java.lang.Object
org.springframework.security.config.annotation.SecurityConfigurerAdapter<org.springframework.security.web.DefaultSecurityFilterChain,B>
org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<HeadersConfigurer<H>,H>
org.springframework.security.config.annotation.web.configurers.HeadersConfigurer<H>
All Implemented Interfaces:
SecurityConfigurer<org.springframework.security.web.DefaultSecurityFilterChain,H>

public class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHttpConfigurer<HeadersConfigurer<H>,H>

Adds the Security HTTP headers to the response. Security HTTP headers is activated by default when using EnableWebSecurity's default constructor.

The default headers include are:

 Cache-Control: no-cache, no-store, max-age=0, must-revalidate
 Pragma: no-cache
 Expires: 0
 X-Content-Type-Options: nosniff
 Strict-Transport-Security: max-age=31536000 ; includeSubDomains
 X-Frame-Options: DENY
 X-XSS-Protection: 0
 
Since:
3.2