Class HeadersConfigurer<H extends HttpSecurityBuilder<H>>

- All Implemented Interfaces:
  SecurityConfigurer<DefaultSecurityFilterChain, H>

Adds the Security HTTP headers to the response. Security HTTP headers are activated by default when using EnableWebSecurity's default constructor.

The default headers included are:

Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 0

- Since:
  3.2
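As an added example (not from this Javadoc or the Spring Security project), a SecurityFilterChain that uses the Customizer variants of this class to tighten several of the headers it manages. The methods called on the nested Config classes (maxAgeInSeconds, includeSubDomains, preload, sameOrigin, policyDirectives, policy) and the enum constants are Spring Security API that this page does not document; the class and bean names are my own.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.CrossOriginEmbedderPolicyHeaderWriter.CrossOriginEmbedderPolicy;
import org.springframework.security.web.header.writers.CrossOriginOpenerPolicyHeaderWriter.CrossOriginOpenerPolicy;
import org.springframework.security.web.header.writers.CrossOriginResourcePolicyHeaderWriter.CrossOriginResourcePolicy;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;

@Configuration
@EnableWebSecurity
public class SecurityHeadersConfig {   // hypothetical configuration class

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .headers(headers -> headers
                // HSTS for one year, covering subdomains, opting in to browser preload lists.
                // The HstsHeaderWriter only writes this header on requests it considers secure.
                .httpStrictTransportSecurity(hsts -> hsts
                    .maxAgeInSeconds(31536000)
                    .includeSubDomains(true)
                    .preload(true))
                // Allow framing only from this origin (the default is DENY).
                .frameOptions(frame -> frame.sameOrigin())
                // CSP Level 2 directives; the Config also offers reportOnly() for a staged rollout.
                .contentSecurityPolicy(csp -> csp
                    .policyDirectives("default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self'"))
                // Send the full URL same-origin, only the origin on cross-origin navigations.
                .referrerPolicy(referrer -> referrer
                    .policy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN))
                // Permissions Policy: switch off powerful features the application does not use.
                .permissionsPolicy(permissions -> permissions
                    .policy("geolocation=(), camera=(), microphone=()"))
                // Cross-origin isolation headers (COOP/COEP/CORP), available since 5.7.
                .crossOriginOpenerPolicy(coop -> coop.policy(CrossOriginOpenerPolicy.SAME_ORIGIN))
                .crossOriginEmbedderPolicy(coep -> coep.policy(CrossOriginEmbedderPolicy.REQUIRE_CORP))
                .crossOriginResourcePolicy(corp -> corp.policy(CrossOriginResourcePolicy.SAME_ORIGIN))
            );
        return http.build();
    }
}
```

Headers not touched here (Cache-Control, Pragma, Expires, X-Content-Type-Options, X-XSS-Protection) keep the default values listed above.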
Nested Class Summary

Modifier and Type / Class / Description

final class  HeadersConfigurer.CacheControlConfig
final class  HeadersConfigurer.ContentSecurityPolicyConfig
final class  HeadersConfigurer.ContentTypeOptionsConfig
final class  HeadersConfigurer.CrossOriginEmbedderPolicyConfig
final class  HeadersConfigurer.CrossOriginOpenerPolicyConfig
final class  HeadersConfigurer.CrossOriginResourcePolicyConfig
final class  HeadersConfigurer.FeaturePolicyConfig
final class  HeadersConfigurer.FrameOptionsConfig
final class  HeadersConfigurer.HpkpConfig
             Deprecated. See Certificate and Public Key Pinning for more context.
final class  HeadersConfigurer.HstsConfig
final class  HeadersConfigurer.PermissionsPolicyConfig
final class  HeadersConfigurer.ReferrerPolicyConfig
final class  HeadersConfigurer.XXssConfig

Constructor Summary

Constructor / Description

HeadersConfigurer()
    Creates a new instance.
Method Summary

Modifier and Type / Method / Description

HeadersConfigurer<H> addHeaderWriter(HeaderWriter headerWriter)
    Adds a HeaderWriter instance.
HeadersConfigurer<H>.CacheControlConfig cacheControl()
    Allows customizing the CacheControlHeadersWriter.
HeadersConfigurer<H> cacheControl(Customizer<HeadersConfigurer<H>.CacheControlConfig> cacheControlCustomizer)
    Allows customizing the CacheControlHeadersWriter.
void configure(H http)
    Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
HeadersConfigurer<H>.ContentSecurityPolicyConfig contentSecurityPolicy(String policyDirectives)
    Allows configuration for Content Security Policy (CSP) Level 2.
HeadersConfigurer<H> contentSecurityPolicy(Customizer<HeadersConfigurer<H>.ContentSecurityPolicyConfig> contentSecurityCustomizer)
    Allows configuration for Content Security Policy (CSP) Level 2.
HeadersConfigurer<H>.ContentTypeOptionsConfig contentTypeOptions()
    Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options header.
HeadersConfigurer<H> contentTypeOptions(Customizer<HeadersConfigurer<H>.ContentTypeOptionsConfig> contentTypeOptionsCustomizer)
    Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options header.
HeadersConfigurer<H>.CrossOriginEmbedderPolicyConfig crossOriginEmbedderPolicy()
    Allows configuration for the Cross-Origin-Embedder-Policy header.
HeadersConfigurer<H> crossOriginEmbedderPolicy(Customizer<HeadersConfigurer<H>.CrossOriginEmbedderPolicyConfig> crossOriginEmbedderPolicyCustomizer)
    Allows configuration for the Cross-Origin-Embedder-Policy header.
HeadersConfigurer<H>.CrossOriginOpenerPolicyConfig crossOriginOpenerPolicy()
    Allows configuration for the Cross-Origin-Opener-Policy header.
HeadersConfigurer<H> crossOriginOpenerPolicy(Customizer<HeadersConfigurer<H>.CrossOriginOpenerPolicyConfig> crossOriginOpenerPolicyCustomizer)
    Allows configuration for the Cross-Origin-Opener-Policy header.
HeadersConfigurer<H>.CrossOriginResourcePolicyConfig crossOriginResourcePolicy()
    Allows configuration for the Cross-Origin-Resource-Policy header.
HeadersConfigurer<H> crossOriginResourcePolicy(Customizer<HeadersConfigurer<H>.CrossOriginResourcePolicyConfig> crossOriginResourcePolicyCustomizer)
    Allows configuration for the Cross-Origin-Resource-Policy header.
HeadersConfigurer<H> defaultsDisabled()
    Clears all of the default headers from the response.
HeadersConfigurer<H>.FeaturePolicyConfig featurePolicy(String policyDirectives)
    Deprecated. Use permissionsPolicy(Customizer) instead.
HeadersConfigurer<H>.FrameOptionsConfig frameOptions()
    Allows customizing the XFrameOptionsHeaderWriter.
HeadersConfigurer<H> frameOptions(Customizer<HeadersConfigurer<H>.FrameOptionsConfig> frameOptionsCustomizer)
    Allows customizing the XFrameOptionsHeaderWriter.
HeadersConfigurer<H>.HpkpConfig httpPublicKeyPinning()
    Deprecated. See Certificate and Public Key Pinning for more context.
HeadersConfigurer<H> httpPublicKeyPinning(Customizer<HeadersConfigurer<H>.HpkpConfig> hpkpCustomizer)
    Deprecated. See Certificate and Public Key Pinning for more context.
HeadersConfigurer<H>.HstsConfig httpStrictTransportSecurity()
    Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).
HeadersConfigurer<H> httpStrictTransportSecurity(Customizer<HeadersConfigurer<H>.HstsConfig> hstsCustomizer)
    Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).
HeadersConfigurer<H>.PermissionsPolicyConfig permissionsPolicy()
    Allows configuration for Permissions Policy.
HeadersConfigurer<H>.PermissionsPolicyConfig permissionsPolicy(Customizer<HeadersConfigurer<H>.PermissionsPolicyConfig> permissionsPolicyCustomizer)
    Allows configuration for Permissions Policy.
HeadersConfigurer<H>.ReferrerPolicyConfig referrerPolicy()
    Allows configuration for Referrer Policy.
HeadersConfigurer<H>.ReferrerPolicyConfig referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy policy)
    Allows configuration for Referrer Policy.
HeadersConfigurer<H> referrerPolicy(Customizer<HeadersConfigurer<H>.ReferrerPolicyConfig> referrerPolicyCustomizer)
    Allows configuration for Referrer Policy.
HeadersConfigurer<H>.XXssConfig xssProtection()
    Note this is not comprehensive XSS protection!
HeadersConfigurer<H> xssProtection(Customizer<HeadersConfigurer<H>.XXssConfig> xssCustomizer)
    Note this is not comprehensive XSS protection!

Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer
    disable, getSecurityContextHolderStrategy, withObjectPostProcessor

Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter
    addObjectPostProcessor, and, getBuilder, init, postProcess, setBuilder
Constructor Details

HeadersConfigurer

public HeadersConfigurer()

Creates a new instance.
Method Details

addHeaderWriter

public HeadersConfigurer<H> addHeaderWriter(HeaderWriter headerWriter)

Adds a HeaderWriter instance.

- Parameters:
  headerWriter - the HeaderWriter instance to add
- Returns:
  the HeadersConfigurer for additional customizations

contentTypeOptions

public HeadersConfigurer<H>.ContentTypeOptionsConfig contentTypeOptions()

Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options header:

X-Content-Type-Options: nosniff

- Returns:
  the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ContentTypeOptionsConfig for additional customizations

contentTypeOptions

public HeadersConfigurer<H> contentTypeOptions(Customizer<HeadersConfigurer<H>.ContentTypeOptionsConfig> contentTypeOptionsCustomizer)

Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options header:

X-Content-Type-Options: nosniff

- Parameters:
  contentTypeOptionsCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ContentTypeOptionsConfig
- Returns:
  the HeadersConfigurer for additional customizations
xssProtection

public HeadersConfigurer<H>.XXssConfig xssProtection()

Note this is not comprehensive XSS protection!

Allows customizing the XXssProtectionHeaderWriter which adds the X-XSS-Protection header.

- Returns:
  the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.XXssConfig for additional customizations

xssProtection

public HeadersConfigurer<H> xssProtection(Customizer<HeadersConfigurer<H>.XXssConfig> xssCustomizer)

Note this is not comprehensive XSS protection!

Allows customizing the XXssProtectionHeaderWriter which adds the X-XSS-Protection header.

- Parameters:
  xssCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.XXssConfig
- Returns:
  the HeadersConfigurer for additional customizations
cacheControl

public HeadersConfigurer<H>.CacheControlConfig cacheControl()

Allows customizing the CacheControlHeadersWriter. Specifically it adds the following headers:

- Cache-Control: no-cache, no-store, max-age=0, must-revalidate
- Pragma: no-cache
- Expires: 0

- Returns:
  the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.CacheControlConfig for additional customizations

cacheControl

public HeadersConfigurer<H> cacheControl(Customizer<HeadersConfigurer<H>.CacheControlConfig> cacheControlCustomizer)

Allows customizing the CacheControlHeadersWriter. Specifically it adds the following headers:

- Cache-Control: no-cache, no-store, max-age=0, must-revalidate
- Pragma: no-cache
- Expires: 0

- Parameters:
  cacheControlCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.CacheControlConfig
- Returns:
  the HeadersConfigurer for additional customizations
httpStrictTransportSecurity

public HeadersConfigurer<H>.HstsConfig httpStrictTransportSecurity()

Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).

- Returns:
  the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.HstsConfig for additional customizations

httpStrictTransportSecurity

public HeadersConfigurer<H> httpStrictTransportSecurity(Customizer<HeadersConfigurer<H>.HstsConfig> hstsCustomizer)

Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).

- Parameters:
  hstsCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.HstsConfig
- Returns:
  the HeadersConfigurer for additional customizations
frameOptions

public HeadersConfigurer<H>.FrameOptionsConfig frameOptions()

Allows customizing the XFrameOptionsHeaderWriter.

- Returns:
  the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.FrameOptionsConfig for additional customizations

frameOptions

public HeadersConfigurer<H> frameOptions(Customizer<HeadersConfigurer<H>.FrameOptionsConfig> frameOptionsCustomizer)

Allows customizing the XFrameOptionsHeaderWriter.

- Parameters:
  frameOptionsCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.FrameOptionsConfig
- Returns:
  the HeadersConfigurer for additional customizations
httpPublicKeyPinning

@Deprecated
public HeadersConfigurer<H>.HpkpConfig httpPublicKeyPinning()

Deprecated. See Certificate and Public Key Pinning for more context.

Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP).

- Returns:
  the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.HpkpConfig for additional customizations
- Since:
  4.1

httpPublicKeyPinning

@Deprecated
public HeadersConfigurer<H> httpPublicKeyPinning(Customizer<HeadersConfigurer<H>.HpkpConfig> hpkpCustomizer)

Deprecated. See Certificate and Public Key Pinning for more context.

Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP).

- Parameters:
  hpkpCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.HpkpConfig
- Returns:
  the HeadersConfigurer for additional customizations
contentSecurityPolicy

public HeadersConfigurer<H>.ContentSecurityPolicyConfig contentSecurityPolicy(String policyDirectives)

Allows configuration for Content Security Policy (CSP) Level 2.

Calling this method automatically enables (includes) the Content-Security-Policy header in the response using the supplied security policy directive(s).

Configuration is provided to the ContentSecurityPolicyHeaderWriter which supports the writing of the two headers as detailed in the W3C Candidate Recommendation:

- Content-Security-Policy
- Content-Security-Policy-Report-Only

- Returns:
  the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ContentSecurityPolicyConfig for additional configuration
- Throws:
  IllegalArgumentException - if policyDirectives is null or empty
- Since:
  4.1

contentSecurityPolicy

public HeadersConfigurer<H> contentSecurityPolicy(Customizer<HeadersConfigurer<H>.ContentSecurityPolicyConfig> contentSecurityCustomizer)

Allows configuration for Content Security Policy (CSP) Level 2.

Calling this method automatically enables (includes) the Content-Security-Policy header in the response using the supplied security policy directive(s).

Configuration is provided to the ContentSecurityPolicyHeaderWriter which supports the writing of the two headers as detailed in the W3C Candidate Recommendation:

- Content-Security-Policy
- Content-Security-Policy-Report-Only

- Parameters:
  contentSecurityCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ContentSecurityPolicyConfig
- Returns:
  the HeadersConfigurer for additional customizations
defaultsDisabled

public HeadersConfigurer<H> defaultsDisabled()

Clears all of the default headers from the response. After doing so, one can add headers back. For example, if you only want to use Spring Security's cache control you can use the following:

http.headers().defaultsDisabled().cacheControl();

- Returns:
  the HeadersConfigurer for additional customization
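An added example, not part of this Javadoc: a Spring Boot test that applies defaultsDisabled() through the lambda DSL, re-adds only cache control plus one extra header via addHeaderWriter, and checks with MockMvc which headers actually survive. It assumes a Spring Boot application with spring-boot-starter-test on the classpath; StaticHeadersWriter and Customizer.withDefaults() are Spring Security API not shown on this page, and the class names are my own.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.context.TestConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class DefaultsDisabledHeadersTest {   // hypothetical test class

    // Test-local filter chain: clear every default header, then add back only what is wanted.
    @TestConfiguration
    static class HeadersOnlyConfig {
        @Bean
        SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            http.headers(headers -> headers
                    .defaultsDisabled()                         // removes all defaults listed in the class doc
                    .cacheControl(Customizer.withDefaults())    // re-adds Cache-Control, Pragma, Expires
                    .addHeaderWriter(new StaticHeadersWriter("X-Robots-Tag", "noindex"))); // header the DSL has no method for
            return http.build();
        }
    }

    @Autowired
    MockMvc mvc;

    @Test
    void onlyCacheControlAndCustomHeaderRemain() throws Exception {
        mvc.perform(get("/").secure(true))   // secure(true): HSTS would be written here if it were still enabled
            .andExpect(header().string("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate"))
            .andExpect(header().string("Pragma", "no-cache"))
            .andExpect(header().string("Expires", "0"))
            .andExpect(header().string("X-Robots-Tag", "noindex"))
            // every other default must be gone after defaultsDisabled()
            .andExpect(header().doesNotExist("X-Frame-Options"))
            .andExpect(header().doesNotExist("X-Content-Type-Options"))
            .andExpect(header().doesNotExist("Strict-Transport-Security"))
            .andExpect(header().doesNotExist("X-XSS-Protection"));
    }
}
```

The same assertions, with doesNotExist swapped for the expected default values, make a useful regression test for a chain that does not call defaultsDisabled().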
configure

public void configure(H http)

Description copied from interface: SecurityConfigurer

Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.

- Specified by:
  configure in interface SecurityConfigurer<DefaultSecurityFilterChain, H extends HttpSecurityBuilder<H>>
- Overrides:
  configure in class SecurityConfigurerAdapter<DefaultSecurityFilterChain, H extends HttpSecurityBuilder<H>>
referrerPolicy

public HeadersConfigurer<H>.ReferrerPolicyConfig referrerPolicy()

Allows configuration for Referrer Policy.

Configuration is provided to the ReferrerPolicyHeaderWriter which supports the writing of the header as detailed in the W3C Technical Report:

- Referrer-Policy

Default value is:

Referrer-Policy: no-referrer

- Returns:
  the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ReferrerPolicyConfig for additional configuration
- Since:
  4.2

referrerPolicy

public HeadersConfigurer<H>.ReferrerPolicyConfig referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy policy)

Allows configuration for Referrer Policy.

Configuration is provided to the ReferrerPolicyHeaderWriter which supports the writing of the header as detailed in the W3C Technical Report:

- Referrer-Policy

- Returns:
  the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ReferrerPolicyConfig for additional configuration
- Throws:
  IllegalArgumentException - if policy is null or empty
- Since:
  4.2

referrerPolicy

public HeadersConfigurer<H> referrerPolicy(Customizer<HeadersConfigurer<H>.ReferrerPolicyConfig> referrerPolicyCustomizer)

Allows configuration for Referrer Policy.

Configuration is provided to the ReferrerPolicyHeaderWriter which supports the writing of the header as detailed in the W3C Technical Report:

- Referrer-Policy

- Parameters:
  referrerPolicyCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ReferrerPolicyConfig
- Returns:
  the HeadersConfigurer for additional customizations
featurePolicy

@Deprecated
public HeadersConfigurer<H>.FeaturePolicyConfig featurePolicy(String policyDirectives)

Deprecated. Use permissionsPolicy(Customizer) instead.

Allows configuration for Feature Policy.

Calling this method automatically enables (includes) the Feature-Policy header in the response using the supplied policy directive(s).

Configuration is provided to the FeaturePolicyHeaderWriter which is responsible for writing the header.

- Returns:
  the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.FeaturePolicyConfig for additional configuration
- Throws:
  IllegalArgumentException - if policyDirectives is null or empty
- Since:
  5.1
permissionsPolicy

public HeadersConfigurer<H>.PermissionsPolicyConfig permissionsPolicy()

Allows configuration for Permissions Policy.

Configuration is provided to the PermissionsPolicyHeaderWriter which supports the writing of the header as detailed in the W3C Technical Report:

- Permissions-Policy

- Returns:
  the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.PermissionsPolicyConfig for additional configuration
- Since:
  5.5

permissionsPolicy

public HeadersConfigurer<H>.PermissionsPolicyConfig permissionsPolicy(Customizer<HeadersConfigurer<H>.PermissionsPolicyConfig> permissionsPolicyCustomizer)

Allows configuration for Permissions Policy.

Calling this method automatically enables (includes) the Permissions-Policy header in the response using the supplied policy directive(s).

Configuration is provided to the PermissionsPolicyHeaderWriter which is responsible for writing the header.

- Returns:
  the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.PermissionsPolicyConfig for additional configuration
- Throws:
  IllegalArgumentException - if policyDirectives is null or empty
- Since:
  5.5
crossOriginOpenerPolicy

public HeadersConfigurer<H>.CrossOriginOpenerPolicyConfig crossOriginOpenerPolicy()

Allows configuration for the Cross-Origin-Opener-Policy header.

Configuration is provided to the CrossOriginOpenerPolicyHeaderWriter which is responsible for writing the header.

- Returns:
  the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.CrossOriginOpenerPolicyConfig for additional configuration
- Since:
  5.7

crossOriginOpenerPolicy

public HeadersConfigurer<H> crossOriginOpenerPolicy(Customizer<HeadersConfigurer<H>.CrossOriginOpenerPolicyConfig> crossOriginOpenerPolicyCustomizer)

Allows configuration for the Cross-Origin-Opener-Policy header.

Calling this method automatically enables (includes) the Cross-Origin-Opener-Policy header in the response using the supplied policy.

Configuration is provided to the CrossOriginOpenerPolicyHeaderWriter which is responsible for writing the header.

- Returns:
  the HeadersConfigurer for additional customizations
- Since:
  5.7
crossOriginEmbedderPolicy

public HeadersConfigurer<H>.CrossOriginEmbedderPolicyConfig crossOriginEmbedderPolicy()

Allows configuration for the Cross-Origin-Embedder-Policy header.

Configuration is provided to the CrossOriginEmbedderPolicyHeaderWriter which is responsible for writing the header.

- Returns:
  the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.CrossOriginEmbedderPolicyConfig for additional customizations
- Since:
  5.7

crossOriginEmbedderPolicy

public HeadersConfigurer<H> crossOriginEmbedderPolicy(Customizer<HeadersConfigurer<H>.CrossOriginEmbedderPolicyConfig> crossOriginEmbedderPolicyCustomizer)

Allows configuration for the Cross-Origin-Embedder-Policy header.

Calling this method automatically enables (includes) the Cross-Origin-Embedder-Policy header in the response using the supplied policy.

Configuration is provided to the CrossOriginEmbedderPolicyHeaderWriter which is responsible for writing the header.

- Returns:
  the HeadersConfigurer for additional customizations
- Since:
  5.7
crossOriginResourcePolicy

public HeadersConfigurer<H>.CrossOriginResourcePolicyConfig crossOriginResourcePolicy()

Allows configuration for the Cross-Origin-Resource-Policy header.

Configuration is provided to the CrossOriginResourcePolicyHeaderWriter which is responsible for writing the header.

- Returns:
  the HeadersConfigurer for additional customizations
- Since:
  5.7

crossOriginResourcePolicy

public HeadersConfigurer<H> crossOriginResourcePolicy(Customizer<HeadersConfigurer<H>.CrossOriginResourcePolicyConfig> crossOriginResourcePolicyCustomizer)

Allows configuration for the Cross-Origin-Resource-Policy header.

Calling this method automatically enables (includes) the Cross-Origin-Resource-Policy header in the response using the supplied policy.

Configuration is provided to the CrossOriginResourcePolicyHeaderWriter which is responsible for writing the header.

- Returns:
  the HeadersConfigurer for additional customizations
- Since:
  5.7