1
votes

I am using Spring Security and Spring Oauth2 and JWT in my API project
The default API in order to login which Spring oauth 2 provided, is /oauth/token

This API always adds "Strict-Transport-Security: max-age=31536000 ; includeSubDomains" header to the response. But I don't want this in my situation. And I have removed HSTS with the below source code.

@EnableWebSecurity
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        // ...
        .headers()
            .httpStrictTransportSecurity().disable();
    }
}

With above code, APIs I defined is removed HSTS in header. But the default API /oauth/token still return HSTS in header. Is there any way to do this ? Please help.

Thanks, Tin

1

1 Answers

1
votes

I just ran into the same issue. The best solution I found is writing a filter that prevents others from setting the HSTS header in general.

@Component
@Order(value = Ordered.HIGHEST_PRECEDENCE)
public class HstsHeaderPreventionFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {

    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        chain.doFilter(request, new HttpServletResponseWrapper((HttpServletResponse) response) {
            public void setHeader(String name, String value) {
                if (!name.equalsIgnoreCase("Strict-Transport-Security")) {
                    super.setHeader(name, value);
                }
            }
        });
    }

    @Override
    public void destroy() {

    }

}