Class HeadersConfigurer.HstsConfig

java.lang.Object
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.HstsConfig
Enclosing class:
HeadersConfigurer<H extends HttpSecurityBuilder<H>>

public final class HeadersConfigurer.HstsConfig extends Object
  • Method Details

    • maxAgeInSeconds

      public HeadersConfigurer<H>.HstsConfig maxAgeInSeconds(long maxAgeInSeconds)

      Sets the value (in seconds) for the max-age directive of the Strict-Transport-Security header. The default is one year.

      This tells browsers how long to remember this domain as a known HSTS Host. See Section 6.1.1 of RFC 6797 for additional details.

      Parameters:
      maxAgeInSeconds - the maximum amount of time (in seconds) to consider this domain as a known HSTS Host.
      Throws:
      IllegalArgumentException - if maxAgeInSeconds is negative
    • requestMatcher

      public HeadersConfigurer<H>.HstsConfig requestMatcher(RequestMatcher requestMatcher)
      Sets the RequestMatcher used to determine whether the "Strict-Transport-Security" header should be added. If the matcher returns true, the header is added; otherwise it is not. By default the header is added when ServletRequest.isSecure() returns true.
      Parameters:
      requestMatcher - the RequestMatcher to use.
      Throws:
      IllegalArgumentException - if requestMatcher is null
    • includeSubDomains

      public HeadersConfigurer<H>.HstsConfig includeSubDomains(boolean includeSubDomains)

      If true, subdomains should be considered HSTS Hosts too. The default is true.

      See Section 6.1.2 of RFC 6797 for additional details.

      Parameters:
      includeSubDomains - true to include subdomains, else false
    • preload

      public HeadersConfigurer<H>.HstsConfig preload(boolean preload)

      If true, the preload directive is included in the HSTS header. The default is false.

      See hstspreload.org for additional details.

      Parameters:
      preload - true to include preload, else false
      Since:
      5.2.0
    • disable

      public HeadersConfigurer<H> disable()
      Disables Strict Transport Security.
      Returns:
      the HeadersConfigurer for additional configuration
    • and

      @Deprecated(since="6.1", forRemoval=true) public HeadersConfigurer<H> and()
      Deprecated, for removal: This API element is subject to removal in a future version.
      Allows completing configuration of Strict Transport Security and continuing configuration of headers.
      Returns:
      the HeadersConfigurer for additional configuration
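
An added example (not part of the Spring Security Javadoc) that sets the four options documented above through the lambda DSL rather than the deprecated and(). The class name, the FORWARDED_HTTPS matcher and the deployment it targets (TLS terminated at a reverse proxy that overwrites X-Forwarded-Proto, so ServletRequest.isSecure() is false inside the application) are assumptions.

```java
import java.time.Duration;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
public class HstsExampleConfig { // hypothetical class name

    // Assumption: the proxy in front of the application terminates TLS and
    // overwrites X-Forwarded-Proto on every request. Without a custom matcher
    // the default (ServletRequest.isSecure()) would never add the header here.
    private static final RequestMatcher FORWARDED_HTTPS = request ->
            request.isSecure()
                    || "https".equalsIgnoreCase(request.getHeader("X-Forwarded-Proto"));

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.headers(headers -> headers
                .httpStrictTransportSecurity(hsts -> hsts
                        // One year, the documented default, written out explicitly.
                        // A negative value throws IllegalArgumentException.
                        .maxAgeInSeconds(Duration.ofDays(365).toSeconds())
                        // Documented default is true: every subdomain becomes
                        // an HSTS Host too, so each must be reachable over HTTPS.
                        .includeSubDomains(true)
                        // Documented default is false. Setting it to true only
                        // adds the directive; see hstspreload.org for the
                        // separate submission process.
                        .preload(false)
                        // Replaces the default isSecure() check.
                        .requestMatcher(FORWARDED_HTTPS)));
        return http.build();
    }
}
```

If the proxy does not strip a client-supplied X-Forwarded-Proto, drop the custom matcher and configure the servlet container's forwarded-header handling so that isSecure() reports the real scheme.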