SEC-2230: Add Header JavaConfig

Added JavaConfig for Headers. In the process, more HeaderWriter instances
were added so that we can reuse logic between the XML and JavaConfig. This
also prompted repackaging the writers.

config/src/main/java/org/springframework/security/config/annotation/web/builders/FilterComparator.java

@@ -36,6 +36,7 @@ import org.springframework.security.web.authentication.ui.DefaultLoginPageViewFi
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.authentication.www.DigestAuthenticationFilter;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter;
+import org.springframework.security.web.header.HeaderWriterFilter;
 import org.springframework.security.web.jaasapi.JaasApiIntegrationFilter;
 import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
@@ -63,6 +64,8 @@ final class FilterComparator implements Comparator<Filter>, Serializable {
         order += STEP;
         put(SecurityContextPersistenceFilter.class, order);
         order += STEP;
+        put(HeaderWriterFilter.class, order);
+        order += STEP;
         put(LogoutFilter.class, order);
         order += STEP;
         put(X509AuthenticationFilter.class, order);

config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -41,6 +41,7 @@ import org.springframework.security.config.annotation.web.configurers.ChannelSec
 import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
 import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
 import org.springframework.security.config.annotation.web.configurers.FormLoginConfigurer;
+import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
 import org.springframework.security.config.annotation.web.configurers.HttpBasicConfigurer;
 import org.springframework.security.config.annotation.web.configurers.JeeConfigurer;
 import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
@@ -239,6 +240,10 @@ public final class HttpSecurity extends AbstractConfiguredSecurityBuilder<Defaul
         return getOrApply(new OpenIDLoginConfigurer<HttpSecurity>());
     }
 
+    public HeadersConfigurer<HttpSecurity> headers() throws Exception {
+        return getOrApply(new HeadersConfigurer<HttpSecurity>());
+    }
+
     /**
      * Allows configuring of Session Management.
      *

config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurerAdapter.java

@@ -155,6 +155,7 @@ public abstract class WebSecurityConfigurerAdapter implements SecurityConfigurer
         if(!disableDefaults) {
             http
                 .exceptionHandling().and()
+                .headers().and()
                 .sessionManagement().and()
                 .securityContext().and()
                 .requestCache().and()

config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java

@@ -0,0 +1,98 @@
+/*
+ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.annotation.web.configurers;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.header.HeaderWriter;
+import org.springframework.security.web.header.HeaderWriterFilter;
+import org.springframework.security.web.header.writers.CacheControlHeadersWriter;
+import org.springframework.security.web.header.writers.HstsHeaderWriter;
+import org.springframework.security.web.header.writers.XContentTypeOptionsHeaderWriter;
+import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;
+import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
+import org.springframework.util.Assert;
+
+/**
+ * @author Rob Winch
+ * @since 3.2
+ * @see RememberMeConfigurer
+ */
+public final class HeadersConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHttpConfigurer<H> {
+    private List<HeaderWriter> headerWriters = new ArrayList<HeaderWriter>();
+
+    /**
+     * Creates a new instance
+     * @see HttpSecurity#headers()
+     */
+    public HeadersConfigurer() {
+    }
+
+    /**
+     * Adds a {@link HeaderWriter} instance
+     * @param headerWriter the {@link HeaderWriter} instance to add
+     * @return the {@link HeadersConfigurer} for additional customizations
+     */
+    public HeadersConfigurer<H> addHeaderWriter(HeaderWriter headerWriter) {
+        Assert.notNull(headerWriter, "headerWriter cannot be null");
+        this.headerWriters.add(headerWriter);
+        return this;
+    }
+
+    @Override
+    public void configure(H http) throws Exception {
+        HeaderWriterFilter headersFilter = createHeaderWriterFilter();
+        http.addFilter(headersFilter);
+    }
+
+    /**
+     * Creates the {@link HeaderWriter}
+     * @return the {@link HeaderWriter}
+     */
+    private HeaderWriterFilter createHeaderWriterFilter() {
+        HeaderWriterFilter headersFilter = new HeaderWriterFilter(getHeaderWriters());
+        headersFilter = postProcess(headersFilter);
+        return headersFilter;
+    }
+
+    /**
+     * Gets the {@link HeaderWriter} instances and possibly initializes with the defaults.
+     * @return
+     */
+    private List<HeaderWriter> getHeaderWriters() {
+        if(headerWriters.isEmpty()) {
+            addDefaultHeaderWriters();
+        }
+        return headerWriters;
+    }
+
+    /**
+     * Explicitly adds the default {@link HeaderWriter} instances. If no,
+     * {@link HeaderWriter} instances have been added this is automatically
+     * invoked.
+     *
+     */
+    private void addDefaultHeaderWriters() {
+        headerWriters.add(new XContentTypeOptionsHeaderWriter());
+        headerWriters.add(new XXssProtectionHeaderWriter());
+        headerWriters.add(new CacheControlHeadersWriter());
+        headerWriters.add(new HstsHeaderWriter());
+        headerWriters.add(new XFrameOptionsHeaderWriter());
+    }
+}

