Security headers are HTTP response headers that enhance application security; they include CSP, HSTS, X-Frame-Options, and more.
Interface for writing security headers to HTTP responses.
package org.springframework.security.web.header;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
/**
 * Contract for a component that adds security-related headers to an HTTP response.
 * The writers on this page (CSP, HSTS, X-Frame-Options, ...) implement it and are
 * collected in a list for {@link HeaderWriterFilter}; the request is passed so an
 * implementation can decide per request whether, and what, to write.
 */
public interface HeaderWriter {
/**
 * Writes headers to the HTTP response.
 * <p>
 * NOTE(review): headers only take effect if this runs before the response is
 * committed; see the eager-write option on {@code HeaderWriterFilter}.
 *
 * @param request the HTTP request
 * @param response the HTTP response
 */
void writeHeaders(HttpServletRequest request, HttpServletResponse response);
}Filter that adds security headers to the response.
package org.springframework.security.web.header;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import java.io.IOException;
import java.util.List;
import org.springframework.web.filter.OncePerRequestFilter;
/**
 * Servlet filter that applies a configured list of {@link HeaderWriter}s to the
 * response; it extends {@code OncePerRequestFilter}, so it is meant to run once per
 * request even when the request is dispatched more than once.
 */
public class HeaderWriterFilter extends OncePerRequestFilter {
/**
 * Creates a filter with the given header writers.
 *
 * @param headerWriters the list of HeaderWriter instances
 */
public HeaderWriterFilter(List<HeaderWriter> headerWriters);
/**
 * Invokes the configured writers for this request and continues the filter chain.
 * The body is not shown here; whether the writers run before the chain (eagerly)
 * or later is governed by {@link #setShouldWriteHeadersEagerly(boolean)}.
 *
 * @param request the incoming request
 * @param response the response the headers are added to
 * @param filterChain the remaining chain to invoke
 * @throws ServletException propagated from the chain
 * @throws IOException propagated from the chain
 */
protected void doFilterInternal(ServletRequest request, ServletResponse response,
FilterChain filterChain)
throws ServletException, IOException;
/**
 * Sets whether to write headers eagerly before content (default: false).
 * <p>
 * NOTE(review): with the default, the writers presumably run only when the
 * response is about to be committed, i.e. after downstream handlers have executed —
 * confirm before relying on a writer having run during request handling (for
 * example a writer that stores a per-request CSP nonce as a request attribute).
 */
public void setShouldWriteHeadersEagerly(boolean shouldWriteHeadersEagerly);
}Writes cache control headers to prevent caching of secure content.
package org.springframework.security.web.header.writers;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.web.header.HeaderWriter;
/**
 * Writes cache-control related headers intended to stop browsers and intermediaries
 * from storing responses that may carry sensitive content. The exact header names and
 * values are not visible on this page.
 */
public class CacheControlHeadersWriter implements HeaderWriter {
/** Creates a writer; no setters are exposed, so the header values are fixed. */
public CacheControlHeadersWriter();
/**
 * Adds the cache-control headers to {@code response}.
 * NOTE(review): presumably unconditional for every request it sees; static assets
 * served through the same chain would lose caching — confirm and scope if needed.
 */
public void writeHeaders(HttpServletRequest request, HttpServletResponse response);
}Writes Content-Security-Policy header.
package org.springframework.security.web.header.writers;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.web.header.HeaderWriter;
/**
 * Writes the {@code Content-Security-Policy} header from a caller-supplied directive string.
 */
public class ContentSecurityPolicyHeaderWriter implements HeaderWriter {
/**
 * Creates a CSP header writer.
 *
 * @param policyDirectives the CSP policy directives, used as the header value;
 * nothing visible here validates or rewrites the string, so a weak policy
 * (e.g. {@code 'unsafe-inline'} in {@code script-src}) is sent as given
 */
public ContentSecurityPolicyHeaderWriter(String policyDirectives);
/** Adds the policy header (enforcing or report-only) to the response. */
public void writeHeaders(HttpServletRequest request, HttpServletResponse response);
/**
 * Sets whether to use report-only mode (default: false).
 * In report-only mode violations are reported but nothing is blocked (the standard
 * header for that is {@code Content-Security-Policy-Report-Only}); it is useful for
 * trialling a stricter policy, but provides no protection on its own.
 */
public void setReportOnly(boolean reportOnly);
}Writes Strict-Transport-Security header.
package org.springframework.security.web.header.writers;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.web.header.HeaderWriter;
import org.springframework.security.web.util.matcher.RequestMatcher;
/**
 * Writes the {@code Strict-Transport-Security} header, which instructs browsers to
 * reach this host only over HTTPS for {@code max-age} seconds.
