Package org.springframework.security.config.annotation.web.configurers

Class HeadersConfigurer<H extends HttpSecurityBuilder<H>>

java.lang.Object

org.springframework.security.config.annotation.SecurityConfigurerAdapter<DefaultSecurityFilterChain,B>

org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<HeadersConfigurer<H>,H>

org.springframework.security.config.annotation.web.configurers.HeadersConfigurer<H>

All Implemented Interfaces:

SecurityConfigurer<DefaultSecurityFilterChain,H>

public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
extends AbstractHttpConfigurer<HeadersConfigurer<H>,H>

Adds the Security HTTP headers to the response. Security HTTP headers is activated by default when using EnableWebSecurity's default constructor.

The default headers include are:

 Cache-Control: no-cache, no-store, max-age=0, must-revalidate
 Pragma: no-cache
 Expires: 0
 X-Content-Type-Options: nosniff
 Strict-Transport-Security: max-age=31536000 ; includeSubDomains
 X-Frame-Options: DENY
 X-XSS-Protection: 0
 

Since:

3.2

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
final class	HeadersConfigurer.CacheControlConfig
final class	HeadersConfigurer.ContentSecurityPolicyConfig
final class	HeadersConfigurer.ContentTypeOptionsConfig
final class	HeadersConfigurer.CrossOriginEmbedderPolicyConfig
final class	HeadersConfigurer.CrossOriginOpenerPolicyConfig
final class	HeadersConfigurer.CrossOriginResourcePolicyConfig
final class	HeadersConfigurer.FeaturePolicyConfig
final class	HeadersConfigurer.FrameOptionsConfig
final class	HeadersConfigurer.HpkpConfig	Deprecated. see Certificate and Public Key Pinning for more context
final class	HeadersConfigurer.HstsConfig
final class	HeadersConfigurer.PermissionsPolicyConfig
final class	HeadersConfigurer.ReferrerPolicyConfig
final class	HeadersConfigurer.XXssConfig

