
SEC-2331: Include Expires: 0 in security headers documentation

Rob Winch 12 жил өмнө
parent
commit
17efd25717

+ 1 - 0
config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java

@@ -157,6 +157,7 @@ public final class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends
      * <ul>
      * <li>Cache-Control: no-cache, no-store, max-age=0, must-revalidate</li>
      * <li>Pragma: no-cache</li>
+     * <li>Expires: 0</li>
      * </ul>
      *
      * @return the {@link HeadersConfigurer} for additional customizations
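Review bot: The header list in this Javadoc, and the matching list in CacheControlHeadersWriter further down, adds `Expires: 0` without saying why it sits next to `Cache-Control`, so a reader may take it for redundant and drop it later. A sentence after the list would record the intent, for example `Pragma and Expires are sent for HTTP/1.0 caches and proxies that do not honour Cache-Control.` It is also worth stating that `0` is not a valid HTTP-date and relies on caches treating an invalid Expires value as already expired. The Javadoc block starts and ends outside the hunk, so wording elsewhere in it may already cover this.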

+ 2 - 1
docs/manual/src/docbook/headers.xml

@@ -90,7 +90,8 @@ public class WebSecurityConfig extends
                 browser history to view the cached page. To help mitigate this Spring Security has added cache control support
                 which will insert the following headers into you response.</para>
             <programlisting><![CDATA[Cache-Control: no-cache, no-store, max-age=0, must-revalidate
-Pragma: no-cache]]></programlisting>
+Pragma: no-cache
+Expires: 0]]></programlisting>
             <para>Simply adding the <link linkend="nsa-headers">&lt;headers&gt;</link> element with no child elements will
                 automatically add Cache Control and quite a few other protections. However, if you only want cache control, you can
                 enable this feature using Spring Security's XML namespace with the

+ 1 - 0
web/src/main/java/org/springframework/security/web/header/writers/CacheControlHeadersWriter.java

@@ -26,6 +26,7 @@ import org.springframework.security.web.header.Header;
  * <ul>
  * <li>Cache-Control: no-cache, no-store, max-age=0, must-revalidate</li>
  * <li>Pragma: no-cache</li>
+ * <li>Expires: 0</li>
  * </ul>
  *
  * @author Rob Winch