Example 6 with HstsHeaderWriter

Use of org.springframework.security.web.header.writers.HstsHeaderWriter in the project spring-boot by spring-projects.

From the class SpringBootWebSecurityConfiguration, method configureHeaders.

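public static void configureHeaders(HeadersConfigurer<?> configurer, SecurityProperties.Headers headers) throws Exception {
    // HSTS: emit Strict-Transport-Security unless explicitly set to NONE.
    if (headers.getHsts() != Headers.HSTS.NONE) {
        // HSTS.ALL adds the includeSubDomains directive.
        boolean includeSubDomains = headers.getHsts() == Headers.HSTS.ALL;
        HstsHeaderWriter writer = new HstsHeaderWriter(includeSubDomains);
        // HstsHeaderWriter matches only secure requests by default;
        // AnyRequestMatcher makes it write the header on every request.
        writer.setRequestMatcher(AnyRequestMatcher.INSTANCE);
        configurer.addHeaderWriter(writer);
    }
    // X-Content-Type-Options is on by default; disable only if configured off.
    if (!headers.isContentType()) {
        configurer.contentTypeOptions().disable();
    }
    // Content-Security-Policy is written only when a policy string is configured.
    if (StringUtils.hasText(headers.getContentSecurityPolicy())) {
        String policyDirectives = headers.getContentSecurityPolicy();
        ContentSecurityPolicyMode mode = headers.getContentSecurityPolicyMode();
        if (mode == ContentSecurityPolicyMode.DEFAULT) {
            // Enforcing mode.
            configurer.contentSecurityPolicy(policyDirectives);
        } else {
            // Report-only mode: violations are reported but not blocked.
            configurer.contentSecurityPolicy(policyDirectives).reportOnly();
        }
    }
    // The remaining default headers are disabled only when configured off.
    if (!headers.isXss()) {
        configurer.xssProtection().disable();
    }
    if (!headers.isCache()) {
        configurer.cacheControl().disable();
    }
    if (!headers.isFrame()) {
        configurer.frameOptions().disable();
    }
}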
Also used: HstsHeaderWriter (org.springframework.security.web.header.writers.HstsHeaderWriter), ContentSecurityPolicyMode (org.springframework.boot.autoconfigure.security.SecurityProperties.Headers.ContentSecurityPolicyMode)

Aggregations

HstsHeaderWriter (org.springframework.security.web.header.writers.HstsHeaderWriter): 6
Test (org.junit.Test): 4
Before (org.junit.Before): 1
ContentSecurityPolicyMode (org.springframework.boot.autoconfigure.security.SecurityProperties.Headers.ContentSecurityPolicyMode): 1
MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest): 1
MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse): 1