Constructor Summary

Constructors

Constructor	Description
HeadersConfigurer()	Creates a new instance

Method Summary

Modifier and Type	Method	Description
HeadersConfigurer<H>	addHeaderWriter(HeaderWriter headerWriter)	Adds a HeaderWriter instance
HeadersConfigurer<H>.CacheControlConfig	cacheControl()	Allows customizing the CacheControlHeadersWriter.
HeadersConfigurer<H>	cacheControl(Customizer<HeadersConfigurer<H>.CacheControlConfig> cacheControlCustomizer)	Allows customizing the CacheControlHeadersWriter.
void	configure(H http)	Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
HeadersConfigurer<H>.ContentSecurityPolicyConfig	contentSecurityPolicy(String policyDirectives)	Allows configuration for Content Security Policy (CSP) Level 2.
HeadersConfigurer<H>	contentSecurityPolicy(Customizer<HeadersConfigurer<H>.ContentSecurityPolicyConfig> contentSecurityCustomizer)	Allows configuration for Content Security Policy (CSP) Level 2.
HeadersConfigurer<H>.ContentTypeOptionsConfig	contentTypeOptions()	Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options:
HeadersConfigurer<H>	contentTypeOptions(Customizer<HeadersConfigurer<H>.ContentTypeOptionsConfig> contentTypeOptionsCustomizer)	Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options:
HeadersConfigurer<H>.CrossOriginEmbedderPolicyConfig	crossOriginEmbedderPolicy()	Allows configuration for Cross-Origin-Embedder-Policy header.
HeadersConfigurer<H>	crossOriginEmbedderPolicy(Customizer<HeadersConfigurer<H>.CrossOriginEmbedderPolicyConfig> crossOriginEmbedderPolicyCustomizer)	Allows configuration for Cross-Origin-Embedder-Policy header.
HeadersConfigurer<H>.CrossOriginOpenerPolicyConfig	crossOriginOpenerPolicy()	Allows configuration for Cross-Origin-Opener-Policy header.
HeadersConfigurer<H>	crossOriginOpenerPolicy(Customizer<HeadersConfigurer<H>.CrossOriginOpenerPolicyConfig> crossOriginOpenerPolicyCustomizer)	Allows configuration for Cross-Origin-Opener-Policy header.
HeadersConfigurer<H>.CrossOriginResourcePolicyConfig	crossOriginResourcePolicy()	Allows configuration for Cross-Origin-Resource-Policy header.
HeadersConfigurer<H>	crossOriginResourcePolicy(Customizer<HeadersConfigurer<H>.CrossOriginResourcePolicyConfig> crossOriginResourcePolicyCustomizer)	Allows configuration for Cross-Origin-Resource-Policy header.
HeadersConfigurer<H>	defaultsDisabled()	Clears all of the default headers from the response.
HeadersConfigurer<H>.FeaturePolicyConfig	featurePolicy(String policyDirectives)	Deprecated. Use permissionsPolicy(Customizer) instead.
HeadersConfigurer<H>.FrameOptionsConfig	frameOptions()	Allows customizing the XFrameOptionsHeaderWriter.
HeadersConfigurer<H>	frameOptions(Customizer<HeadersConfigurer<H>.FrameOptionsConfig> frameOptionsCustomizer)	Allows customizing the XFrameOptionsHeaderWriter.
HeadersConfigurer<H>.HpkpConfig	httpPublicKeyPinning()	Deprecated. see Certificate and Public Key Pinning for more context
HeadersConfigurer<H>	httpPublicKeyPinning(Customizer<HeadersConfigurer<H>.HpkpConfig> hpkpCustomizer)	Deprecated. see Certificate and Public Key Pinning for more context
HeadersConfigurer<H>.HstsConfig	httpStrictTransportSecurity()	Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).
HeadersConfigurer<H>	httpStrictTransportSecurity(Customizer<HeadersConfigurer<H>.HstsConfig> hstsCustomizer)	Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).
HeadersConfigurer<H>.PermissionsPolicyConfig	permissionsPolicy()	Allows configuration for Permissions Policy.
HeadersConfigurer<H>.PermissionsPolicyConfig	permissionsPolicy(Customizer<HeadersConfigurer<H>.PermissionsPolicyConfig> permissionsPolicyCustomizer)	Allows configuration for Permissions Policy.
HeadersConfigurer<H>.ReferrerPolicyConfig	referrerPolicy()	Allows configuration for Referrer Policy.
HeadersConfigurer<H>	referrerPolicy(Customizer<HeadersConfigurer<H>.ReferrerPolicyConfig> referrerPolicyCustomizer)	Allows configuration for Referrer Policy.
HeadersConfigurer<H>.ReferrerPolicyConfig	referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy policy)	Allows configuration for Referrer Policy.
HeadersConfigurer<H>.XXssConfig	xssProtection()	Note this is not comprehensive XSS protection!
HeadersConfigurer<H>	xssProtection(Customizer<HeadersConfigurer<H>.XXssConfig> xssCustomizer)	Note this is not comprehensive XSS protection!

Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer

disable, getSecurityContextHolderStrategy, withObjectPostProcessor

Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter

addObjectPostProcessor, and, getBuilder, init, postProcess, setBuilder

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

HeadersConfigurer

public HeadersConfigurer()

Creates a new instance

See Also:

• HttpSecurity.headers()

Method Details

addHeaderWriter

public HeadersConfigurer<H> addHeaderWriter(HeaderWriter headerWriter)

Adds a HeaderWriter instance

Parameters:

headerWriter - the HeaderWriter instance to add

Returns:

the HeadersConfigurer for additional customizations

contentTypeOptions

public HeadersConfigurer<H>.ContentTypeOptionsConfig contentTypeOptions()

Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options:

 X-Content-Type-Options: nosniff
 

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ContentTypeOptionsConfig for additional customizations

contentTypeOptions

public HeadersConfigurer<H> contentTypeOptions(Customizer<HeadersConfigurer<H>.ContentTypeOptionsConfig> contentTypeOptionsCustomizer)

Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options:

 X-Content-Type-Options: nosniff
 

Parameters:

contentTypeOptionsCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ContentTypeOptionsConfig

Returns:

the HeadersConfigurer for additional customizations

xssProtection

public HeadersConfigurer<H>.XXssConfig xssProtection()

Note this is not comprehensive XSS protection!