 */
public class HstsHeaderWriter implements HeaderWriter {
/** Default value of the max-age directive, in seconds. */
public static final long DEFAULT_MAX_AGE_SECONDS = 31536000L; // 1 year
/**
 * Creates an HSTS header writer with default settings.
 * Which requests receive the header is decided by a default matcher that is not
 * shown here — presumably only requests already made over TLS; confirm.
 */
public HstsHeaderWriter();
/**
 * Creates an HSTS header writer with custom request matcher.
 *
 * @param requestMatcher selects the requests that get the header; note that
 * browsers ignore HSTS received over plain HTTP, so matching those is pointless
 */
public HstsHeaderWriter(RequestMatcher requestMatcher);
/** Adds the header, presumably only when the configured matcher accepts {@code request}. */
public void writeHeaders(HttpServletRequest request, HttpServletResponse response);
/**
 * Sets the max-age directive in seconds (default: 31536000).
 * Very short values give little protection; {@code 0} is the conventional way to
 * make browsers forget a previously recorded policy.
 */
public void setMaxAgeInSeconds(long maxAgeInSeconds);
/**
 * Sets whether to include subdomains (default: true).
 * This covers every subdomain of the host, including ones served by other systems.
 */
public void setIncludeSubDomains(boolean includeSubDomains);
/**
 * Sets whether to include preload directive (default: false).
 * Enable only once the whole domain (and all subdomains) is HTTPS-only; inclusion in
 * browser preload lists is hard to reverse.
 */
public void setPreload(boolean preload);
}Writes X-Frame-Options header to prevent clickjacking.
package org.springframework.security.web.header.writers.frameoptions;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.web.header.HeaderWriter;
/**
 * Writes the {@code X-Frame-Options} header so browsers refuse to render the page
 * inside a frame from a disallowed origin (clickjacking mitigation).
 */
public class XFrameOptionsHeaderWriter implements HeaderWriter {
/**
 * Creates an X-Frame-Options header writer.
 *
 * @param mode the frame options mode (DENY, SAMEORIGIN); see {@link XFrameOptionsMode}
 */
public XFrameOptionsHeaderWriter(XFrameOptionsMode mode);
/**
 * Adds the header with the configured mode. A CSP {@code frame-ancestors}
 * directive, where present, takes precedence over this header in browsers that
 * support it.
 */
public void writeHeaders(HttpServletRequest request, HttpServletResponse response);
}package org.springframework.security.web.header.writers.frameoptions;
/** Values accepted by {@code X-Frame-Options}; DENY is the safer choice when the page never needs framing. */
public enum XFrameOptionsMode {
/** Prevents any domain from framing the content */
DENY,
/** Only allows current site to frame the content */
SAMEORIGIN
}Writes X-Content-Type-Options: nosniff header.
package org.springframework.security.web.header.writers;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.web.header.HeaderWriter;
/**
 * Writes {@code X-Content-Type-Options: nosniff}, which stops browsers from guessing
 * a response's MIME type (e.g. treating a mistyped upload as script or a style sheet).
 */
public class XContentTypeOptionsHeaderWriter implements HeaderWriter {
/** Creates a writer; the header has a single fixed value, so there is nothing to configure. */
public XContentTypeOptionsHeaderWriter();
/** Adds the header to the response. */
public void writeHeaders(HttpServletRequest request, HttpServletResponse response);
}Writes X-XSS-Protection header.
package org.springframework.security.web.header.writers;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.web.header.HeaderWriter;
/**
 * Writes the legacy {@code X-XSS-Protection} header.
 * NOTE(review): this header controls a browser-side XSS auditor that current
 * browsers have removed or disabled; CSP is the supported mitigation. The defaults
 * below still enable it — decide deliberately whether the header is wanted.
 */
public class XXssProtectionHeaderWriter implements HeaderWriter {
/** Creates a writer with the defaults documented on the setters. */
public XXssProtectionHeaderWriter();
/** Adds the header, built from the enabled/block settings, to the response. */
public void writeHeaders(HttpServletRequest request, HttpServletResponse response);
/**
 * Sets whether XSS protection is enabled (default: true).
 * When disabled the header presumably tells the browser to turn the auditor off.
 */
public void setEnabled(boolean enabled);
/**
 * Sets whether to use block mode (default: true).
 * Block mode asks the browser to stop rendering rather than sanitise when the
 * auditor fires; only relevant while {@code enabled} is true.
 */
public void setBlock(boolean block);
}Writes Referrer-Policy header.
package org.springframework.security.web.header.writers;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.web.header.HeaderWriter;
/**
 * Writes the {@code Referrer-Policy} header, which controls how much of the current
 * URL browsers put into the {@code Referer} header of outgoing requests.
