Package org.springframework.security.config.annotation.web.configurers

Class HeadersConfigurer<H extends HttpSecurityBuilder<H>>

java.lang.Object

org.springframework.security.config.annotation.SecurityConfigurerAdapter<DefaultSecurityFilterChain,B>

org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<HeadersConfigurer<H>,H>

org.springframework.security.config.annotation.web.configurers.HeadersConfigurer<H>

All Implemented Interfaces:

SecurityConfigurer<DefaultSecurityFilterChain,H>

public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
extends AbstractHttpConfigurer<HeadersConfigurer<H>,H>

Adds the Security HTTP headers to the response. Security HTTP headers is activated by default when using EnableWebSecurity's default constructor.

The default headers include are:

 Cache-Control: no-cache, no-store, max-age=0, must-revalidate
 Pragma: no-cache
 Expires: 0
 X-Content-Type-Options: nosniff
 Strict-Transport-Security: max-age=31536000 ; includeSubDomains
 X-Frame-Options: DENY
 X-XSS-Protection: 0
 

Since:

3.2

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
final class	HeadersConfigurer.CacheControlConfig
final class	HeadersConfigurer.ContentSecurityPolicyConfig
final class	HeadersConfigurer.ContentTypeOptionsConfig
final class	HeadersConfigurer.CrossOriginEmbedderPolicyConfig
final class	HeadersConfigurer.CrossOriginOpenerPolicyConfig
final class	HeadersConfigurer.CrossOriginResourcePolicyConfig
final class	HeadersConfigurer.FeaturePolicyConfig
final class	HeadersConfigurer.FrameOptionsConfig
final class	HeadersConfigurer.HpkpConfig	Deprecated. see Certificate and Public Key Pinning for more context
final class	HeadersConfigurer.HstsConfig
final class	HeadersConfigurer.PermissionsPolicyConfig
final class	HeadersConfigurer.ReferrerPolicyConfig
final class	HeadersConfigurer.XXssConfig

Constructor Summary

Constructors

Constructor	Description
HeadersConfigurer()	Creates a new instance

Method Summary

Modifier and Type	Method	Description
HeadersConfigurer<H>	addHeaderWriter(HeaderWriter headerWriter)	Adds a HeaderWriter instance
HeadersConfigurer<H>.CacheControlConfig	cacheControl()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
HeadersConfigurer<H>	cacheControl(Customizer<HeadersConfigurer<H>.CacheControlConfig> cacheControlCustomizer)	Allows customizing the CacheControlHeadersWriter.
void	configure(H http)	Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
HeadersConfigurer<H>.ContentSecurityPolicyConfig	contentSecurityPolicy(String policyDirectives)	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
HeadersConfigurer<H>	contentSecurityPolicy(Customizer<HeadersConfigurer<H>.ContentSecurityPolicyConfig> contentSecurityCustomizer)	Allows configuration for Content Security Policy (CSP) Level 2.
HeadersConfigurer<H>.ContentTypeOptionsConfig	contentTypeOptions()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
HeadersConfigurer<H>	contentTypeOptions(Customizer<HeadersConfigurer<H>.ContentTypeOptionsConfig> contentTypeOptionsCustomizer)	Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options:
HeadersConfigurer<H>.CrossOriginEmbedderPolicyConfig	crossOriginEmbedderPolicy()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
HeadersConfigurer<H>	crossOriginEmbedderPolicy(Customizer<HeadersConfigurer<H>.CrossOriginEmbedderPolicyConfig> crossOriginEmbedderPolicyCustomizer)	Allows configuration for Cross-Origin-Embedder-Policy header.
HeadersConfigurer<H>.CrossOriginOpenerPolicyConfig	crossOriginOpenerPolicy()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
HeadersConfigurer<H>	crossOriginOpenerPolicy(Customizer<HeadersConfigurer<H>.CrossOriginOpenerPolicyConfig> crossOriginOpenerPolicyCustomizer)	Allows configuration for Cross-Origin-Opener-Policy header.
HeadersConfigurer<H>.CrossOriginResourcePolicyConfig	crossOriginResourcePolicy()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
HeadersConfigurer<H>	crossOriginResourcePolicy(Customizer<HeadersConfigurer<H>.CrossOriginResourcePolicyConfig> crossOriginResourcePolicyCustomizer)	Allows configuration for Cross-Origin-Resource-Policy header.
HeadersConfigurer<H>	defaultsDisabled()	Clears all of the default headers from the response.
HeadersConfigurer<H>.FeaturePolicyConfig	featurePolicy(String policyDirectives)	Deprecated. For removal in 7.0.
HeadersConfigurer<H>.FrameOptionsConfig	frameOptions()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
HeadersConfigurer<H>	frameOptions(Customizer<HeadersConfigurer<H>.FrameOptionsConfig> frameOptionsCustomizer)	Allows customizing the XFrameOptionsHeaderWriter.
HeadersConfigurer<H>.HpkpConfig	httpPublicKeyPinning()	Deprecated. see Certificate and Public Key Pinning for more context
HeadersConfigurer<H>	httpPublicKeyPinning(Customizer<HeadersConfigurer<H>.HpkpConfig> hpkpCustomizer)	Deprecated. see Certificate and Public Key Pinning for more context
HeadersConfigurer<H>.HstsConfig	httpStrictTransportSecurity()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
HeadersConfigurer<H>	httpStrictTransportSecurity(Customizer<HeadersConfigurer<H>.HstsConfig> hstsCustomizer)	Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).
HeadersConfigurer<H>.PermissionsPolicyConfig	permissionsPolicy()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
HeadersConfigurer<H>.PermissionsPolicyConfig	permissionsPolicy(Customizer<HeadersConfigurer<H>.PermissionsPolicyConfig> permissionsPolicyCustomizer)	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
HeadersConfigurer<H>	permissionsPolicyHeader(Customizer<HeadersConfigurer<H>.PermissionsPolicyConfig> permissionsPolicyCustomizer)	Allows configuration for Permissions Policy.
HeadersConfigurer<H>.ReferrerPolicyConfig	referrerPolicy()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
HeadersConfigurer<H>	referrerPolicy(Customizer<HeadersConfigurer<H>.ReferrerPolicyConfig> referrerPolicyCustomizer)	Allows configuration for Referrer Policy.
HeadersConfigurer<H>.ReferrerPolicyConfig	referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy policy)	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
HeadersConfigurer<H>.XXssConfig	xssProtection()	Deprecated, for removal: This API element is subject to removal in a future version. For removal in 7.0.
HeadersConfigurer<H>	xssProtection(Customizer<HeadersConfigurer<H>.XXssConfig> xssCustomizer)	Note this is not comprehensive XSS protection!

Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer

disable, getSecurityContextHolderStrategy, withObjectPostProcessor, withObjectPostProcessor

Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter

addObjectPostProcessor, addObjectPostProcessor, and, getBuilder, init, postProcess, setBuilder

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

HeadersConfigurer

public HeadersConfigurer()

Creates a new instance

See Also:

• HttpSecurity.headers()

Method Details

addHeaderWriter

public HeadersConfigurer<H> addHeaderWriter(HeaderWriter headerWriter)

Adds a HeaderWriter instance

Parameters:

headerWriter - the HeaderWriter instance to add

Returns:

the HeadersConfigurer for additional customizations

contentTypeOptions

@Deprecated(since="6.1",
            forRemoval=true)
public HeadersConfigurer<H>.ContentTypeOptionsConfig contentTypeOptions()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use contentTypeOptions(Customizer) or contentTypeOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.

Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options:

 X-Content-Type-Options: nosniff
 

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ContentTypeOptionsConfig for additional customizations

contentTypeOptions

public HeadersConfigurer<H> contentTypeOptions(Customizer<HeadersConfigurer<H>.ContentTypeOptionsConfig> contentTypeOptionsCustomizer)

Configures the XContentTypeOptionsHeaderWriter which inserts the X-Content-Type-Options:

 X-Content-Type-Options: nosniff
 

Parameters:

contentTypeOptionsCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ContentTypeOptionsConfig

Returns:

the HeadersConfigurer for additional customizations

xssProtection

@Deprecated(since="6.1",
            forRemoval=true)
public HeadersConfigurer<H>.XXssConfig xssProtection()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use xssProtection(Customizer) or xssProtection(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.

Note this is not comprehensive XSS protection!

Allows customizing the XXssProtectionHeaderWriter which adds the X-XSS-Protection header

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.XXssConfig for additional customizations

xssProtection

public HeadersConfigurer<H> xssProtection(Customizer<HeadersConfigurer<H>.XXssConfig> xssCustomizer)

Note this is not comprehensive XSS protection!

Allows customizing the XXssProtectionHeaderWriter which adds the X-XSS-Protection header

Parameters:

xssCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.XXssConfig

Returns:

the HeadersConfigurer for additional customizations

cacheControl

@Deprecated(since="6.1",
            forRemoval=true)
public HeadersConfigurer<H>.CacheControlConfig cacheControl()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use cacheControl(Customizer) or cacheControl(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.

