Package org.springframework.security.config.annotation.web.configurers

Class HeadersConfigurer.XXssConfig

java.lang.Object

org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.XXssConfig

Enclosing class:

HeadersConfigurer<H extends HttpSecurityBuilder<H>>

public final class HeadersConfigurer.XXssConfig
extends Object

Method Summary

Modifier and Type	Method	Description
HeadersConfigurer<H>	and()	Allows completing configuration of X-XSS-Protection and continuing configuration of headers.
HeadersConfigurer<H>.XXssConfig	block(boolean enabled)	Deprecated. use headerValue(XXssProtectionHeaderWriter.HeaderValue) instead
HeadersConfigurer<H>	disable()	Disables X-XSS-Protection header (does not include it)
HeadersConfigurer<H>.XXssConfig	headerValue(XXssProtectionHeaderWriter.HeaderValue headerValue)	Sets the value of the X-XSS-PROTECTION header.
HeadersConfigurer<H>.XXssConfig	xssProtectionEnabled(boolean enabled)	Deprecated. use headerValue(XXssProtectionHeaderWriter.HeaderValue) instead

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Details

block

@Deprecated
public HeadersConfigurer<H>.XXssConfig block(boolean enabled)

Deprecated.

use headerValue(XXssProtectionHeaderWriter.HeaderValue) instead

If false, will not specify the mode as blocked. In this instance, any content will be attempted to be fixed. If true, the content will be replaced with "#".

Parameters:

enabled - the new value

xssProtectionEnabled

@Deprecated
public HeadersConfigurer<H>.XXssConfig xssProtectionEnabled(boolean enabled)

Deprecated.

use headerValue(XXssProtectionHeaderWriter.HeaderValue) instead

If true, the header value will contain a value of 1. For example:

 X-XSS-Protection: 1
 

or if XXssProtectionHeaderWriter.setBlock(boolean) of the given XXssProtectionHeaderWriter is true

 X-XSS-Protection: 1; mode=block
 

If false, will explicitly disable specify that X-XSS-Protection is disabled. For example:

 X-XSS-Protection: 0
 

Parameters:

enabled - the new value

headerValue

public HeadersConfigurer<H>.XXssConfig headerValue(XXssProtectionHeaderWriter.HeaderValue headerValue)

Sets the value of the X-XSS-PROTECTION header. OWASP recommends using XXssProtectionHeaderWriter.HeaderValue.DISABLED. If XXssProtectionHeaderWriter.HeaderValue.DISABLED, will specify that X-XSS-Protection is disabled. For example:

 X-XSS-Protection: 0
 

If XXssProtectionHeaderWriter.HeaderValue.ENABLED, will contain a value of 1, but will not specify the mode as blocked. In this instance, any content will be attempted to be fixed. For example:

 X-XSS-Protection: 1
 

If XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK, will contain a value of 1 and will specify mode as blocked. The content will be replaced with "#". For example:

 X-XSS-Protection: 1; mode=block
 

Parameters:

headerValue - the new header value

Since:

5.8

disable

public HeadersConfigurer<H> disable()

Disables X-XSS-Protection header (does not include it)

Returns:

the HeadersConfigurer for additional configuration

and

public HeadersConfigurer<H> and()

Allows completing configuration of X-XSS-Protection and continuing configuration of headers.

Returns:

the HeadersConfigurer for additional configuration