config/src/main/java/org/springframework/security/config/http/HeadersBeanDefinitionParser.java

@@ -27,15 +27,17 @@ import org.springframework.beans.factory.support.BeanDefinitionBuilder;
 import org.springframework.beans.factory.support.ManagedList;
 import org.springframework.beans.factory.xml.BeanDefinitionParser;
 import org.springframework.beans.factory.xml.ParserContext;
-import org.springframework.security.web.headers.Header;
+import org.springframework.security.web.header.HeaderWriterFilter;
-import org.springframework.security.web.headers.HeadersFilter;
+import org.springframework.security.web.header.writers.CacheControlHeadersWriter;
-import org.springframework.security.web.headers.HstsHeaderWriter;
+import org.springframework.security.web.header.writers.HstsHeaderWriter;
-import org.springframework.security.web.headers.StaticHeadersWriter;
+import org.springframework.security.web.header.writers.StaticHeadersWriter;
-import org.springframework.security.web.headers.frameoptions.AbstractRequestParameterAllowFromStrategy;
+import org.springframework.security.web.header.writers.XContentTypeOptionsHeaderWriter;
-import org.springframework.security.web.headers.frameoptions.RegExpAllowFromStrategy;
+import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter;
-import org.springframework.security.web.headers.frameoptions.StaticAllowFromStrategy;
+import org.springframework.security.web.header.writers.frameoptions.AbstractRequestParameterAllowFromStrategy;
-import org.springframework.security.web.headers.frameoptions.WhiteListedAllowFromStrategy;
+import org.springframework.security.web.header.writers.frameoptions.RegExpAllowFromStrategy;
-import org.springframework.security.web.headers.frameoptions.XFrameOptionsHeaderWriter;
+import org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy;
+import org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy;
+import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
 import org.springframework.util.StringUtils;
 import org.springframework.util.xml.DomUtils;
 import org.w3c.dom.Element;
@@ -72,16 +74,13 @@ public class HeadersBeanDefinitionParser implements BeanDefinitionParser {
     private static final String FRAME_OPTIONS_ELEMENT = "frame-options";
     private static final String GENERIC_HEADER_ELEMENT = "header";
 
-    private static final String XSS_PROTECTION_HEADER = "X-XSS-Protection";
-    private static final String CONTENT_TYPE_OPTIONS_HEADER = "X-Content-Type-Options";
-
     private static final String ALLOW_FROM = "ALLOW-FROM";
 
     private ManagedList<BeanMetadataElement> headerWriters;
 
     public BeanDefinition parse(Element element, ParserContext parserContext) {
         headerWriters = new ManagedList<BeanMetadataElement>();
-        BeanDefinitionBuilder builder = BeanDefinitionBuilder.rootBeanDefinition(HeadersFilter.class);
+        BeanDefinitionBuilder builder = BeanDefinitionBuilder.rootBeanDefinition(HeaderWriterFilter.class);
 
         parseCacheControlElement(element);
         parseHstsElement(element);
@@ -100,9 +99,7 @@ public class HeadersBeanDefinitionParser implements BeanDefinitionParser {
             frameOptions.addConstructorArgValue("DENY");
             headerWriters.add(frameOptions.getBeanDefinition());
 
