0 votes

I use Spring Security 5.1.6, and am reading about security headers here:

Spring Security allows users to easily inject the default security headers to assist in protecting their application. The default for Spring Security is to include the following headers:

Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

but from this documentation it seems like these headers are not implicitly added, so I need to inject the default headers myself. Question is, can I do that in spring-security.xml, or must I do it in some other way?

1
@AK47 Seems like it doesn't, because some resources don't get the headers. "allows users to easily inject" sounds like one actually has to do something, to me. – Lars Andren

1 Answer

0 votes

According to my understanding, the default headers are not set by default; one needs to include this in the spring-security.xml:

<security:headers/>

for whatever patterns you wish to include the default headers.
Example:

<security:http pattern="/certainpage.html" use-expressions="true" request-matcher="regex" authentication-manager-ref="authManagerLink">
    <security:http-basic/>
    <security:intercept-url pattern="/certainpage.html" access="permitAll"/>
    <security:headers/>
</security:http>

Adding only specific security headers is done like this:

<security:headers>
    <security:frame-options policy="SAMEORIGIN"/>
    <security:content-type-options disabled="false" />
    <security:xss-protection enabled="true" block="true" />
</security:headers>

I am using <spring.security.version>5.1.6.RELEASE</spring.security.version>
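A quick way to confirm that a given page pattern actually got the `<security:headers/>` treatment is to capture the response headers (for example with `curl -sI`) and diff them against the default set quoted in the question. The following is an added check of my own, not code from the answer or from Spring Security; the two response samples are constructed, and the header list is the one from the question.

```shell
#!/bin/sh
# Audit an HTTP response header block for the default Spring Security headers.
# Reads the raw headers on stdin, prints one missing header name per line,
# and returns 0 when nothing is missing, 1 otherwise.
# Feed it real output with:  curl -sI https://host/certainpage.html | missing_security_headers

# Header names from the Spring Security documentation quoted in the question.
EXPECTED_HEADERS="Cache-Control Pragma Expires X-Content-Type-Options Strict-Transport-Security X-Frame-Options X-XSS-Protection"

missing_security_headers() {
    # Strip CRs from HTTP line endings, keep only "Name:" prefixes, lower-case
    # them so the comparison is case-insensitive (header names are).
    present=$(tr -d '\r' | sed -n 's/^\([A-Za-z0-9-]*\):.*/\1/p' | tr 'A-Z' 'a-z')
    missing=0
    for h in $EXPECTED_HEADERS; do
        lower=$(printf '%s' "$h" | tr 'A-Z' 'a-z')
        if ! printf '%s\n' "$present" | grep -qx "$lower"; then
            echo "$h"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample: a <security:http> block with no <security:headers/> element.
SAMPLE_WITHOUT='HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Content-Length: 42'

# Constructed sample: the same page after <security:headers/> was added.
SAMPLE_WITH='HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Type: text/html;charset=UTF-8'

# Stand-alone demo: the first call lists all seven names, the second prints nothing.
printf '%s\n' "$SAMPLE_WITHOUT" | missing_security_headers
printf '%s\n' "$SAMPLE_WITH" | missing_security_headers
```

Note that Spring Security writes Strict-Transport-Security only on requests it sees as secure (HTTPS), so running this against a plain-HTTP URL will report that one header as missing even when the configuration is correct.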