Allows customizing the CacheControlHeadersWriter. Specifically it adds the following headers:

• Cache-Control: no-cache, no-store, max-age=0, must-revalidate
• Pragma: no-cache
• Expires: 0

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.CacheControlConfig for additional customizations

cacheControl

public HeadersConfigurer<H> cacheControl(Customizer<HeadersConfigurer<H>.CacheControlConfig> cacheControlCustomizer)

Allows customizing the CacheControlHeadersWriter. Specifically it adds the following headers:

• Cache-Control: no-cache, no-store, max-age=0, must-revalidate
• Pragma: no-cache
• Expires: 0

Parameters:

cacheControlCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.CacheControlConfig

Returns:

the HeadersConfigurer for additional customizations

httpStrictTransportSecurity

@Deprecated(since="6.1",
            forRemoval=true)
public HeadersConfigurer<H>.HstsConfig httpStrictTransportSecurity()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use httpStrictTransportSecurity(Customizer) instead

Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.HstsConfig for additional customizations

httpStrictTransportSecurity

public HeadersConfigurer<H> httpStrictTransportSecurity(Customizer<HeadersConfigurer<H>.HstsConfig> hstsCustomizer)

Allows customizing the HstsHeaderWriter which provides support for HTTP Strict Transport Security (HSTS).

Parameters:

hstsCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.HstsConfig

Returns:

the HeadersConfigurer for additional customizations

frameOptions

@Deprecated(since="6.1",
            forRemoval=true)
public HeadersConfigurer<H>.FrameOptionsConfig frameOptions()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use frameOptions(Customizer) or frameOptions(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.

Allows customizing the XFrameOptionsHeaderWriter.

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.FrameOptionsConfig for additional customizations

frameOptions

public HeadersConfigurer<H> frameOptions(Customizer<HeadersConfigurer<H>.FrameOptionsConfig> frameOptionsCustomizer)

Allows customizing the XFrameOptionsHeaderWriter.

Parameters:

frameOptionsCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.FrameOptionsConfig

Returns:

the HeadersConfigurer for additional customizations

httpPublicKeyPinning

@Deprecated
public HeadersConfigurer<H>.HpkpConfig httpPublicKeyPinning()

Deprecated.

see Certificate and Public Key Pinning for more context

Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP).

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.HpkpConfig for additional customizations

Since:

4.1

httpPublicKeyPinning

@Deprecated
public HeadersConfigurer<H> httpPublicKeyPinning(Customizer<HeadersConfigurer<H>.HpkpConfig> hpkpCustomizer)

Deprecated.

see Certificate and Public Key Pinning for more context

Allows customizing the HpkpHeaderWriter which provides support for HTTP Public Key Pinning (HPKP).

Parameters:

hpkpCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.HpkpConfig

Returns:

the HeadersConfigurer for additional customizations

contentSecurityPolicy

@Deprecated(since="6.1",
            forRemoval=true)
public HeadersConfigurer<H>.ContentSecurityPolicyConfig contentSecurityPolicy(String policyDirectives)

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use contentSecurityPolicy(Customizer) instead

Allows configuration for Content Security Policy (CSP) Level 2.

Calling this method automatically enables (includes) the Content-Security-Policy header in the response using the supplied security policy directive(s).

Configuration is provided to the ContentSecurityPolicyHeaderWriter which supports the writing of the two headers as detailed in the W3C Candidate Recommendation:

• Content-Security-Policy
• Content-Security-Policy-Report-Only

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ContentSecurityPolicyConfig for additional configuration

Throws:

IllegalArgumentException - if policyDirectives is null or empty

Since:

4.1

See Also:

• ContentSecurityPolicyHeaderWriter

contentSecurityPolicy

public HeadersConfigurer<H> contentSecurityPolicy(Customizer<HeadersConfigurer<H>.ContentSecurityPolicyConfig> contentSecurityCustomizer)

Allows configuration for Content Security Policy (CSP) Level 2.

Calling this method automatically enables (includes) the Content-Security-Policy header in the response using the supplied security policy directive(s).