Allows customizing the XXssProtectionHeaderWriter which adds the X-XSS-Protection header

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.XXssConfig for additional customizations

xssProtection

public HeadersConfigurer<H> xssProtection(Customizer<HeadersConfigurer<H>.XXssConfig> xssCustomizer)

Note this is not comprehensive XSS protection!

Allows customizing the XXssProtectionHeaderWriter which adds the X-XSS-Protection header

Parameters:

xssCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.XXssConfig

Returns:

the HeadersConfigurer for additional customizations

cacheControl

public HeadersConfigurer<H>.CacheControlConfig cacheControl()

Allows customizing the CacheControlHeadersWriter. Specifically it adds the following headers:

• Cache-Control: no-cache, no-store, max-age=0, must-revalidate
• Pragma: no-cache
• Expires: 0

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.CacheControlConfig for additional customizations

cacheControl

public HeadersConfigurer<H> cacheControl(Customizer<HeadersConfigurer<H>.CacheControlConfig> cacheControlCustomizer)

Allows customizing the CacheControlHeadersWriter. Specifically it adds the following headers:

• Cache-Control: no-cache, no-store, max-age=0, must-revalidate
• Pragma: no-cache
• Expires: 0

Parameters:

cacheControlCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.CacheControlConfig

Returns:

the HeadersConfigurer for additional customizations

httpStrictTransportSecurity

public HeadersConfigurer<H>.HstsConfig httpStrictTransportSecurity()

Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.HstsConfig for additional customizations

httpStrictTransportSecurity

public HeadersConfigurer<H> httpStrictTransportSecurity(Customizer<HeadersConfigurer<H>.HstsConfig> hstsCustomizer)

Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).

Parameters:

hstsCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.HstsConfig

Returns:

the HeadersConfigurer for additional customizations

frameOptions

public HeadersConfigurer<H>.FrameOptionsConfig frameOptions()

Allows customizing the XFrameOptionsHeaderWriter.

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.FrameOptionsConfig for additional customizations

frameOptions

public HeadersConfigurer<H> frameOptions(Customizer<HeadersConfigurer<H>.FrameOptionsConfig> frameOptionsCustomizer)

Allows customizing the XFrameOptionsHeaderWriter.

Parameters:

frameOptionsCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.FrameOptionsConfig

Returns:

the HeadersConfigurer for additional customizations

httpPublicKeyPinning

@Deprecated
public HeadersConfigurer<H>.HpkpConfig httpPublicKeyPinning()

Deprecated.

see Certificate and Public Key Pinning for more context

Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP).

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.HpkpConfig for additional customizations

Since:

4.1

httpPublicKeyPinning

@Deprecated
public HeadersConfigurer<H> httpPublicKeyPinning(Customizer<HeadersConfigurer<H>.HpkpConfig> hpkpCustomizer)

Deprecated.

see Certificate and Public Key Pinning for more context

Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP).

Parameters:

hpkpCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.HpkpConfig

Returns:

the HeadersConfigurer for additional customizations

contentSecurityPolicy

public HeadersConfigurer<H>.ContentSecurityPolicyConfig contentSecurityPolicy(String policyDirectives)

Allows configuration for Content Security Policy (CSP) Level 2.

Calling this method automatically enables (includes) the Content-Security-Policy header in the response using the supplied security policy directive(s).

