SEC-2348: Update doc headers enabled by default with XML

This commit is contained in:
Rob Winch 2014-11-21 21:55:03 -06:00
parent 4392205f63
commit 3c487c0348
2 changed files with 15 additions and 16 deletions


@ -107,6 +107,7 @@ public class SessionManagementConfigServlet31Tests {
loadContext("<http>\n" +
" <form-login/>\n" +
" <session-management/>\n" +
" <csrf disabled='true'/>\n" +
" </http>" +
XML_AUTHENTICATION_MANAGER);
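Review bot: the hunk header shows one line added to this test configuration, yet the context now contains `<csrf disabled='true'/>`, which has nothing to do with the headers-by-default change named in the commit title. Either explain in the commit message why the session-management tests need CSRF turned off, or move that change into its own commit; a test that loads `<http>` without a `<headers>` element and asserts the default security headers are present would be the natural companion to this change.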
@ -132,6 +133,7 @@ public class SessionManagementConfigServlet31Tests {
loadContext("<http>\n" +
" <form-login/>\n" +
" <session-management session-fixation-protection='changeSessionId'/>\n" +
" <csrf disabled='true'/>\n" +
" </http>" +
XML_AUTHENTICATION_MANAGER);
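Review bot: this is the same `<csrf disabled='true'/>` addition as in the previous hunk, now in the `session-fixation-protection='changeSessionId'` variant. The two test configurations differ only in the `<session-management>` element, so a small helper that builds the `<http>` block around that one element would keep the CSRF line in one place and make future default changes a one-line edit.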


@ -3322,23 +3322,9 @@ Spring Security allows users to easily inject the default security headers to as
* <<headers-frame-options,X-Frame-Options>>
* <<headers-xss-protection,X-XSS-Protection>>
While each of these headers are considered best practice, it should be noted that not all clients utilize the headers, so additional testing is encouraged. For passivity reasons, if you are using Spring Security's XML namespace support, you must explicitly enable the security headers. All of the default headers can be easily added using the <<nsa-headers,<headers>>> element with no child elements:
While each of these headers are considered best practice, it should be noted that not all clients utilize the headers, so additional testing is encouraged. As of Spring Security 4.0, HTTP Security response headers are enabled by default.
[NOTE]
====
https://jira.springsource.org/browse/SEC-2348[SEC-2348] is logged to ensure Spring Security 4.x's XML namespace configuration will enable Security headers by default.
====
[source,xml]
----
<http>
<!-- ... -->
<headers />
</http>
----
Alternatively, you can choose to explicitly list the headers you wish to include. For example, the following is the same the previous configuration. Removing any of the elements will remove that header from the responses.
Alternatively, you can choose to explicitly list the headers you wish to include. For example, the following is the same the default configuration. Removing any of the elements will remove that header from the responses.
[source,xml]
----
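Review bot: the replacement sentence "the following is the same the default configuration" is missing "as" (it should read "the same as the default configuration"), and the original had the same slip with "previous", so this is a good moment to fix it. Dropping the SEC-2348 NOTE block is right now that the issue is being resolved, but the `<headers />` snippet went with it, so the reader no longer sees that a bare `<headers>` element with no children is equivalent to the default; a one-line remark to that effect before the explicit-list example would keep the two configurations connected.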
@ -3355,6 +3341,17 @@ Alternatively, you can choose to explicitly list the headers you wish to include
</http>
----
If necessary, you can disable the HTTP Security response headers with the following configuration:
[source,xml]
----
<http>
<!-- ... -->
<headers disabled="true" />
</http>
----
If you are using Spring Security's Java configuration, all of the default security headers are added by default. They can be disabled using the Java configuration below:
[source,java]
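Review bot: the new "If necessary, you can disable the HTTP Security response headers" paragraph presents `<headers disabled="true" />` without saying what is lost. Since this commit makes the headers a default protection, the paragraph should state that `disabled="true"` removes all of them at once and point back to the explicit-list form above as the way to omit a single header while keeping the rest; it should also link the `disabled` attribute to its entry in the `<<nsa-headers,<headers>>>` reference section so readers can find the attribute's documentation.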