HttpSecurityConfiguration applies all defaults

HttpSecurity headers is off by default and relies on
HttpSecurityConfiguration to enable it. This is more consistent with the
other operators

config/src/main/java/org/springframework/security/config/annotation/web/reactive/HttpSecurityConfiguration.java

@@ -67,12 +67,12 @@ public class HttpSecurityConfiguration implements WebFluxConfigurer {
 	@Bean(HTTPSECURITY_BEAN_NAME)
 	@Scope("prototype")
 	public HttpSecurity httpSecurity() {
-		HttpSecurity http = http();
+		return http()
-		http.httpBasic();
+			.authenticationManager(authenticationManager())
-		http.formLogin();
+			.securityContextRepository(new WebSessionSecurityContextRepository())
-		http.authenticationManager(authenticationManager());
+			.headers().and()
-		http.securityContextRepository(new WebSessionSecurityContextRepository());
+			.httpBasic().and()
-		return http;
+			.formLogin().and();
 	}
 
 	private ReactiveAuthenticationManager authenticationManager() {

config/src/main/java/org/springframework/security/config/web/server/HttpSecurity.java

@@ -79,7 +79,7 @@ public class HttpSecurity {
 
 	private AuthorizeExchangeBuilder authorizeExchangeBuilder;
 
-	private HeaderBuilder headers = new HeaderBuilder();
+	private HeaderBuilder headers;
 	private HttpBasicBuilder httpBasic;
 	private FormLoginBuilder formLogin;
 
@@ -132,6 +132,9 @@ public class HttpSecurity {
 	}
 
 	public HeaderBuilder headers() {
+		if(this.headers == null) {
+			this.headers = new HeaderBuilder();
+		}
 		return this.headers;
 	}
 

config/src/test/java/org/springframework/security/config/web/server/HttpSecurityTests.java

@@ -56,7 +56,7 @@ public class HttpSecurityTests {
 
 	@Before
 	public void setup() {
-		this.http = HttpSecurity.http();
+		this.http = HttpSecurity.http().headers().and();
 	}
 
 	@Test