Configuration is provided to the ContentSecurityPolicyHeaderWriter which supports the writing of the two headers as detailed in the W3C Candidate Recommendation:

• Content-Security-Policy
• Content-Security-Policy-Report-Only

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ContentSecurityPolicyConfig for additional configuration

Throws:

IllegalArgumentException - if policyDirectives is null or empty

Since:

4.1

See Also:

• ContentSecurityPolicyHeaderWriter

contentSecurityPolicy

public HeadersConfigurer<H> contentSecurityPolicy(Customizer<HeadersConfigurer<H>.ContentSecurityPolicyConfig> contentSecurityCustomizer)

Allows configuration for Content Security Policy (CSP) Level 2.

Calling this method automatically enables (includes) the Content-Security-Policy header in the response using the supplied security policy directive(s).

Configuration is provided to the ContentSecurityPolicyHeaderWriter which supports the writing of the two headers as detailed in the W3C Candidate Recommendation:

• Content-Security-Policy
• Content-Security-Policy-Report-Only

Parameters:

contentSecurityCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ContentSecurityPolicyConfig

Returns:

the HeadersConfigurer for additional customizations

See Also:

• ContentSecurityPolicyHeaderWriter

defaultsDisabled

public HeadersConfigurer<H> defaultsDisabled()

Clears all of the default headers from the response. After doing so, one can add headers back. For example, if you only want to use Spring Security's cache control you can use the following:

 http.headers().defaultsDisabled().cacheControl();
 

Returns:

the HeadersConfigurer for additional customization

configure

public void configure(H http)

Description copied from interface: SecurityConfigurer

Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.

Specified by:

configure in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

Overrides:

configure in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

referrerPolicy

public HeadersConfigurer<H>.ReferrerPolicyConfig referrerPolicy()

Allows configuration for Referrer Policy.

Configuration is provided to the ReferrerPolicyHeaderWriter which support the writing of the header as detailed in the W3C Technical Report:

• Referrer-Policy

Default value is:

 Referrer-Policy: no-referrer
 

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ReferrerPolicyConfig for additional configuration

Since:

4.2

See Also:

• ReferrerPolicyHeaderWriter

referrerPolicy

public HeadersConfigurer<H>.ReferrerPolicyConfig referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy policy)

Allows configuration for Referrer Policy.

Configuration is provided to the ReferrerPolicyHeaderWriter which support the writing of the header as detailed in the W3C Technical Report:

• Referrer-Policy

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ReferrerPolicyConfig for additional configuration

Throws:

IllegalArgumentException - if policy is null or empty

Since:

4.2

See Also:

• ReferrerPolicyHeaderWriter

referrerPolicy

public HeadersConfigurer<H> referrerPolicy(Customizer<HeadersConfigurer<H>.ReferrerPolicyConfig> referrerPolicyCustomizer)

Allows configuration for Referrer Policy.

Configuration is provided to the ReferrerPolicyHeaderWriter which support the writing of the header as detailed in the W3C Technical Report:

• Referrer-Policy

Parameters:

referrerPolicyCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ReferrerPolicyConfig

Returns:

the HeadersConfigurer for additional customizations

See Also:

• ReferrerPolicyHeaderWriter

featurePolicy

@Deprecated
public HeadersConfigurer<H>.FeaturePolicyConfig featurePolicy(String policyDirectives)

Deprecated.

Use permissionsPolicy(Customizer) instead.

Allows configuration for Feature Policy.

Calling this method automatically enables (includes) the Feature-Policy header in the response using the supplied policy directive(s).

Configuration is provided to the FeaturePolicyHeaderWriter which is responsible for writing the header.

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.FeaturePolicyConfig for additional configuration

Throws:

IllegalArgumentException - if policyDirectives is null or empty

Since:

5.1

permissionsPolicy

public HeadersConfigurer<H>.PermissionsPolicyConfig permissionsPolicy()

Allows configuration for Permissions Policy.

Configuration is provided to the PermissionsPolicyHeaderWriter which support the writing of the header as detailed in the W3C Technical Report:

• Permissions-Policy

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.PermissionsPolicyConfig for additional configuration

Since:

5.5

See Also:

• PermissionsPolicyHeaderWriter

permissionsPolicy

public HeadersConfigurer<H>.PermissionsPolicyConfig permissionsPolicy(Customizer<HeadersConfigurer<H>.PermissionsPolicyConfig> permissionsPolicyCustomizer)

Allows configuration for Permissions Policy.

