Class HeadersConfigurer.XXssConfig
java.lang.Object
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.XXssConfig
- Enclosing class:
- HeadersConfigurer<H extends HttpSecurityBuilder<H>>
-
Method Summary
Modifier and TypeMethodDescriptionand()
Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0.disable()
Disables X-XSS-Protection header (does not include it)headerValue
(XXssProtectionHeaderWriter.HeaderValue headerValue) Sets the value of the X-XSS-PROTECTION header.
-
Method Details
-
headerValue
public HeadersConfigurer<H>.XXssConfig headerValue(XXssProtectionHeaderWriter.HeaderValue headerValue) Sets the value of the X-XSS-PROTECTION header. OWASP recommends usingXXssProtectionHeaderWriter.HeaderValue.DISABLED
. IfXXssProtectionHeaderWriter.HeaderValue.DISABLED
, will specify that X-XSS-Protection is disabled. For example:X-XSS-Protection: 0
IfXXssProtectionHeaderWriter.HeaderValue.ENABLED
, will contain a value of 1, but will not specify the mode as blocked. In this instance, any content will be attempted to be fixed. For example:X-XSS-Protection: 1
IfXXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK
, will contain a value of 1 and will specify mode as blocked. The content will be replaced with "#". For example:X-XSS-Protection: 1; mode=block
- Parameters:
headerValue
- the new header value- Since:
- 5.8
-
disable
Disables X-XSS-Protection header (does not include it)- Returns:
- the
HeadersConfigurer
for additional configuration
-
and
Deprecated, for removal: This API element is subject to removal in a future version.For removal in 7.0. UseHeadersConfigurer.xssProtection(Customizer)
orxssProtection(Customizer.withDefaults())
to stick with defaults. See the documentation for more details.Allows completing configuration of X-XSS-Protection and continuing configuration of headers.- Returns:
- the
HeadersConfigurer
for additional configuration
-