Configuration is provided to the ContentSecurityPolicyHeaderWriter which supports the writing of the two headers as detailed in the W3C Candidate Recommendation:

• Content-Security-Policy
• Content-Security-Policy-Report-Only

Parameters:

contentSecurityCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ContentSecurityPolicyConfig

Returns:

the HeadersConfigurer for additional customizations

See Also:

• ContentSecurityPolicyHeaderWriter

defaultsDisabled

public HeadersConfigurer<H> defaultsDisabled()

Clears all of the default headers from the response. After doing so, one can add headers back. For example, if you only want to use Spring Security's cache control you can use the following:

 http.headers().defaultsDisabled().cacheControl();
 

Returns:

the HeadersConfigurer for additional customization

configure

public void configure(H http)

Description copied from interface: SecurityConfigurer

Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.

Specified by:

configure in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

Overrides:

configure in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

referrerPolicy

@Deprecated(since="6.1",
            forRemoval=true)
public HeadersConfigurer<H>.ReferrerPolicyConfig referrerPolicy()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use referrerPolicy(Customizer) or referrerPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.

Allows configuration for Referrer Policy.

Configuration is provided to the ReferrerPolicyHeaderWriter which support the writing of the header as detailed in the W3C Technical Report:

• Referrer-Policy

Default value is:

 Referrer-Policy: no-referrer
 

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ReferrerPolicyConfig for additional configuration

Since:

4.2

See Also:

• ReferrerPolicyHeaderWriter

referrerPolicy

@Deprecated(since="6.1",
            forRemoval=true)
public HeadersConfigurer<H>.ReferrerPolicyConfig referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy policy)

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use referrerPolicy(Customizer) or referrerPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.

Allows configuration for Referrer Policy.

Configuration is provided to the ReferrerPolicyHeaderWriter which support the writing of the header as detailed in the W3C Technical Report:

• Referrer-Policy

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ReferrerPolicyConfig for additional configuration

Throws:

IllegalArgumentException - if policy is null or empty

Since:

4.2

See Also:

• ReferrerPolicyHeaderWriter

referrerPolicy

public HeadersConfigurer<H> referrerPolicy(Customizer<HeadersConfigurer<H>.ReferrerPolicyConfig> referrerPolicyCustomizer)

Allows configuration for Referrer Policy.

Configuration is provided to the ReferrerPolicyHeaderWriter which support the writing of the header as detailed in the W3C Technical Report:

• Referrer-Policy

Parameters:

referrerPolicyCustomizer - the Customizer to provide more options for the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.ReferrerPolicyConfig

Returns:

the HeadersConfigurer for additional customizations

See Also:

• ReferrerPolicyHeaderWriter

featurePolicy

@Deprecated
public HeadersConfigurer<H>.FeaturePolicyConfig featurePolicy(String policyDirectives)

Deprecated.

For removal in 7.0. Use permissionsPolicy(Customizer) or permissionsPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.

Allows configuration for Feature Policy.

Calling this method automatically enables (includes) the Feature-Policy header in the response using the supplied policy directive(s).

Configuration is provided to the FeaturePolicyHeaderWriter which is responsible for writing the header.

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.FeaturePolicyConfig for additional configuration

Throws:

IllegalArgumentException - if policyDirectives is null or empty

Since:

5.1

See Also:

• FeaturePolicyHeaderWriter

permissionsPolicy

@Deprecated(since="6.1",
            forRemoval=true)
public HeadersConfigurer<H>.PermissionsPolicyConfig permissionsPolicy()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use permissionsPolicyHeader(Customizer) or permissionsPolicy(Customizer.withDefaults()) to stick with defaults. See the documentation for more details.

Allows configuration for Permissions Policy.

Configuration is provided to the PermissionsPolicyHeaderWriter which support the writing of the header as detailed in the W3C Technical Report:

• Permissions-Policy

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.PermissionsPolicyConfig for additional configuration

Since:

5.5

See Also:

• PermissionsPolicyHeaderWriter

permissionsPolicy

@Deprecated(since="6.4",
            forRemoval=true)
public HeadersConfigurer<H>.PermissionsPolicyConfig permissionsPolicy(Customizer<HeadersConfigurer<H>.PermissionsPolicyConfig> permissionsPolicyCustomizer)

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use permissionsPolicyHeader(Customizer) instead

Allows configuration for Permissions Policy.

Calling this method automatically enables (includes) the Permissions-Policy header in the response using the supplied policy directive(s).

Configuration is provided to the PermissionsPolicyHeaderWriter which is responsible for writing the header.

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.PermissionsPolicyConfig for additional configuration

Throws:

IllegalArgumentException - if policyDirectives is null or empty

Since:

5.5

See Also:

• PermissionsPolicyHeaderWriter

permissionsPolicyHeader

public HeadersConfigurer<H> permissionsPolicyHeader(Customizer<HeadersConfigurer<H>.PermissionsPolicyConfig> permissionsPolicyCustomizer)

Allows configuration for Permissions Policy.