Calling this method automatically enables (includes) the Permissions-Policy header in the response using the supplied policy directive(s).

Configuration is provided to the PermissionsPolicyHeaderWriter which is responsible for writing the header.

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.PermissionsPolicyConfig for additional configuration

Throws:

IllegalArgumentException - if policyDirectives is null or empty

Since:

5.5

See Also:

• PermissionsPolicyHeaderWriter

crossOriginOpenerPolicy

public HeadersConfigurer<H>.CrossOriginOpenerPolicyConfig crossOriginOpenerPolicy()

Allows configuration for Cross-Origin-Opener-Policy header.

Configuration is provided to the CrossOriginOpenerPolicyHeaderWriter which responsible for writing the header.

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.CrossOriginOpenerPolicyConfig for additional confniguration

Since:

5.7

See Also:

• CrossOriginOpenerPolicyHeaderWriter

crossOriginOpenerPolicy

public HeadersConfigurer<H> crossOriginOpenerPolicy(Customizer<HeadersConfigurer<H>.CrossOriginOpenerPolicyConfig> crossOriginOpenerPolicyCustomizer)

Allows configuration for Cross-Origin-Opener-Policy header.

Calling this method automatically enables (includes) the Cross-Origin-Opener-Policy header in the response using the supplied policy.

Configuration is provided to the CrossOriginOpenerPolicyHeaderWriter which responsible for writing the header.

Returns:

the HeadersConfigurer for additional customizations

Since:

5.7

See Also:

• CrossOriginOpenerPolicyHeaderWriter

crossOriginEmbedderPolicy

public HeadersConfigurer<H>.CrossOriginEmbedderPolicyConfig crossOriginEmbedderPolicy()

Allows configuration for Cross-Origin-Embedder-Policy header.

Configuration is provided to the CrossOriginEmbedderPolicyHeaderWriter which is responsible for writing the header.

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.CrossOriginEmbedderPolicyConfig for additional customizations

Since:

5.7

See Also:

• CrossOriginEmbedderPolicyHeaderWriter

crossOriginEmbedderPolicy

public HeadersConfigurer<H> crossOriginEmbedderPolicy(Customizer<HeadersConfigurer<H>.CrossOriginEmbedderPolicyConfig> crossOriginEmbedderPolicyCustomizer)

Allows configuration for Cross-Origin-Embedder-Policy header.

Calling this method automatically enables (includes) the Cross-Origin-Embedder-Policy header in the response using the supplied policy.

Configuration is provided to the CrossOriginEmbedderPolicyHeaderWriter which is responsible for writing the header.

Returns:

the HeadersConfigurer for additional customizations

Since:

5.7

See Also:

• CrossOriginEmbedderPolicyHeaderWriter

crossOriginResourcePolicy

public HeadersConfigurer<H>.CrossOriginResourcePolicyConfig crossOriginResourcePolicy()

Allows configuration for Cross-Origin-Resource-Policy header.

Configuration is provided to the CrossOriginResourcePolicyHeaderWriter which is responsible for writing the header:

Returns:

the HeadersConfigurer for additional customizations

Since:

5.7

See Also:

• CrossOriginResourcePolicyHeaderWriter

crossOriginResourcePolicy

public HeadersConfigurer<H> crossOriginResourcePolicy(Customizer<HeadersConfigurer<H>.CrossOriginResourcePolicyConfig> crossOriginResourcePolicyCustomizer)

Allows configuration for Cross-Origin-Resource-Policy header.

Calling this method automatically enables (includes) the Cross-Origin-Resource-Policy header in the response using the supplied policy.

Configuration is provided to the CrossOriginResourcePolicyHeaderWriter which is responsible for writing the header:

Returns:

the HeadersConfigurer for additional customizations

Since:

5.7

See Also:

• CrossOriginResourcePolicyHeaderWriter