Class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
- All Implemented Interfaces:
  - SecurityConfigurer<DefaultSecurityFilterChain, H>

Adds the Security HTTP headers to the response. Security HTTP headers are activated by default when using EnableWebSecurity's default constructor.

The default headers included are:
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 0
- Since:
  - 3.2

Nested Class Summary
Modifier and Type | Class | Description
- final class HeadersConfigurer<H>.CacheControlConfig
- final class HeadersConfigurer<H>.ContentSecurityPolicyConfig
- final class HeadersConfigurer<H>.ContentTypeOptionsConfig
- final class HeadersConfigurer<H>.CrossOriginEmbedderPolicyConfig
- final class HeadersConfigurer<H>.CrossOriginOpenerPolicyConfig
- final class HeadersConfigurer<H>.CrossOriginResourcePolicyConfig
- final class HeadersConfigurer<H>.FeaturePolicyConfig
- final class HeadersConfigurer<H>.FrameOptionsConfig
- final class HeadersConfigurer<H>.HpkpConfig - Deprecated. See Certificate and Public Key Pinning for more context.
- final class HeadersConfigurer<H>.HstsConfig
- final class HeadersConfigurer<H>.PermissionsPolicyConfig
- final class HeadersConfigurer<H>.ReferrerPolicyConfig
- final class HeadersConfigurer<H>.XXssConfig

Constructor Summary
- HeadersConfigurer() - Creates a new instance.

Method Summary
Modifier and Type | Method | Description
- HeadersConfigurer<H> addHeaderWriter(HeaderWriter headerWriter) - Adds a HeaderWriter instance.
- HeadersConfigurer<H>.CacheControlConfig cacheControl() - Deprecated, for removal in 7.0.
- HeadersConfigurer<H> cacheControl(Customizer<HeadersConfigurer<H>.CacheControlConfig> cacheControlCustomizer) - Allows customizing the CacheControlHeadersWriter.
- void configure(H http) - Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
- HeadersConfigurer<H>.ContentSecurityPolicyConfig contentSecurityPolicy(String policyDirectives) - Deprecated, for removal in 7.0.
- HeadersConfigurer<H> contentSecurityPolicy(Customizer<HeadersConfigurer<H>.ContentSecurityPolicyConfig> contentSecurityCustomizer) - Allows configuration for Content Security Policy (CSP) Level 2.
- HeadersConfigurer<H>.ContentTypeOptionsConfig contentTypeOptions() - Deprecated, for removal in 7.0.
- HeadersConfigurer<H> contentTypeOptions(Customizer<HeadersConfigurer<H>.ContentTypeOptionsConfig> contentTypeOptionsCustomizer) - Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options header.
- HeadersConfigurer<H>.CrossOriginEmbedderPolicyConfig crossOriginEmbedderPolicy() - Deprecated, for removal in 7.0.
- HeadersConfigurer<H> crossOriginEmbedderPolicy(Customizer<HeadersConfigurer<H>.CrossOriginEmbedderPolicyConfig> crossOriginEmbedderPolicyCustomizer) - Allows configuration for the Cross-Origin-Embedder-Policy header.
- HeadersConfigurer<H>.CrossOriginOpenerPolicyConfig crossOriginOpenerPolicy() - Deprecated, for removal in 7.0.
- HeadersConfigurer<H> crossOriginOpenerPolicy(Customizer<HeadersConfigurer<H>.CrossOriginOpenerPolicyConfig> crossOriginOpenerPolicyCustomizer) - Allows configuration for the Cross-Origin-Opener-Policy header.
- HeadersConfigurer<H>.CrossOriginResourcePolicyConfig crossOriginResourcePolicy() - Deprecated, for removal in 7.0.
- HeadersConfigurer<H> crossOriginResourcePolicy(Customizer<HeadersConfigurer<H>.CrossOriginResourcePolicyConfig> crossOriginResourcePolicyCustomizer) - Allows configuration for the Cross-Origin-Resource-Policy header.
- HeadersConfigurer<H> defaultsDisabled() - Clears all of the default headers from the response.
- HeadersConfigurer<H>.FeaturePolicyConfig featurePolicy(String policyDirectives) - Deprecated. For removal in 7.0.
- HeadersConfigurer<H>.FrameOptionsConfig frameOptions() - Deprecated, for removal in 7.0.
- HeadersConfigurer<H> frameOptions(Customizer<HeadersConfigurer<H>.FrameOptionsConfig> frameOptionsCustomizer) - Allows customizing the XFrameOptionsHeaderWriter.
- HeadersConfigurer<H>.HpkpConfig httpPublicKeyPinning() - Deprecated. See Certificate and Public Key Pinning for more context.
- HeadersConfigurer<H> httpPublicKeyPinning(Customizer<HeadersConfigurer<H>.HpkpConfig> hpkpCustomizer) - Deprecated. See Certificate and Public Key Pinning for more context.
- HeadersConfigurer<H>.HstsConfig httpStrictTransportSecurity() - Deprecated, for removal in 7.0.
- HeadersConfigurer<H> httpStrictTransportSecurity(Customizer<HeadersConfigurer<H>.HstsConfig> hstsCustomizer) - Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).
- HeadersConfigurer<H>.PermissionsPolicyConfig permissionsPolicy() - Deprecated, for removal in 7.0.
- HeadersConfigurer<H>.PermissionsPolicyConfig permissionsPolicy(Customizer<HeadersConfigurer<H>.PermissionsPolicyConfig> permissionsPolicyCustomizer) - Allows configuration for Permissions Policy.
- HeadersConfigurer<H>.ReferrerPolicyConfig referrerPolicy() - Deprecated, for removal in 7.0.
- HeadersConfigurer<H>.ReferrerPolicyConfig referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy policy) - Deprecated, for removal in 7.0.
- HeadersConfigurer<H> referrerPolicy(Customizer<HeadersConfigurer<H>.ReferrerPolicyConfig> referrerPolicyCustomizer) - Allows configuration for Referrer Policy.
- HeadersConfigurer<H>.XXssConfig xssProtection() - Deprecated, for removal in 7.0.
- HeadersConfigurer<H> xssProtection(Customizer<HeadersConfigurer<H>.XXssConfig> xssCustomizer) - Note this is not comprehensive XSS protection!

Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer
disable, getSecurityContextHolderStrategy, withObjectPostProcessor

Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter
addObjectPostProcessor, and, getBuilder, init, postProcess, setBuilder

Constructor Details

HeadersConfigurer
public HeadersConfigurer()
Creates a new instance.

Method Details

addHeaderWriter
public HeadersConfigurer<H> addHeaderWriter(HeaderWriter headerWriter)
Adds a HeaderWriter instance.
- Parameters:
  - headerWriter - the HeaderWriter instance to add
- Returns:
  - the HeadersConfigurer for additional customizations

contentTypeOptions
@Deprecated(since="6.1", forRemoval=true) public HeadersConfigurer<H>.ContentTypeOptionsConfig contentTypeOptions()
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use contentTypeOptions(Customizer) or contentTypeOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options header:
X-Content-Type-Options: nosniff
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ContentTypeOptionsConfig for additional customizations

contentTypeOptions
public HeadersConfigurer<H> contentTypeOptions(Customizer<HeadersConfigurer<H>.ContentTypeOptionsConfig> contentTypeOptionsCustomizer)
Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options header:
X-Content-Type-Options: nosniff
- Parameters:
  - contentTypeOptionsCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ContentTypeOptionsConfig
- Returns:
  - the HeadersConfigurer for additional customizations

xssProtection
@Deprecated(since="6.1", forRemoval=true) public HeadersConfigurer<H>.XXssConfig xssProtection()
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use xssProtection(Customizer) or xssProtection(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Note this is not comprehensive XSS protection! Allows customizing the XXssProtectionHeaderWriter which adds the X-XSS-Protection header.
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.XXssConfig for additional customizations

xssProtection
public HeadersConfigurer<H> xssProtection(Customizer<HeadersConfigurer<H>.XXssConfig> xssCustomizer)
Note this is not comprehensive XSS protection! Allows customizing the XXssProtectionHeaderWriter which adds the X-XSS-Protection header.
- Parameters:
  - xssCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.XXssConfig
- Returns:
  - the HeadersConfigurer for additional customizations

cacheControl
@Deprecated(since="6.1", forRemoval=true) public HeadersConfigurer<H>.CacheControlConfig cacheControl()
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use cacheControl(Customizer) or cacheControl(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Allows customizing the CacheControlHeadersWriter. Specifically it adds the following headers:
- Cache-Control: no-cache, no-store, max-age=0, must-revalidate
- Pragma: no-cache
- Expires: 0
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.CacheControlConfig for additional customizations

cacheControl
public HeadersConfigurer<H> cacheControl(Customizer<HeadersConfigurer<H>.CacheControlConfig> cacheControlCustomizer)
Allows customizing the CacheControlHeadersWriter. Specifically it adds the following headers:
- Cache-Control: no-cache, no-store, max-age=0, must-revalidate
- Pragma: no-cache
- Expires: 0
- Parameters:
  - cacheControlCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.CacheControlConfig
- Returns:
  - the HeadersConfigurer for additional customizations

httpStrictTransportSecurity
@Deprecated(since="6.1", forRemoval=true) public HeadersConfigurer<H>.HstsConfig httpStrictTransportSecurity()
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use httpStrictTransportSecurity(Customizer) instead.
Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.HstsConfig for additional customizations

httpStrictTransportSecurity
public HeadersConfigurer<H> httpStrictTransportSecurity(Customizer<HeadersConfigurer<H>.HstsConfig> hstsCustomizer)
Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).
- Parameters:
  - hstsCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.HstsConfig
- Returns:
  - the HeadersConfigurer for additional customizations

frameOptions
@Deprecated(since="6.1", forRemoval=true) public HeadersConfigurer<H>.FrameOptionsConfig frameOptions()
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use frameOptions(Customizer) or frameOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Allows customizing the XFrameOptionsHeaderWriter.
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.FrameOptionsConfig for additional customizations

frameOptions
public HeadersConfigurer<H> frameOptions(Customizer<HeadersConfigurer<H>.FrameOptionsConfig> frameOptionsCustomizer)
Allows customizing the XFrameOptionsHeaderWriter.
- Parameters:
  - frameOptionsCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.FrameOptionsConfig
- Returns:
  - the HeadersConfigurer for additional customizations

httpPublicKeyPinning
@Deprecated public HeadersConfigurer<H>.HpkpConfig httpPublicKeyPinning()
Deprecated. See Certificate and Public Key Pinning for more context.
Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP).
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.HpkpConfig for additional customizations
- Since:
  - 4.1

httpPublicKeyPinning
@Deprecated public HeadersConfigurer<H> httpPublicKeyPinning(Customizer<HeadersConfigurer<H>.HpkpConfig> hpkpCustomizer)
Deprecated. See Certificate and Public Key Pinning for more context.
Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP).
- Parameters:
  - hpkpCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.HpkpConfig
- Returns:
  - the HeadersConfigurer for additional customizations

contentSecurityPolicy
@Deprecated(since="6.1", forRemoval=true) public HeadersConfigurer<H>.ContentSecurityPolicyConfig contentSecurityPolicy(String policyDirectives)
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use contentSecurityPolicy(Customizer) instead.
Allows configuration for Content Security Policy (CSP) Level 2.
Calling this method automatically enables (includes) the Content-Security-Policy header in the response using the supplied security policy directive(s).
Configuration is provided to the ContentSecurityPolicyHeaderWriter which supports the writing of the two headers as detailed in the W3C Candidate Recommendation:
- Content-Security-Policy
- Content-Security-Policy-Report-Only
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ContentSecurityPolicyConfig for additional configuration
- Throws:
  - IllegalArgumentException - if policyDirectives is null or empty
- Since:
  - 4.1

contentSecurityPolicy
public HeadersConfigurer<H> contentSecurityPolicy(Customizer<HeadersConfigurer<H>.ContentSecurityPolicyConfig> contentSecurityCustomizer)
Allows configuration for Content Security Policy (CSP) Level 2.
Calling this method automatically enables (includes) the Content-Security-Policy header in the response using the supplied security policy directive(s).
Configuration is provided to the ContentSecurityPolicyHeaderWriter which supports the writing of the two headers as detailed in the W3C Candidate Recommendation:
- Content-Security-Policy
- Content-Security-Policy-Report-Only
- Parameters:
  - contentSecurityCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ContentSecurityPolicyConfig
- Returns:
  - the HeadersConfigurer for additional customizations

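The following configuration is an added example, not code from this Javadoc or from the Spring Security project: it wires the non-deprecated Customizer variants of the methods documented on this page (the class defaults, contentSecurityPolicy, httpStrictTransportSecurity, frameOptions, referrerPolicy, xssProtection and the cross-origin policies) into one SecurityFilterChain. The class name, the CSP string and the /csp-report endpoint are assumptions made up for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.CrossOriginEmbedderPolicyHeaderWriter.CrossOriginEmbedderPolicy;
import org.springframework.security.web.header.writers.CrossOriginOpenerPolicyHeaderWriter.CrossOriginOpenerPolicy;
import org.springframework.security.web.header.writers.CrossOriginResourcePolicyHeaderWriter.CrossOriginResourcePolicy;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;
import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter.HeaderValue;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
public class HardenedHeadersConfig {

    // Constructed policy for this example. frame-ancestors 'none' is the CSP
    // counterpart of X-Frame-Options: DENY; /csp-report is a hypothetical endpoint.
    private static final String CSP =
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            + "base-uri 'self'; frame-ancestors 'none'; report-uri /csp-report";

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(withDefaults())
            .headers(headers -> headers
                // Cache-Control/Pragma/Expires and X-Content-Type-Options: nosniff
                // stay at the class defaults; withDefaults() just makes that explicit.
                .cacheControl(withDefaults())
                .contentTypeOptions(withDefaults())
                // CSP Level 2, written as Content-Security-Policy. Adding .reportOnly()
                // switches to Content-Security-Policy-Report-Only for a staged roll-out.
                .contentSecurityPolicy(csp -> csp.policyDirectives(CSP))
                // X-Frame-Options: DENY is already the default; sameOrigin() would relax it.
                .frameOptions(frame -> frame.deny())
                // Strict-Transport-Security: max-age=31536000 ; includeSubDomains, as in the
                // defaults. HstsHeaderWriter only emits the header on HTTPS requests.
                .httpStrictTransportSecurity(hsts -> hsts
                        .maxAgeInSeconds(31536000)
                        .includeSubDomains(true))
                // The default is Referrer-Policy: no-referrer; this variant still sends
                // the origin on cross-origin navigations.
                .referrerPolicy(ref -> ref.policy(ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN))
                // X-XSS-Protection: 0 (the default) keeps the legacy browser auditor off.
                .xssProtection(xss -> xss.headerValue(HeaderValue.DISABLED))
                // Cross-origin isolation headers (available since 5.7).
                .crossOriginOpenerPolicy(coop -> coop.policy(CrossOriginOpenerPolicy.SAME_ORIGIN))
                .crossOriginEmbedderPolicy(coep -> coep.policy(CrossOriginEmbedderPolicy.REQUIRE_CORP))
                .crossOriginResourcePolicy(corp -> corp.policy(CrossOriginResourcePolicy.SAME_ORIGIN))
                // permissionsPolicy(Customizer) returns PermissionsPolicyConfig rather than
                // HeadersConfigurer, so it has to be the last call in this chain.
                .permissionsPolicy(pp -> pp.policy("geolocation=(), camera=(), microphone=()"))
            );
        return http.build();
    }
}
```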
defaultsDisabled
public HeadersConfigurer<H> defaultsDisabled()
Clears all of the default headers from the response. After doing so, one can add headers back. For example, if you only want to use Spring Security's cache control you can use the following:
http.headers().defaultsDisabled().cacheControl();
- Returns:
  - the HeadersConfigurer for additional customization

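An added example (not from this Javadoc or the Spring Security project) of the defaultsDisabled() pattern combined with addHeaderWriter(HeaderWriter): a chain for public, cacheable content drops the default writers, adds back only nosniff, HSTS and a relaxed frame option, and registers two extra writers. The class name, the /public/** path prefix and the publicCacheControl() helper are assumptions made up for the example.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.HeaderWriter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
public class PublicContentHeadersConfig {

    // Hypothetical writer for this example. HeaderWriter has a single abstract
    // method, so a lambda suffices. It makes GET responses cacheable for five
    // minutes unless a controller already set Cache-Control; the default
    // CacheControlHeadersWriter (no-cache, no-store, ...) would forbid caching.
    static HeaderWriter publicCacheControl() {
        return (HttpServletRequest request, HttpServletResponse response) -> {
            if ("GET".equals(request.getMethod()) && !response.containsHeader("Cache-Control")) {
                response.setHeader("Cache-Control", "public, max-age=300");
            }
        };
    }

    @Bean
    SecurityFilterChain publicChain(HttpSecurity http) throws Exception {
        http
            // This chain only serves the public, cacheable part of the site.
            .securityMatcher("/public/**")
            .authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
            .headers(headers -> headers
                // Remove every default writer, then add back only what this chain needs.
                .defaultsDisabled()
                // Keep nosniff and HSTS; drop the default no-store cache control and
                // allow same-origin framing instead of DENY.
                .contentTypeOptions(withDefaults())
                .httpStrictTransportSecurity(hsts -> hsts.maxAgeInSeconds(31536000).includeSubDomains(true))
                .frameOptions(frame -> frame.sameOrigin())
                // Headers without a dedicated config go through addHeaderWriter.
                .addHeaderWriter(new StaticHeadersWriter("X-Permitted-Cross-Domain-Policies", "none"))
                .addHeaderWriter(publicCacheControl())
            );
        return http.build();
    }
}
```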
configure
public void configure(H http)
Description copied from interface: SecurityConfigurer
Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
- Specified by:
  - configure in interface SecurityConfigurer<DefaultSecurityFilterChain, H extends HttpSecurityBuilder<H>>
- Overrides:
  - configure in class SecurityConfigurerAdapter<DefaultSecurityFilterChain, H extends HttpSecurityBuilder<H>>

referrerPolicy
@Deprecated(since="6.1", forRemoval=true) public HeadersConfigurer<H>.ReferrerPolicyConfig referrerPolicy()
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use referrerPolicy(Customizer) or referrerPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Allows configuration for Referrer Policy.
Configuration is provided to the ReferrerPolicyHeaderWriter which supports the writing of the header as detailed in the W3C Technical Report:
- Referrer-Policy
Default value is:
Referrer-Policy: no-referrer
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ReferrerPolicyConfig for additional configuration
- Since:
  - 4.2

referrerPolicy
@Deprecated(since="6.1", forRemoval=true) public HeadersConfigurer<H>.ReferrerPolicyConfig referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy policy)
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use referrerPolicy(Customizer) or referrerPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Allows configuration for Referrer Policy.
Configuration is provided to the ReferrerPolicyHeaderWriter which supports the writing of the header as detailed in the W3C Technical Report:
- Referrer-Policy
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ReferrerPolicyConfig for additional configuration
- Throws:
  - IllegalArgumentException - if policy is null or empty
- Since:
  - 4.2

referrerPolicy
public HeadersConfigurer<H> referrerPolicy(Customizer<HeadersConfigurer<H>.ReferrerPolicyConfig> referrerPolicyCustomizer)
Allows configuration for Referrer Policy.
Configuration is provided to the ReferrerPolicyHeaderWriter which supports the writing of the header as detailed in the W3C Technical Report:
- Referrer-Policy
- Parameters:
  - referrerPolicyCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ReferrerPolicyConfig
- Returns:
  - the HeadersConfigurer for additional customizations

featurePolicy
@Deprecated public HeadersConfigurer<H>.FeaturePolicyConfig featurePolicy(String policyDirectives)
Deprecated. For removal in 7.0. Use permissionsPolicy(Customizer) or permissionsPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Allows configuration for Feature Policy. Calling this method automatically enables (includes) the Feature-Policy header in the response using the supplied policy directive(s). Configuration is provided to the FeaturePolicyHeaderWriter which is responsible for writing the header.
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.FeaturePolicyConfig for additional configuration
- Throws:
  - IllegalArgumentException - if policyDirectives is null or empty
- Since:
  - 5.1

permissionsPolicy
@Deprecated(since="6.1", forRemoval=true) public HeadersConfigurer<H>.PermissionsPolicyConfig permissionsPolicy()
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use permissionsPolicy(Customizer) or permissionsPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.
Allows configuration for Permissions Policy.
Configuration is provided to the PermissionsPolicyHeaderWriter which supports the writing of the header as detailed in the W3C Technical Report:
- Permissions-Policy
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.PermissionsPolicyConfig for additional configuration
- Since:
  - 5.5

permissionsPolicy
public HeadersConfigurer<H>.PermissionsPolicyConfig permissionsPolicy(Customizer<HeadersConfigurer<H>.PermissionsPolicyConfig> permissionsPolicyCustomizer)
Allows configuration for Permissions Policy. Calling this method automatically enables (includes) the Permissions-Policy header in the response using the supplied policy directive(s). Configuration is provided to the PermissionsPolicyHeaderWriter which is responsible for writing the header.
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.PermissionsPolicyConfig for additional configuration
- Throws:
  - IllegalArgumentException - if policyDirectives is null or empty
- Since:
  - 5.5

crossOriginOpenerPolicy
@Deprecated(since="6.1", forRemoval=true) public HeadersConfigurer<H>.CrossOriginOpenerPolicyConfig crossOriginOpenerPolicy()
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use crossOriginOpenerPolicy(Customizer) instead.
Allows configuration for the Cross-Origin-Opener-Policy header. Configuration is provided to the CrossOriginOpenerPolicyHeaderWriter which is responsible for writing the header.
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.CrossOriginOpenerPolicyConfig for additional configuration
- Since:
  - 5.7

crossOriginOpenerPolicy
public HeadersConfigurer<H> crossOriginOpenerPolicy(Customizer<HeadersConfigurer<H>.CrossOriginOpenerPolicyConfig> crossOriginOpenerPolicyCustomizer)
Allows configuration for the Cross-Origin-Opener-Policy header. Calling this method automatically enables (includes) the Cross-Origin-Opener-Policy header in the response using the supplied policy. Configuration is provided to the CrossOriginOpenerPolicyHeaderWriter which is responsible for writing the header.
- Returns:
  - the HeadersConfigurer for additional customizations
- Since:
  - 5.7

crossOriginEmbedderPolicy
@Deprecated(since="6.1", forRemoval=true) public HeadersConfigurer<H>.CrossOriginEmbedderPolicyConfig crossOriginEmbedderPolicy()
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use crossOriginEmbedderPolicy(Customizer) instead.
Allows configuration for the Cross-Origin-Embedder-Policy header. Configuration is provided to the CrossOriginEmbedderPolicyHeaderWriter which is responsible for writing the header.
- Returns:
  - the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.CrossOriginEmbedderPolicyConfig for additional customizations
- Since:
  - 5.7

crossOriginEmbedderPolicy
public HeadersConfigurer<H> crossOriginEmbedderPolicy(Customizer<HeadersConfigurer<H>.CrossOriginEmbedderPolicyConfig> crossOriginEmbedderPolicyCustomizer)
Allows configuration for the Cross-Origin-Embedder-Policy header. Calling this method automatically enables (includes) the Cross-Origin-Embedder-Policy header in the response using the supplied policy. Configuration is provided to the CrossOriginEmbedderPolicyHeaderWriter which is responsible for writing the header.
- Returns:
  - the HeadersConfigurer for additional customizations
- Since:
  - 5.7

crossOriginResourcePolicy
@Deprecated(since="6.1", forRemoval=true) public HeadersConfigurer<H>.CrossOriginResourcePolicyConfig crossOriginResourcePolicy()
Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0. Use crossOriginResourcePolicy(Customizer) instead.
Allows configuration for the Cross-Origin-Resource-Policy header. Configuration is provided to the CrossOriginResourcePolicyHeaderWriter which is responsible for writing the header.
- Returns:
  - the HeadersConfigurer for additional customizations
- Since:
  - 5.7

crossOriginResourcePolicy
public HeadersConfigurer<H> crossOriginResourcePolicy(Customizer<HeadersConfigurer<H>.CrossOriginResourcePolicyConfig> crossOriginResourcePolicyCustomizer)
Allows configuration for the Cross-Origin-Resource-Policy header. Calling this method automatically enables (includes) the Cross-Origin-Resource-Policy header in the response using the supplied policy. Configuration is provided to the CrossOriginResourcePolicyHeaderWriter which is responsible for writing the header.
- Returns:
  - the HeadersConfigurer for additional customizations
- Since:
  - 5.7