Calling this method automatically enables (includes) the Permissions-Policy header in the response using the supplied policy directive(s).

Configuration is provided to the PermissionsPolicyHeaderWriter which is responsible for writing the header.

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.PermissionsPolicyConfig for additional configuration

Throws:

IllegalArgumentException - if policyDirectives is null or empty

Since:

6.4

See Also:

• PermissionsPolicyHeaderWriter

crossOriginOpenerPolicy

@Deprecated(since="6.1",
            forRemoval=true)
public HeadersConfigurer<H>.CrossOriginOpenerPolicyConfig crossOriginOpenerPolicy()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use crossOriginOpenerPolicy(Customizer) instead

Allows configuration for Cross-Origin-Opener-Policy header.

Configuration is provided to the CrossOriginOpenerPolicyHeaderWriter which responsible for writing the header.

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.CrossOriginOpenerPolicyConfig for additional confniguration

Since:

5.7

See Also:

• CrossOriginOpenerPolicyHeaderWriter

crossOriginOpenerPolicy

public HeadersConfigurer<H> crossOriginOpenerPolicy(Customizer<HeadersConfigurer<H>.CrossOriginOpenerPolicyConfig> crossOriginOpenerPolicyCustomizer)

Allows configuration for Cross-Origin-Opener-Policy header.

Calling this method automatically enables (includes) the Cross-Origin-Opener-Policy header in the response using the supplied policy.

Configuration is provided to the CrossOriginOpenerPolicyHeaderWriter which responsible for writing the header.

Returns:

the HeadersConfigurer for additional customizations

Since:

5.7

See Also:

• CrossOriginOpenerPolicyHeaderWriter

crossOriginEmbedderPolicy

@Deprecated(since="6.1",
            forRemoval=true)
public HeadersConfigurer<H>.CrossOriginEmbedderPolicyConfig crossOriginEmbedderPolicy()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use crossOriginEmbedderPolicy(Customizer) instead

Allows configuration for Cross-Origin-Embedder-Policy header.

Configuration is provided to the CrossOriginEmbedderPolicyHeaderWriter which is responsible for writing the header.

Returns:

the HeadersConfigurer<H extends HttpSecurityBuilder<H>>.CrossOriginEmbedderPolicyConfig for additional customizations

Since:

5.7

See Also:

• CrossOriginEmbedderPolicyHeaderWriter

crossOriginEmbedderPolicy

public HeadersConfigurer<H> crossOriginEmbedderPolicy(Customizer<HeadersConfigurer<H>.CrossOriginEmbedderPolicyConfig> crossOriginEmbedderPolicyCustomizer)

Allows configuration for Cross-Origin-Embedder-Policy header.

Calling this method automatically enables (includes) the Cross-Origin-Embedder-Policy header in the response using the supplied policy.

Configuration is provided to the CrossOriginEmbedderPolicyHeaderWriter which is responsible for writing the header.

Returns:

the HeadersConfigurer for additional customizations

Since:

5.7

See Also:

• CrossOriginEmbedderPolicyHeaderWriter

crossOriginResourcePolicy

@Deprecated(since="6.1",
            forRemoval=true)
public HeadersConfigurer<H>.CrossOriginResourcePolicyConfig crossOriginResourcePolicy()

Deprecated, for removal: This API element is subject to removal in a future version.

For removal in 7.0. Use crossOriginResourcePolicy(Customizer) instead

Allows configuration for Cross-Origin-Resource-Policy header.

Configuration is provided to the CrossOriginResourcePolicyHeaderWriter which is responsible for writing the header:

Returns:

the HeadersConfigurer for additional customizations

Since:

5.7

See Also:

• CrossOriginResourcePolicyHeaderWriter

crossOriginResourcePolicy

public HeadersConfigurer<H> crossOriginResourcePolicy(Customizer<HeadersConfigurer<H>.CrossOriginResourcePolicyConfig> crossOriginResourcePolicyCustomizer)

Allows configuration for Cross-Origin-Resource-Policy header.

Calling this method automatically enables (includes) the Cross-Origin-Resource-Policy header in the response using the supplied policy.

Configuration is provided to the CrossOriginResourcePolicyHeaderWriter which is responsible for writing the header:

Returns:

the HeadersConfigurer for additional customizations

Since:

5.7

See Also:

• CrossOriginResourcePolicyHeaderWriter