Class HeadersConfigurer.XXssConfig

java.lang.Object
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.XXssConfig
Enclosing class:
HeadersConfigurer<H extends HttpSecurityBuilder<H>>

public final class HeadersConfigurer.XXssConfig extends Object
  • Method Details

    • headerValue

      public HeadersConfigurer<H>.XXssConfig headerValue(org.springframework.security.web.header.writers.XXssProtectionHeaderWriter.HeaderValue headerValue)
      Sets the value of the X-XSS-Protection header. OWASP recommends using XXssProtectionHeaderWriter.HeaderValue.DISABLED. With XXssProtectionHeaderWriter.HeaderValue.DISABLED, the header specifies that X-XSS-Protection is disabled. For example:
       X-XSS-Protection: 0
       
      With XXssProtectionHeaderWriter.HeaderValue.ENABLED, the header contains a value of 1 but does not specify the mode as blocked. In this instance, the browser attempts to fix the content. For example:
       X-XSS-Protection: 1
       
      With XXssProtectionHeaderWriter.HeaderValue.ENABLED_MODE_BLOCK, the header contains a value of 1 and specifies the mode as blocked. The content is replaced with "#". For example:
       X-XSS-Protection: 1 ; mode=block
       
      Parameters:
      headerValue - the new header value
      Since:
      5.8
    • disable

      public HeadersConfigurer<H> disable()
      Disables the X-XSS-Protection header (the header is not included in the response).
      Returns:
      the HeadersConfigurer for additional configuration
    • and

      @Deprecated(since="6.1", forRemoval=true) public HeadersConfigurer<H> and()
      Deprecated, for removal: This API element is subject to removal in a future version.
      For removal in 7.0. Use HeadersConfigurer.xssProtection(Customizer) instead.
      Allows completing configuration of X-XSS-Protection and continuing configuration of headers.
      Returns:
      the HeadersConfigurer for additional configuration
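
The methods documented above, used through the lambda DSL that replaces and(). This is an added example, not code from the Spring Security project; the class name, bean names, ordering and the /legacy/** path are assumptions made for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter.HeaderValue;

// Hypothetical configuration class contrasting headerValue(DISABLED) with disable().
@Configuration
@EnableWebSecurity
public class XssHeaderConfig {

    // Chain for a hypothetical /legacy/** path: disable() removes the header
    // writer, so responses carry no X-XSS-Protection header at all.
    @Bean
    @Order(1)
    SecurityFilterChain legacyChain(HttpSecurity http) throws Exception {
        http.securityMatcher("/legacy/**")
            .headers(headers -> headers
                .xssProtection(xss -> xss.disable()));
        return http.build();
    }

    // Chain for every other request: headerValue(DISABLED) keeps the header and
    // sends "X-XSS-Protection: 0", the value the page says OWASP recommends.
    @Bean
    @Order(2)
    SecurityFilterChain defaultChain(HttpSecurity http) throws Exception {
        http.headers(headers -> headers
            // The Customizer form ends the X-XSS-Protection block when the lambda
            // returns, so the deprecated and() call is not needed to continue
            // configuring other headers.
            .xssProtection(xss -> xss.headerValue(HeaderValue.DISABLED))
            // HeaderValue.ENABLED would send "1" (the browser tries to fix content);
            // HeaderValue.ENABLED_MODE_BLOCK would send "1" with mode=block.
        );
        return http.build();
    }
}
```

The two chains differ in what an auditor sees on the wire: the first sends no X-XSS-Protection header, the second sends an explicit 0.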