-            BeanDefinitionBuilder xss = BeanDefinitionBuilder.genericBeanDefinition(StaticHeadersWriter.class);
+            BeanDefinitionBuilder xss = BeanDefinitionBuilder.genericBeanDefinition(XXssProtectionHeaderWriter.class);
-            xss.addConstructorArgValue(XSS_PROTECTION_HEADER);
-            xss.addConstructorArgValue("1; mode=block");
             headerWriters.add(xss.getBeanDefinition());
         }
         builder.addConstructorArgValue(headerWriters);
@@ -117,28 +114,7 @@ public class HeadersBeanDefinitionParser implements BeanDefinitionParser {
     }
 
     private void addCacheControl() {
-        ManagedList<BeanDefinition> headers = new ManagedList<BeanDefinition>();
+        BeanDefinitionBuilder headersWriter = BeanDefinitionBuilder.genericBeanDefinition(CacheControlHeadersWriter.class);
-
-        BeanDefinitionBuilder pragmaHeader = BeanDefinitionBuilder.genericBeanDefinition(Header.class);
-        pragmaHeader.addConstructorArgValue("Pragma");
-        ManagedList<String> pragmaValues = new ManagedList<String>();
-        pragmaValues.add("no-cache");
-        pragmaHeader.addConstructorArgValue(pragmaValues);
-        headers.add(pragmaHeader.getBeanDefinition());
-
-        BeanDefinitionBuilder cacheControlHeader = BeanDefinitionBuilder.genericBeanDefinition(Header.class);
-        cacheControlHeader.addConstructorArgValue("Cache-Control");
-        ManagedList<String> cacheControlValues = new ManagedList<String>();
-        cacheControlValues.add("no-cache");
-        cacheControlValues.add("no-store");
-        cacheControlValues.add("max-age=0");
-        cacheControlValues.add("must-revalidate");
-        cacheControlHeader.addConstructorArgValue(cacheControlValues);
-        headers.add(cacheControlHeader.getBeanDefinition());
-
-        BeanDefinitionBuilder headersWriter = BeanDefinitionBuilder.genericBeanDefinition(StaticHeadersWriter.class);
-        headersWriter.addConstructorArgValue(headers);
-
         headerWriters.add(headersWriter.getBeanDefinition());
     }
 
@@ -191,9 +167,7 @@ public class HeadersBeanDefinitionParser implements BeanDefinitionParser {
     }
 
     private void addContentTypeOptions() {
-        BeanDefinitionBuilder builder = BeanDefinitionBuilder.genericBeanDefinition(StaticHeadersWriter.class);
+        BeanDefinitionBuilder builder = BeanDefinitionBuilder.genericBeanDefinition(XContentTypeOptionsHeaderWriter.class);
-        builder.addConstructorArgValue(CONTENT_TYPE_OPTIONS_HEADER);
-        builder.addConstructorArgValue("nosniff");
         headerWriters.add(builder.getBeanDefinition());
     }
 
@@ -256,18 +230,16 @@ public class HeadersBeanDefinitionParser implements BeanDefinitionParser {
     private void parseXssElement(Element element, ParserContext parserContext) {
         Element xssElt = DomUtils.getChildElementByTagName(element, XSS_ELEMENT);
         if (xssElt != null) {
-            boolean enabled = Boolean.valueOf(getAttribute(xssElt, ATT_ENABLED, "true"));
+            String enabled = xssElt.getAttribute(ATT_ENABLED);
-            boolean block = Boolean.valueOf(getAttribute(xssElt, ATT_BLOCK, enabled ? "true" : "false"));
+            String block = xssElt.getAttribute(ATT_BLOCK);
 
