurityPolicy(Customizer<HeadersConfigurer<H>.ContentSecurityPolicyConfig> contentSecurityCustomizer)
Allows configuration for Content Security Policy (CSP) Level 2.
Calling this method automatically enables (includes) the Content-Security-Policy header in the response using the supplied security policy directive(s).
Configuration is provided to the ContentSecurityPolicyHeaderWriter which supports the writing of the two headers as detailed in the W3C Candidate Recommendation:
- Content-Security-Policy
- Content-Security-Policy-Report-Only
- Parameters:
  - contentSecurityCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ContentSecurityPolicyConfig
- Returns:
  - the HeadersConfigurer for additional customizations
- See Also:
  - ContentSecurityPolicyHeaderWriter
defaultsDisabled
public HeadersConfigurer<H> defaultsDisabled()
Clears all of the default headers from the response. After doing so, one can add headers back. For example, if you only want to use Spring Security's cache control you can use the following:
http.headers().defaultsDisabled().cacheControl();
- Returns:
  - the HeadersConfigurer for additional customization
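The snippet above uses the older chained style. As an added example, not taken from the page or from the Spring Security project, here is the same `defaultsDisabled()` pattern written with the `Customizer` overload, followed by a MockMvc test that checks the resulting response: only the three cache-control headers are present and the other defaults (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection) are gone. The two classes belong in separate source files; the class names, the file paths in the comments, the `/` request path and the use of Spring Boot's `@SpringBootTest`/`@AutoConfigureMockMvc` are assumptions.

```java
// --- src/main/java/example/CacheControlOnlyConfig.java (assumed path) ---
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Example configuration (assumed name); not shipped with Spring Security.
@Configuration
@EnableWebSecurity
public class CacheControlOnlyConfig {

    @Bean
    SecurityFilterChain cacheControlOnlyChain(HttpSecurity http) throws Exception {
        http
            // Example-only authorization rule so the chain builds.
            .authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
            .headers(headers -> headers
                .defaultsDisabled()                        // drop the entire default header set
                .cacheControl(Customizer.withDefaults())   // then add back cache control only
            );
        return http.build();
    }
}

// --- src/test/java/example/CacheControlOnlyConfigTests.java (assumed path) ---
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class CacheControlOnlyConfigTests {

    @Autowired
    MockMvc mockMvc;

    @Test
    void onlyCacheControlHeadersAreWritten() throws Exception {
        // HeaderWriterFilter runs regardless of whether "/" maps to a handler,
        // so the header assertions hold even if the response status is 404.
        mockMvc.perform(get("/"))
            .andExpect(header().string("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate"))
            .andExpect(header().string("Pragma", "no-cache"))
            .andExpect(header().string("Expires", "0"))
            .andExpect(header().doesNotExist("X-Content-Type-Options"))
            .andExpect(header().doesNotExist("X-Frame-Options"))
            .andExpect(header().doesNotExist("X-XSS-Protection"));
    }
}
```

A test like this is the practical check for `defaultsDisabled()`: because it clears every default, a later refactor that forgets to add a header back changes the response silently, and an assertion on the actual response headers catches that where reading the configuration alone does not.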
configure
public void configure(H http)
Description copied from interface: SecurityConfigurer
Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
- Specified by:
  - configure in interface SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
- Overrides:
  - configure in class SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>
referrerPolicy
public HeadersConfigurer<H>.ReferrerPolicyConfig referrerPolicy()
Allows configuration for Referrer Policy.
Configuration is provided to the ReferrerPolicyHeaderWriter which supports the writing of the header as detailed in the W3C Technical Report:
- Referrer-Policy
Default value is:
- Referrer-Policy: no-referrer
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ReferrerPolicyConfig for additional configuration
- Since:
  - 4.2
- See Also:
  - ReferrerPolicyHeaderWriter

referrerPolicy
public HeadersConfigurer<H>.ReferrerPolicyConfig referrerPolicy(org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy policy)
Allows configuration for Referrer Policy.
Configuration is provided to the ReferrerPolicyHeaderWriter which supports the writing of the header as detailed in the W3C Technical Report:
- Referrer-Policy
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ReferrerPolicyConfig for additional configuration
- Throws:
  - IllegalArgumentException - if policy is null or empty
- Since:
  - 4.2
- See Also:
  - ReferrerPolicyHeaderWriter

referrerPolicy
public HeadersConfigurer<H> referrerPolicy(Customizer<HeadersConfigurer<H>.ReferrerPolicyConfig> referrerPolicyCustomizer)
Allows configuration for Referrer Policy.
Configuration is provided to the ReferrerPolicyHeaderWriter which supports the writing of the header as detailed in the W3C Technical Report:
- Referrer-Policy
- Parameters:
  - referrerPolicyCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ReferrerPolicyConfig
- Returns:
  - the HeadersConfigurer for additional customizations
- See Also:
  - ReferrerPolicyHeaderWriter
featurePolicy
@Deprecated public HeadersConfigurer<H>.FeaturePolicyConfig featurePolicy(String policyDirectives)
Deprecated. Use permissionsPolicy(Customizer) instead.
Allows configuration for Feature Policy. Calling this method automatically enables (includes) the Feature-Policy header in the response using the supplied policy directive(s).
Configuration is provided to the FeaturePolicyHeaderWriter which is responsible for writing the header.
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.FeaturePolicyConfig for additional configuration
- Throws:
  - IllegalArgumentException - if policyDirectives is null or empty
- Since:
  - 5.1
permissionsPolicy
public HeadersConfigurer<H>.PermissionsPolicyConfig permissionsPolicy()
Allows configuration for Permissions Policy.
Configuration is provided to the PermissionsPolicyHeaderWriter which supports the writing of the header as detailed in the W3C Technical Report:
- Permissions-Policy
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.PermissionsPolicyConfig for additional configuration
- Since:
  - 5.5
- See Also:
  - PermissionsPolicyHeaderWriter

permissionsPolicy
public HeadersConfigurer<H>.PermissionsPolicyConfig permissionsPolicy(Customizer<HeadersConfigurer<H>.PermissionsPolicyConfig> permissionsPolicyCustomizer)
Allows configuration for Permissions Policy. Calling this method automatically enables (includes) the Permissions-Policy header in the response using the supplied policy directive(s).
Configuration is provided to the PermissionsPolicyHeaderWriter which is responsible for writing the header.
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.PermissionsPolicyConfig for additional configuration
- Throws:
  - IllegalArgumentException - if policyDirectives is null or empty
- Since:
  - 5.5
- See Also:
  - PermissionsPolicyHeaderWriter
crossOriginOpenerPolicy
public HeadersConfigurer<H>.CrossOriginOpenerPolicyConfig crossOriginOpenerPolicy()
Allows configuration for the Cross-Origin-Opener-Policy header.
Configuration is provided to the CrossOriginOpenerPolicyHeaderWriter which is responsible for writing the header.
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.CrossOriginOpenerPolicyConfig for additional configuration
- Since:
  - 5.7
- See Also:
  - CrossOriginOpenerPolicyHeaderWriter

crossOriginOpenerPolicy
public HeadersConfigurer<H> crossOriginOpenerPolicy(Customizer<HeadersConfigurer<H>.CrossOriginOpenerPolicyConfig> crossOriginOpenerPolicyCustomizer)
Allows configuration for the Cross-Origin-Opener-Policy header. Calling this method automatically enables (includes) the Cross-Origin-Opener-Policy header in the response using the supplied policy.
Configuration is provided to the CrossOriginOpenerPolicyHeaderWriter which is responsible for writing the header.
- Returns:
  - the HeadersConfigurer for additional customizations
- Since:
  - 5.7
- See Also:
  - CrossOriginOpenerPolicyHeaderWriter
crossOriginEmbedderPolicy
public HeadersConfigurer<H>.CrossOriginEmbedderPolicyConfig crossOriginEmbedderPolicy()
Allows configuration for the Cross-Origin-Embedder-Policy header.
Configuration is provided to the CrossOriginEmbedderPolicyHeaderWriter which is responsible for writing the header.
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.CrossOriginEmbedderPolicyConfig for additional customizations
- Since:
  - 5.7
- See Also:
  - CrossOriginEmbedderPolicyHeaderWriter

crossOriginEmbedderPolicy
public HeadersConfigurer<H> crossOriginEmbedderPolicy(Customizer<HeadersConfigurer<H>.CrossOriginEmbedderPolicyConfig> crossOriginEmbedderPolicyCustomizer)
Allows configuration for the Cross-Origin-Embedder-Policy header. Calling this method automatically enables (includes) the Cross-Origin-Embedder-Policy header in the response using the supplied policy.
Configuration is provided to the CrossOriginEmbedderPolicyHeaderWriter which is responsible for writing the header.
- Returns:
  - the HeadersConfigurer for additional customizations
- Since:
  - 5.7
- See Also:
  - CrossOriginEmbedderPolicyHeaderWriter
crossOriginResourcePolicy
Allows configuration for the Cross-Origin-Resource-Policy header.
Configuration is provided to the CrossOriginResourcePolicyHeaderWriter which is responsible for writing the header.
- Returns:
  - the HeadersConfigurer for additional customizations
- Since:
  - 5.7
- See Also:
  - CrossOriginResourcePolicyHeaderWriter

crossOriginResourcePolicy
public HeadersConfigurer<H> crossOriginResourcePolicy(Customizer<HeadersConfigurer<H>.CrossOriginResourcePolicyConfig> crossOriginResourcePolicyCustomizer)
Allows configuration for the Cross-Origin-Resource-Policy header. Calling this method automatically enables (includes) the Cross-Origin-Resource-Policy header in the response using the supplied policy.
Configuration is provided to the CrossOriginResourcePolicyHeaderWriter which is responsible for writing the header.
- Returns:
  - the HeadersConfigurer for additional customizations
- Since:
  - 5.7
- See Also:
  - CrossOriginResourcePolicyHeaderWriter