Class GlobalHeadersConfig

    • Constructor Detail

      • GlobalHeadersConfig

        GlobalHeadersConfig()
    • Method Detail

      • strictTransportSecurity

         final Unit strictTransportSecurity(Duration duration, Boolean includeSubdomains)

        Adds a Strict-Transport-Security header.

        The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS. Browsers only honour the header when it arrives over HTTPS; on a plain-HTTP response it is ignored. e.g.: Strict-Transport-Security: max-age=31536000; includeSubDomains

        Parameters:
        duration - how long the browser should remember that the site is only to be accessed using HTTPS; it is emitted as the max-age directive, in whole seconds.
        includeSubdomains - if true, this rule applies to all of the site's subdomains as well. Without it, a plain-HTTP subdomain can still be used to set cookies scoped to the parent domain.
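As an added example (not code from this page or from the library it documents), the following Python builds the header value the way strictTransportSecurity is described above, with max-age derived from a duration in whole seconds, and then parses and audits a received value. The helper names and the one-year threshold are assumptions of the example.

```python
from datetime import timedelta

# Assumed threshold: a year is the retention most guidance recommends.
ONE_YEAR = timedelta(days=365)


def hsts_header_value(duration: timedelta, include_subdomains: bool) -> str:
    """Build the Strict-Transport-Security value: the duration becomes max-age
    in whole seconds, plus includeSubDomains when requested."""
    seconds = int(duration.total_seconds())
    if seconds < 0:
        raise ValueError("max-age must not be negative")
    value = f"max-age={seconds}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def parse_hsts(value: str) -> dict:
    """Split an HSTS value into directives. Names are case-insensitive (RFC 6797),
    so they are lower-cased; valueless directives map to True; unknown ones are kept."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else True
    return directives


def audit_hsts(value: str, minimum: timedelta = ONE_YEAR) -> list:
    """Return findings for a received HSTS value; an empty list means nothing to report."""
    d = parse_hsts(value)
    if "max-age" not in d:
        return ["max-age missing: browsers ignore the header entirely"]
    raw = d["max-age"]
    if not isinstance(raw, str) or not raw.isdigit():
        return ["max-age is not an integer: browsers ignore the header entirely"]
    max_age = int(raw)
    findings = []
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS entry")
    elif max_age < int(minimum.total_seconds()):
        findings.append(f"max-age={max_age} is shorter than {int(minimum.total_seconds())} seconds")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: an HTTP subdomain can still set cookies "
                        "for the parent domain")
    return findings


if __name__ == "__main__":
    print(hsts_header_value(ONE_YEAR, True))
    for received in ("max-age=31536000; includeSubDomains", "max-age=3600", "includeSubDomains"):
        print(received, "->", audit_hsts(received) or "ok")
```

The parser lower-cases directive names because user agents match them case-insensitively; an auditor that compares against "includeSubDomains" verbatim would miss a valid header.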
      • xFrameOptions

         final Unit xFrameOptions(GlobalHeadersConfig.XFrameOptions xFrameOptions)

        Adds an X-Frame-Options header.

        The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.

        e.g.: X-Frame-Options: DENY | SAMEORIGIN

        Parameters:
        xFrameOptions - the option to use
      • xFrameOptions

        @Deprecated(message = "This is an obsolete directive that no longer works in modern browsers.") final Unit xFrameOptions(String domain)

        Adds an X-Frame-Options header.

        The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.

        e.g.: X-Frame-Options: ALLOW-FROM origin

        ALLOW-FROM is obsolete: browsers that do not understand it treat the whole header as invalid and apply no framing restriction, so this overload gives no clickjacking protection in modern browsers. To allow framing from specific origins, use the frame-ancestors directive of the Content-Security-Policy header instead.

        Parameters:
        domain - the domain to allow
      • xContentTypeOptionsNoSniff

         final Unit xContentTypeOptionsNoSniff()

        Adds a "No Sniff" X-Content-Type-Options header.

        The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed. The header allows you to avoid MIME type sniffing by saying that the MIME types are deliberately configured.

        Blocks a request if the request destination is of type style and the MIME type is not text/css, or of type script and the MIME type is not a JavaScript MIME type.

        i.e.: X-Content-Type-Options: nosniff

      • contentSecurityPolicy

         final Unit contentSecurityPolicy(String contentSecurityPolicy)

        Adds the Content-Security-Policy header.

        The HTTP Content-Security-Policy response header allows website administrators to control the resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting (XSS) attacks.

        e.g.: Content-Security-Policy: <policy-directive>; <policy-directive>
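As an added example (not code from this page or from the library it documents), here is a Python parser for the "<policy-directive>; <policy-directive>" syntax above, together with the checks a reviewer would run on the resulting policy: whether script execution is really restricted, whether plugins and framing are locked down, and whether base-uri is set. The two sample policies are constructed for the example, and the fallback-to-default-src list covers the common fetch directives.

```python
# Fetch directives that fall back to default-src when absent. frame-ancestors,
# base-uri and form-action do not fall back, which is why they are checked separately.
FALLS_BACK_TO_DEFAULT = {
    "script-src", "style-src", "img-src", "connect-src", "font-src", "object-src",
    "media-src", "frame-src", "child-src", "worker-src", "manifest-src",
}

# Constructed sample policies (not taken from the page).
STRICT_POLICY = ("default-src 'none'; script-src 'self' 'nonce-d41d8cd98f'; "
                 "object-src 'none'; frame-ancestors 'none'; base-uri 'self'")
PERMISSIVE_POLICY = "default-src * 'unsafe-inline' 'unsafe-eval'"


def parse_csp(policy: str) -> dict:
    """Parse '<directive> <source>...; <directive> ...' into {name: [sources]}.
    Names are case-insensitive; a repeated directive is ignored, as user agents do."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def effective_sources(directives: dict, name: str):
    """Sources that actually govern `name`, honouring the default-src fallback."""
    if name in directives:
        return directives[name]
    if name in FALLS_BACK_TO_DEFAULT:
        return directives.get("default-src")
    return None


def audit_csp(policy: str) -> list:
    """Findings that matter for XSS: script sources, plugins, framing and <base> hijacking."""
    d = parse_csp(policy)
    findings = []
    script = effective_sources(d, "script-src")
    if script is None:
        findings.append("no script-src and no default-src: scripts may load from anywhere")
    else:
        lowered = [s.lower() for s in script]
        # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline'.
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
        if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
            findings.append("script-src 'unsafe-inline' without a nonce or hash: injected inline scripts run")
        if "'unsafe-eval'" in lowered:
            findings.append("script-src 'unsafe-eval': eval() of attacker-controlled strings is allowed")
        if any(s in ("*", "http:", "https:") for s in lowered):
            findings.append("script-src allows scripts from any origin")
    objects = effective_sources(d, "object-src")
    if objects is None or "'none'" not in [s.lower() for s in objects]:
        findings.append("object-src is not 'none': plugin content may execute")
    if "frame-ancestors" not in d:
        findings.append("frame-ancestors missing: CSP does not restrict framing")
    if "base-uri" not in d:
        findings.append("base-uri missing: an injected <base> tag can redirect relative script URLs")
    return findings


if __name__ == "__main__":
    for name, policy in (("strict", STRICT_POLICY), ("permissive", PERMISSIVE_POLICY)):
        print(name, audit_csp(policy) or "ok")
```

The duplicate-directive rule matters for audits: if a reverse proxy appends a second, weaker script-src to a policy the application already set, browsers keep the first one, so the parser must do the same or it will report a weakness that does not exist (or miss one that does, if the weak directive came first).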

      • xPermittedCrossDomainPolicies

         final Unit xPermittedCrossDomainPolicies(GlobalHeadersConfig.CrossDomainPolicy policy)

        Adds the X-Permitted-Cross-Domain-Policies header.

        This header is used to limit which data external resources, such as Adobe Flash and PDF documents, can access on the domain. Failure to set the X-Permitted-Cross-Domain-Policies header to the "none" value allows other domains to embed the application's data in their content.

        e.g.: X-Permitted-Cross-Domain-Policies: none | master-only | by-content-type | by-ftp-filename | all

        Parameters:
        policy - the policy to use
      • referrerPolicy

         final Unit referrerPolicy(GlobalHeadersConfig.ReferrerPolicy policy)

        Adds a Referrer-Policy header.

        The Referrer-Policy HTTP header controls how much referrer information (sent with the Referer header) should be included with requests. Aside from the HTTP header, you can set this policy in HTML.

        e.g.: Referrer-Policy: no-referrer

        Parameters:
        policy - the policy to use
      • clearSiteData

         final Unit clearSiteData(GlobalHeadersConfig.ClearSiteData data)

        Adds a Clear-Site-Data header.

        The Clear-Site-Data header clears browsing data (cookies, storage, cache) associated with the requesting website. It allows web developers to have more control over the data stored by a client browser for their origins.

        e.g.: Clear-Site-Data: "cache", "cookies"

        Parameters:
        data - a vararg list of directives about which data should be cleared
      • crossOriginEmbedderPolicy

         final Unit crossOriginEmbedderPolicy(GlobalHeadersConfig.CrossOriginEmbedderPolicy policy)

        Adds a Cross-Origin-Embedder-Policy (COEP) header.

        The HTTP Cross-Origin-Embedder-Policy (COEP) response header configures embedding cross-origin resources into the document.

        e.g.: Cross-Origin-Embedder-Policy: require-corp | unsafe-none

        Parameters:
        policy - the policy to use
      • crossOriginOpenerPolicy

         final Unit crossOriginOpenerPolicy(GlobalHeadersConfig.CrossOriginOpenerPolicy policy)

        Adds a Cross-Origin-Opener-Policy (COOP) header.

        The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents.

        e.g.: Cross-Origin-Opener-Policy: unsafe-none | same-origin-allow-popups | same-origin

        Parameters:
        policy - the policy to use
      • crossOriginResourcePolicy

         final Unit crossOriginResourcePolicy(GlobalHeadersConfig.CrossOriginResourcePolicy policy)

        Adds a Cross-Origin Resource Policy (CORP) header.

        Cross-Origin Resource Policy is a policy set by the Cross-Origin-Resource-Policy HTTP header that lets websites and applications opt in to protection against certain requests from other origins (such as those issued with elements like <script> and <img>), to mitigate speculative side-channel attacks, like Spectre, as well as Cross-Site Script Inclusion attacks.

        e.g.: Cross-Origin-Resource-Policy: same-site | same-origin | cross-origin

        Parameters:
        policy - the policy to use
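As an added example (not code from this page or from the library it documents), the following Python audits a captured response for the remaining headers this class emits: X-Frame-Options (including the obsolete ALLOW-FROM form of the deprecated overload above), X-Content-Type-Options, X-Permitted-Cross-Domain-Policies, Referrer-Policy, and the COEP, COOP and CORP headers. The permitted values are those listed in the method descriptions above; the two sample responses are constructed for the example.

```python
# Permitted values as listed in the method documentation for each header.
XFO_VALUES = {"deny", "sameorigin"}
CROSS_DOMAIN_POLICIES = {"none", "master-only", "by-content-type", "by-ftp-filename", "all"}
COEP_VALUES = {"require-corp", "unsafe-none"}
COOP_VALUES = {"unsafe-none", "same-origin-allow-popups", "same-origin"}
CORP_VALUES = {"same-site", "same-origin", "cross-origin"}
REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}
# Policies that send the full URL (path and query) to another origin over HTTPS.
LEAKY_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}

# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: ALLOW-FROM https://partner.example
Referrer-Policy: unsafe-url
Cross-Origin-Opener-Policy: unsafe-none
"""
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: no-referrer
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
"""


def parse_headers(raw: str) -> dict:
    """Parse 'Name: value' lines into a dict keyed by lower-cased name; the status
    line has no colon and is skipped. A repeated name is joined with ', '."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def audit_headers(raw: str) -> list:
    """Return findings; an empty list means every checked header is present and sane."""
    h = parse_headers(raw)
    findings = []

    def enum_value(name, allowed):
        value = h.get(name)
        if value is None:
            return None
        value = value.lower()
        if value not in allowed:
            findings.append(f"{name}: unrecognised value {value!r} (browsers ignore it)")
            return None
        return value

    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "").lower()
    csp_frame_ancestors = "frame-ancestors" in h.get("content-security-policy", "").lower()
    if xfo.startswith("allow-from"):
        findings.append("x-frame-options: ALLOW-FROM is obsolete and ignored; use CSP frame-ancestors")
    elif xfo and xfo not in XFO_VALUES:
        findings.append(f"x-frame-options: unrecognised value {xfo!r}")
    elif not xfo and not csp_frame_ancestors:
        findings.append("no framing restriction: set X-Frame-Options or CSP frame-ancestors")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("x-content-type-options: nosniff missing, MIME sniffing allowed")

    if enum_value("x-permitted-cross-domain-policies", CROSS_DOMAIN_POLICIES) != "none":
        findings.append("x-permitted-cross-domain-policies: not 'none'; Flash/PDF may read data cross-domain")

    # Referrer-Policy may list several policies; the last one the browser recognises wins.
    tokens = [t.strip().lower() for t in h.get("referrer-policy", "").split(",")]
    effective = next((t for t in reversed(tokens) if t in REFERRER_POLICIES), None)
    if effective is None:
        findings.append("referrer-policy: missing or unrecognised")
    elif effective in LEAKY_REFERRER:
        findings.append(f"referrer-policy: {effective} sends full URLs to other origins")

    # Cross-origin isolation needs both COOP same-origin and COEP require-corp.
    coop = enum_value("cross-origin-opener-policy", COOP_VALUES)
    coep = enum_value("cross-origin-embedder-policy", COEP_VALUES)
    if not (coop == "same-origin" and coep == "require-corp"):
        findings.append("not cross-origin isolated (needs COOP same-origin and COEP require-corp)")
    if enum_value("cross-origin-resource-policy", CORP_VALUES) in (None, "cross-origin"):
        findings.append("cross-origin-resource-policy: any origin may embed this resource")
    return findings


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(response) or "ok")
```

Unrecognised values are reported rather than silently accepted because browsers drop the whole header when the value is invalid; a typo such as "SAME-ORIGIN" in X-Frame-Options leaves the page frameable even though the header is present.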