-            String value = enabled ? "1" : "0";
+            BeanDefinitionBuilder builder = BeanDefinitionBuilder.genericBeanDefinition(XXssProtectionHeaderWriter.class);
-            if (enabled && block) {
+            if(StringUtils.hasText(enabled)) {
-                value += "; mode=block";
+                builder.addPropertyValue("enabled", enabled);
-            } else if (!enabled && block) {
+            }
-                parserContext.getReaderContext().error("<xss-protection enabled=\"false\"/> does not allow block=\"true\".", xssElt);
+            if(StringUtils.hasText(block)) {
+                builder.addPropertyValue("block", block);
             }
-            BeanDefinitionBuilder builder = BeanDefinitionBuilder.genericBeanDefinition(StaticHeadersWriter.class);
-            builder.addConstructorArgValue(XSS_PROTECTION_HEADER);
-            builder.addConstructorArgValue(value);
             headerWriters.add(builder.getBeanDefinition());
         }
     }

config/src/test/groovy/org/springframework/security/config/annotation/BaseSpringSpec.groovy

@@ -84,6 +84,14 @@ abstract class BaseSpringSpec extends Specification {
         context.getBean("springSecurityFilterChain",Filter.class)
     }
 
+    def getResponseHeaders() {
+        def headers = [:]
+        response.headerNames.each { name ->
+            headers.put(name, response.getHeaderValues(name).join(','))
+        }
+        return headers
+    }
+
     AuthenticationManager authenticationManager() {
         context.getBean(AuthenticationManager)
     }

config/src/test/groovy/org/springframework/security/config/annotation/web/WebSecurityConfigurerAdapterTests.groovy

@@ -66,6 +66,39 @@ class WebSecurityConfigurerAdapterTests extends BaseSpringSpec {
             authenticationManager.messages.messageSource instanceof ApplicationContext
     }
 
+    def "headers are populated by default"() {
+        setup: "load config that overrides http and accepts defaults"
+            loadConfig(HeadersArePopulatedByDefaultConfig)
+            request.secure = true
+        when: "invoke the springSecurityFilterChain"
+            springSecurityFilterChain.doFilter(request, response, chain)
+        then: "the default headers are added"
+            responseHeaders == ['X-Content-Type-Options':'nosniff',
+                         'X-Frame-Options':'DENY',
+                         'Strict-Transport-Security': 'max-age=31536000 ; includeSubDomains',
+                         'Cache-Control': 'no-cache,no-store,max-age=0,must-revalidate',
+                         'Pragma':'no-cache',
+                         'X-XSS-Protection' : '1; mode=block']
+    }
+
+    @EnableWebSecurity
+    @Configuration
+    static class HeadersArePopulatedByDefaultConfig extends WebSecurityConfigurerAdapter {
+
+        @Override
+        protected void registerAuthentication(AuthenticationManagerBuilder auth)
+                throws Exception {
+            auth
+                .inMemoryAuthentication()
+                    .withUser("user").password("password").roles("USER")
+        }
+
+        @Override
+        protected void configure(HttpSecurity http) throws Exception {
+
+        }
+    }
+
     def "AuthenticationEventPublisher is registered for Web registerAuthentication"() {
         when:
             loadConfig(InMemoryAuthWithWebSecurityConfigurerAdapter)

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.groovy

@@ -23,12 +23,12 @@ import org.springframework.mock.web.MockFilterChain
 import org.springframework.mock.web.MockHttpServletRequest
 import org.springframework.mock.web.MockHttpServletResponse
 import org.springframework.security.config.annotation.BaseSpringSpec
-import org.springframework.security.config.annotation.web.WebSecurityConfigurer;
+import org.springframework.security.config.annotation.web.WebSecurityConfigurer
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity
-import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity
-import org.springframework.security.config.annotation.web.configuration.BaseWebConfig;
+import org.springframework.security.config.annotation.web.configuration.BaseWebConfig
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
 import org.springframework.security.web.DefaultSecurityFilterChain
 import org.springframework.security.web.FilterChainProxy
 import org.springframework.security.web.access.ExceptionTranslationFilter
@@ -37,9 +37,10 @@ import org.springframework.security.web.authentication.AnonymousAuthenticationFi
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
 import org.springframework.security.web.authentication.logout.LogoutFilter
 import org.springframework.security.web.context.SecurityContextPersistenceFilter
+import org.springframework.security.web.header.HeaderWriterFilter
 import org.springframework.security.web.savedrequest.RequestCacheAwareFilter
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter
-import org.springframework.security.web.session.SessionManagementFilter;
+import org.springframework.security.web.session.SessionManagementFilter
 import org.springframework.security.web.util.AnyRequestMatcher
 
