Class GlobalHeadersConfig

public final class GlobalHeadersConfig

The configuration for the GlobalHeadersPlugin.

Nested Class Summary

public enum GlobalHeadersConfig.XFrameOptions
    X-Frame-Options policy
public enum GlobalHeadersConfig.CrossDomainPolicy
    X-Permitted-Cross-Domain-Policies
public enum GlobalHeadersConfig.ReferrerPolicy
    Referrer-Policy
public enum GlobalHeadersConfig.ClearSiteData
    Directive for the Clear-Site-Data header.
public enum GlobalHeadersConfig.CrossOriginEmbedderPolicy
    Cross-Origin-Embedder-Policy
public enum GlobalHeadersConfig.CrossOriginOpenerPolicy
    Cross-Origin-Opener-Policy
public enum GlobalHeadersConfig.CrossOriginResourcePolicy
    Cross-Origin Resource Policy

Constructor Summary

GlobalHeadersConfig()

Method Summary

final Map<String, String> getHeaders()
    The headers to add to each request.
final Unit strictTransportSecurity(Duration duration, Boolean includeSubdomains)
    Adds a Strict-Transport-Security header.
final Unit xFrameOptions(GlobalHeadersConfig.XFrameOptions xFrameOptions)
    Adds an X-Frame-Options header.
final Unit xFrameOptions(String domain)
    Adds an X-Frame-Options header. (Deprecated: the ALLOW-FROM directive no longer works in modern browsers.)
final Unit xContentTypeOptionsNoSniff()
    Adds a "No Sniff" X-Content-Type-Options header.
final Unit contentSecurityPolicy(String contentSecurityPolicy)
    Adds the Content-Security-Policy header.
final Unit xPermittedCrossDomainPolicies(GlobalHeadersConfig.CrossDomainPolicy policy)
    Adds the X-Permitted-Cross-Domain-Policies header.
final Unit referrerPolicy(GlobalHeadersConfig.ReferrerPolicy policy)
    Adds a Referrer-Policy header.
final Unit clearSiteData(GlobalHeadersConfig.ClearSiteData data)
    Adds a Clear-Site-Data header.
final Unit crossOriginEmbedderPolicy(GlobalHeadersConfig.CrossOriginEmbedderPolicy policy)
    Adds a Cross-Origin-Embedder-Policy (COEP) header.
final Unit crossOriginOpenerPolicy(GlobalHeadersConfig.CrossOriginOpenerPolicy policy)
    Adds a Cross-Origin-Opener-Policy (COOP) header.
final Unit crossOriginResourcePolicy(GlobalHeadersConfig.CrossOriginResourcePolicy policy)
    Adds a Cross-Origin Resource Policy (CORP) header.

Method Detail

getHeaders
final Map<String, String> getHeaders()
The headers to add to each request.

strictTransportSecurity
final Unit strictTransportSecurity(Duration duration, Boolean includeSubdomains)
Adds a Strict-Transport-Security header.
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS. e.g.:
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Parameters:
    duration - the time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
    includeSubdomains - if true, this rule applies to all of the site's subdomains as well.

xFrameOptions
final Unit xFrameOptions(GlobalHeadersConfig.XFrameOptions xFrameOptions)
Adds an X-Frame-Options header.
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.
e.g.:
X-Frame-Options: DENY | SAMEORIGIN
Parameters:
    xFrameOptions - the option to use

xFrameOptions
@Deprecated(message = "This is an obsolete directive that no longer works in modern browsers.")
final Unit xFrameOptions(String domain)
Adds an X-Frame-Options header.
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.
e.g.:
X-Frame-Options: ALLOW-FROM origin
Parameters:
    domain - the domain to allow

xContentTypeOptionsNoSniff
final Unit xContentTypeOptionsNoSniff()
Adds a "No Sniff" X-Content-Type-Options header.
The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed. The header allows you to avoid MIME type sniffing by saying that the MIME types are deliberately configured.
Blocks a request if the request destination is of type style and the MIME type is not text/css, or of type script and the MIME type is not a JavaScript MIME type.
i.e.:
X-Content-Type-Options: nosniff
contentSecurityPolicy
final Unit contentSecurityPolicy(String contentSecurityPolicy)
Adds the Content-Security-Policy header.
The HTTP Content-Security-Policy response header allows website administrators to control the resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting (XSS) attacks.
e.g.:
Content-Security-Policy: <policy-directive>; <policy-directive>

xPermittedCrossDomainPolicies
final Unit xPermittedCrossDomainPolicies(GlobalHeadersConfig.CrossDomainPolicy policy)
Adds the X-Permitted-Cross-Domain-Policies header.
This header is used to limit which data external resources, such as Adobe Flash and PDF documents, can access on the domain. Failing to set the X-Permitted-Cross-Domain-Policies header to the "none" value allows other domains to embed the application's data in their content.
e.g.:
X-Permitted-Cross-Domain-Policies: none | master-only | by-content-type | by-ftp-filename | all
Parameters:
    policy - the policy to use

referrerPolicy
final Unit referrerPolicy(GlobalHeadersConfig.ReferrerPolicy policy)
Adds a Referrer-Policy header.
The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. Aside from the HTTP header, you can set this policy in HTML.
e.g.:
Referrer-Policy: no-referrer
Parameters:
    policy - the policy to use

clearSiteData
final Unit clearSiteData(GlobalHeadersConfig.ClearSiteData data)
Adds a Clear-Site-Data header.
The Clear-Site-Data header clears browsing data (cookies, storage, cache) associated with the requesting website. It allows web developers to have more control over the data stored by a client browser for their origins.
e.g.:
Clear-Site-Data: "cache", "cookies"
Parameters:
    data - a vararg list of directives about which data should be cleared

crossOriginEmbedderPolicy
final Unit crossOriginEmbedderPolicy(GlobalHeadersConfig.CrossOriginEmbedderPolicy policy)
Adds a Cross-Origin-Embedder-Policy (COEP) header.
The HTTP Cross-Origin-Embedder-Policy (COEP) response header configures embedding cross-origin resources into the document.
e.g.:
Cross-Origin-Embedder-Policy: require-corp | unsafe-none
Parameters:
    policy - the policy to use

crossOriginOpenerPolicy
final Unit crossOriginOpenerPolicy(GlobalHeadersConfig.CrossOriginOpenerPolicy policy)
Adds a Cross-Origin-Opener-Policy (COOP) header.
The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents.
e.g.:
Cross-Origin-Opener-Policy: unsafe-none | same-origin-allow-popups | same-origin
Parameters:
    policy - the policy to use

crossOriginResourcePolicy
final Unit crossOriginResourcePolicy(GlobalHeadersConfig.CrossOriginResourcePolicy policy)
Adds a Cross-Origin Resource Policy (CORP) header.
Cross-Origin Resource Policy is a policy set by the Cross-Origin-Resource-Policy HTTP header that lets websites and applications opt in to protection against certain requests from other origins (such as those issued with elements like <script> and <img>), to mitigate speculative side-channel attacks, like Spectre, as well as Cross-Site Script Inclusion attacks.
e.g.:
Cross-Origin-Resource-Policy: same-site | same-origin | cross-origin
Parameters:
    policy - the policy to use
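
An added example, not part of the GlobalHeadersConfig documentation: a Python audit that checks a response header map against the header values listed in the method details above, flagging missing headers, the deprecated ALLOW-FROM form and values that leave a protection switched off. The "strict" baseline, the one-year HSTS threshold and both sample header sets are this example's own assumptions.

```python
import re

# Accepted values per header, lowercased, as listed in the method details above.
ALLOWED = {
    "x-frame-options": {"deny", "sameorigin"},
    "x-content-type-options": {"nosniff"},
    "x-permitted-cross-domain-policies": {"none", "master-only", "by-content-type", "by-ftp-filename", "all"},
    "cross-origin-embedder-policy": {"require-corp", "unsafe-none"},
    "cross-origin-opener-policy": {"unsafe-none", "same-origin-allow-popups", "same-origin"},
    "cross-origin-resource-policy": {"same-site", "same-origin", "cross-origin"},
}
# Values that keep each protection switched on: an assumed baseline, not something the docs prescribe.
STRICT = {"x-permitted-cross-domain-policies": {"none"}, "cross-origin-embedder-policy": {"require-corp"},
          "cross-origin-opener-policy": {"same-origin", "same-origin-allow-popups"},
          "cross-origin-resource-policy": {"same-origin", "same-site"}}
ONE_YEAR = 31536000  # the max-age shown in the strictTransportSecurity example (assumed minimum)

def audit(headers):
    """Return a list of findings for a response header map; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
    if not m or int(m.group(1)) < ONE_YEAR:
        findings.append("strict-transport-security: missing, no max-age, or max-age under one year")
    elif "includesubdomains" not in hsts.lower():
        findings.append("strict-transport-security: includeSubDomains not set")
    findings += [f"{n}: missing" for n in ("content-security-policy", "referrer-policy") if n not in h]
    for name, allowed in ALLOWED.items():
        val = h.get(name, "").lower()
        if not val:
            findings.append(f"{name}: missing")
        elif name == "x-frame-options" and val.startswith("allow-from"):
            findings.append(f"{name}: ALLOW-FROM is obsolete, use DENY or SAMEORIGIN")
        elif val not in allowed:
            findings.append(f"{name}: unknown value {val!r}")
        elif val not in STRICT.get(name, allowed):
            findings.append(f"{name}: permissive value {val!r}")
    return findings

# Constructed sample of what a fully configured GlobalHeadersConfig would emit.
HARDENED = {"Strict-Transport-Security": "max-age=31536000 ; includeSubDomains", "X-Frame-Options": "DENY",
            "X-Content-Type-Options": "nosniff", "Content-Security-Policy": "default-src 'self'",
            "X-Permitted-Cross-Domain-Policies": "none", "Referrer-Policy": "no-referrer",
            "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin",
            "Cross-Origin-Resource-Policy": "same-origin"}
# Constructed sample with a short HSTS lifetime, the deprecated ALLOW-FROM form and two permissive values.
WEAK = dict(HARDENED, **{"Strict-Transport-Security": "max-age=300", "X-Frame-Options": "ALLOW-FROM https://example.org",
                        "X-Permitted-Cross-Domain-Policies": "all", "Cross-Origin-Opener-Policy": "unsafe-none"})
```

audit(HARDENED) returns an empty list, while audit(WEAK) reports the short max-age, the ALLOW-FROM value and the two permissive settings.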