 */
public class ReferrerPolicyHeaderWriter implements HeaderWriter {
/**
 * Creates a referrer policy header writer.
 *
 * @param policy the referrer policy
 */
public ReferrerPolicyHeaderWriter(ReferrerPolicy policy);
/** Adds the header carrying the configured policy's token (see {@link ReferrerPolicy#getPolicy()}). */
public void writeHeaders(HttpServletRequest request, HttpServletResponse response);
/**
 * The standard policy tokens. {@code UNSAFE_URL} leaks the full URL, including
 * path and query, even to plain-HTTP origins; {@code STRICT_ORIGIN_WHEN_CROSS_ORIGIN}
 * is the privacy-preserving default modern browsers apply when no header is sent.
 */
public enum ReferrerPolicy {
NO_REFERRER("no-referrer"),
NO_REFERRER_WHEN_DOWNGRADE("no-referrer-when-downgrade"),
SAME_ORIGIN("same-origin"),
ORIGIN("origin"),
STRICT_ORIGIN("strict-origin"),
ORIGIN_WHEN_CROSS_ORIGIN("origin-when-cross-origin"),
STRICT_ORIGIN_WHEN_CROSS_ORIGIN("strict-origin-when-cross-origin"),
UNSAFE_URL("unsafe-url");
/** The header token for this constant. */
private final String policy;
ReferrerPolicy(String policy);
/** Returns the header token for this constant. */
public String getPolicy();
}
}Writes Permissions-Policy header (formerly Feature-Policy).
package org.springframework.security.web.header.writers;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.web.header.HeaderWriter;
/**
 * Writes the {@code Permissions-Policy} header (formerly {@code Feature-Policy}),
 * which restricts browser features such as camera, microphone or geolocation for
 * the document and the frames it embeds.
 */
public class PermissionsPolicyHeaderWriter implements HeaderWriter {
/**
 * Creates a permissions policy header writer.
 *
 * @param policy the permissions policy directives, used verbatim as the header
 * value; no validation of the syntax is visible on this page
 */
public PermissionsPolicyHeaderWriter(String policy);
/** Adds the header to the response. */
public void writeHeaders(HttpServletRequest request, HttpServletResponse response);
}Writes Cross-Origin-Opener-Policy header.
package org.springframework.security.web.header.writers;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.web.header.HeaderWriter;
/**
 * Writes the {@code Cross-Origin-Opener-Policy} header, which controls whether a
 * window opened from another origin keeps a scriptable reference to this document.
 */
public class CrossOriginOpenerPolicyHeaderWriter implements HeaderWriter {
/**
 * Creates a writer for the given policy.
 *
 * @param policy the COOP value to emit
 */
public CrossOriginOpenerPolicyHeaderWriter(CrossOriginOpenerPolicy policy);
/** Adds the header carrying the configured policy's token. */
public void writeHeaders(HttpServletRequest request, HttpServletResponse response);
/**
 * Policy tokens. {@code SAME_ORIGIN} isolates the page from cross-origin openers
 * (and, together with COEP, enables cross-origin isolation); {@code UNSAFE_NONE}
 * is the browser default, i.e. no isolation.
 */
public enum CrossOriginOpenerPolicy {
UNSAFE_NONE("unsafe-none"),
SAME_ORIGIN_ALLOW_POPUPS("same-origin-allow-popups"),
SAME_ORIGIN("same-origin");
/** The header token for this constant. */
private final String policy;
CrossOriginOpenerPolicy(String policy);
/** Returns the header token for this constant. */
public String getPolicy();
}
}Writes Cross-Origin-Embedder-Policy header.
package org.springframework.security.web.header.writers;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.web.header.HeaderWriter;
/**
 * Writes the {@code Cross-Origin-Embedder-Policy} header, which limits the
 * cross-origin resources a document may load to those that opt in (via CORS or CORP).
 */
public class CrossOriginEmbedderPolicyHeaderWriter implements HeaderWriter {
/** Creates a writer; the initial policy value is not visible on this page. */
public CrossOriginEmbedderPolicyHeaderWriter();
/** Adds the header carrying the configured policy to the response. */
public void writeHeaders(HttpServletRequest request, HttpServletResponse response);
/**
 * Sets the policy (require-corp or credentialless).
 * NOTE(review): unlike the sibling writers this takes a free-form String and no
 * validation is shown, so a typo would be emitted as a token browsers ignore —
 * callers should restrict themselves to the two values above.
 */
public void setPolicy(String policy);
}Writes Cross-Origin-Resource-Policy header.
package org.springframework.security.web.header.writers;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.web.header.HeaderWriter;
/**
 * Writes the {@code Cross-Origin-Resource-Policy} header, which tells browsers which
 * origins may embed this response (for example via {@code img} or {@code script} tags).
