package com.example.security; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter; @EnableWebSecurity @Configuration public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .headers() .referrerPolicy(ReferrerPolicyHeaderWriter.ReferrerPolicy.SAME_ORIGIN).and() .frameOptions().sameOrigin().and() .headers().defaultsDisabled() .contentTypeOptions().and() .httpStrictTransportSecurity() .includeSubDomains(true) .maxAgeInSeconds(31536000); } }
I have added this class but still i am not getting any given above headers in API response. I also tried by adding @EnableWebSecurity on class where all the APIs are mentioned. Given Below is the image of headers in response. Please check.
Advertisement
Answer
The possible reasons could be for the reported case are
Spring security might be not coming in the picture. Make sure you’re checking against accurate pattern (api protected by spring security)
Web server is filtering the set headers. As you’re using
Nginx
so you should check for any misconfigurations on the server.
Also,
Strict-Transport-Security
is only added on HTTPS requests, so the following will be only relevant on https.
.httpStrictTransportSecurity() .maxAgeInSeconds(31536000) .includeSubDomains(true);