Search in sources :

Example 1 with ContentSecurityPolicyMode

use of org.springframework.boot.autoconfigure.security.SecurityProperties.Headers.ContentSecurityPolicyMode in project spring-boot by spring-projects.

the class SpringBootWebSecurityConfiguration method configureHeaders.

public static void configureHeaders(HeadersConfigurer<?> configurer, SecurityProperties.Headers headers) throws Exception {
    if (headers.getHsts() != Headers.HSTS.NONE) {
        boolean includeSubDomains = headers.getHsts() == Headers.HSTS.ALL;
        HstsHeaderWriter writer = new HstsHeaderWriter(includeSubDomains);
        writer.setRequestMatcher(AnyRequestMatcher.INSTANCE);
        configurer.addHeaderWriter(writer);
    }
    if (!headers.isContentType()) {
        configurer.contentTypeOptions().disable();
    }
    if (StringUtils.hasText(headers.getContentSecurityPolicy())) {
        String policyDirectives = headers.getContentSecurityPolicy();
        ContentSecurityPolicyMode mode = headers.getContentSecurityPolicyMode();
        if (mode == ContentSecurityPolicyMode.DEFAULT) {
            configurer.contentSecurityPolicy(policyDirectives);
        } else {
            configurer.contentSecurityPolicy(policyDirectives).reportOnly();
        }
    }
    if (!headers.isXss()) {
        configurer.xssProtection().disable();
    }
    if (!headers.isCache()) {
        configurer.cacheControl().disable();
    }
    if (!headers.isFrame()) {
        configurer.frameOptions().disable();
    }
}
Also used : HstsHeaderWriter(org.springframework.security.web.header.writers.HstsHeaderWriter) ContentSecurityPolicyMode(org.springframework.boot.autoconfigure.security.SecurityProperties.Headers.ContentSecurityPolicyMode)

Aggregations

ContentSecurityPolicyMode (org.springframework.boot.autoconfigure.security.SecurityProperties.Headers.ContentSecurityPolicyMode)1 HstsHeaderWriter (org.springframework.security.web.header.writers.HstsHeaderWriter)1