 */
public class CrossOriginResourcePolicyHeaderWriter implements HeaderWriter {
/** Creates a writer; the initial policy value is not visible on this page. */
public CrossOriginResourcePolicyHeaderWriter();
/** Adds the header carrying the configured policy's token. */
public void writeHeaders(HttpServletRequest request, HttpServletResponse response);
/**
 * Sets the policy to emit.
 *
 * @param policy the CORP value
 */
public void setPolicy(CrossOriginResourcePolicy policy);
/** Policy tokens. {@code CROSS_ORIGIN} lets any site embed the resource; {@code SAME_ORIGIN} is the most restrictive. */
public enum CrossOriginResourcePolicy {
SAME_SITE("same-site"),
SAME_ORIGIN("same-origin"),
CROSS_ORIGIN("cross-origin");
/** The header token for this constant. */
private final String policy;
CrossOriginResourcePolicy(String policy);
/** Returns the header token for this constant. */
public String getPolicy();
}
}import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
/**
 * Example configuration enabling frame options, a CSP and HSTS through the
 * {@code headers()} DSL.
 */
@Configuration
public class HeadersConfig {
/**
 * Builds the filter chain with the header settings below.
 *
 * @param http the builder supplied by Spring Security
 * @return the built chain
 * @throws Exception propagated from {@code http.build()}
 */
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.headers(headers -> headers
// Allow framing only by pages of the same origin.
.frameOptions(frame -> frame.sameOrigin())
.contentSecurityPolicy(csp -> csp
// NOTE(review): 'unsafe-inline' in script-src lets any injected inline
// script run, which removes most of the XSS protection CSP provides;
// prefer nonces or hashes for the inline scripts that are actually needed.
.policyDirectives("default-src 'self'; script-src 'self' 'unsafe-inline'")
)
.httpStrictTransportSecurity(hsts -> hsts
// One year, applied to the host and all its subdomains.
.maxAgeInSeconds(31536000)
.includeSubDomains(true)
// preload(true) opts the domain into browser preload lists; enable only
// once every subdomain is HTTPS-only, because it is hard to undo.
.preload(true)
)
);
return http.build();
}
}import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
/**
 * Example configuration with a more complete CSP: separate source lists per
 * resource type, framing forbidden, and base/form targets pinned to the own origin.
 */
@Configuration
public class CustomCspConfig {
/**
 * Builds the filter chain with the CSP below.
 *
 * @param http the builder supplied by Spring Security
 * @return the built chain
 * @throws Exception propagated from {@code http.build()}
 */
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.headers(headers -> headers
.contentSecurityPolicy(csp -> csp
.policyDirectives(
"default-src 'self'; " +
// NOTE(review): "{nonce}" is a literal here — nothing on this page
// substitutes a per-response value, and a nonce only protects if it is
// unpredictable and fresh on every response (SecureRandom, base64) and
// the same value is rendered into the script tags. As written this is
// not a valid nonce value; generate it per request or use a hash source.
"script-src 'self' https://cdn.example.com 'nonce-{nonce}'; " +
// 'unsafe-inline' for styles is lower risk than for scripts but still
// permits CSS injection; drop it if the templates can avoid inline styles.
"style-src 'self' 'unsafe-inline'; " +
// Broad: images may come from any HTTPS origin or inline data: URLs.
"img-src 'self' data: https:; " +
"font-src 'self' https://fonts.googleapis.com; " +
"connect-src 'self' https://api.example.com; " +
// CSP equivalent of X-Frame-Options DENY; takes precedence over that header.
"frame-ancestors 'none'; " +
// Prevents <base> tag injection from redirecting relative URLs.
"base-uri 'self'; " +
// Forms may only submit to the own origin.
"form-action 'self'"
)
)
);
return http.build();
}
}import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
/**
 * Example configuration that switches off two of the default headers.
 */
@Configuration
public class DisableHeadersConfig {
/**
 * Builds the filter chain without X-Frame-Options and X-XSS-Protection.
 *
 * @param http the builder supplied by Spring Security
 * @return the built chain
 * @throws Exception propagated from {@code http.build()}
 */
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.headers(headers -> headers
// NOTE(review): this removes the clickjacking protection entirely; nothing
// in this class sets a CSP frame-ancestors directive in its place, so the
// application's pages can be framed by any site unless that is configured elsewhere.
.frameOptions(frame -> frame.disable())
// Dropping the legacy X-XSS-Protection header is in line with current guidance,
// as browsers have retired the auditor it controls; CSP is the replacement.
.xssProtection(xss -> xss.disable())
);
return http.build();
}
}