 /**
@@ -113,7 +114,7 @@ class DefaultFiltersTests extends BaseSpringSpec {
         filterChains[0].filters.empty
         filterChains[1].requestMatcher instanceof AnyRequestMatcher
         filterChains[1].filters.collect { it.class } ==
-                [SecurityContextPersistenceFilter, LogoutFilter, RequestCacheAwareFilter,
+                [SecurityContextPersistenceFilter, HeaderWriterFilter, LogoutFilter, RequestCacheAwareFilter,
                  SecurityContextHolderAwareRequestFilter, AnonymousAuthenticationFilter, SessionManagementFilter,
                  ExceptionTranslationFilter, FilterSecurityInterceptor ]
     }

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.groovy

@@ -40,6 +40,7 @@ import org.springframework.security.web.authentication.UsernamePasswordAuthentic
 import org.springframework.security.web.authentication.logout.LogoutFilter
 import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
 import org.springframework.security.web.context.SecurityContextPersistenceFilter
+import org.springframework.security.web.header.HeaderWriterFilter
 import org.springframework.security.web.savedrequest.RequestCacheAwareFilter
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter
 import org.springframework.security.web.session.SessionManagementFilter
@@ -62,7 +63,7 @@ class FormLoginConfigurerTests extends BaseSpringSpec {
             filterChains[0].filters.empty
             filterChains[1].requestMatcher instanceof AnyRequestMatcher
             filterChains[1].filters.collect { it.class.name.contains('$') ? it.class.superclass : it.class } ==
-                    [SecurityContextPersistenceFilter, LogoutFilter, UsernamePasswordAuthenticationFilter,
+                    [SecurityContextPersistenceFilter, HeaderWriterFilter, LogoutFilter, UsernamePasswordAuthenticationFilter,
                      RequestCacheAwareFilter, SecurityContextHolderAwareRequestFilter,
                      AnonymousAuthenticationFilter, SessionManagementFilter, ExceptionTranslationFilter, FilterSecurityInterceptor ]
 

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpHeadersTests.groovy

@@ -0,0 +1,248 @@
+/*
+ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.annotation.web.configurers;
+
+import org.springframework.context.annotation.Configuration
+import org.springframework.security.config.annotation.BaseSpringSpec
+import org.springframework.security.config.annotation.web.builders.HttpSecurity
+import org.springframework.security.config.annotation.web.configuration.BaseWebConfig
+import org.springframework.security.web.header.writers.CacheControlHeadersWriter
+import org.springframework.security.web.header.writers.HstsHeaderWriter
+import org.springframework.security.web.header.writers.StaticHeadersWriter
+import org.springframework.security.web.header.writers.XContentTypeOptionsHeaderWriter
+import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter
+import org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy
+import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter
+import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode
+import org.springframework.security.web.util.AnyRequestMatcher
+
+/**
+ * Tests to verify that all the functionality of <headers> attributes is present
+ *
+ * @author Rob Winch
+ *
+ */
+public class NamespaceHttpHeadersTests extends BaseSpringSpec {
+    def "http/headers"() {
+        setup:
+            loadConfig(HeadersDefaultConfig)
+            request.secure = true
+        when:
+            springSecurityFilterChain.doFilter(request,response,chain)
+        then:
+            responseHeaders == ['X-Content-Type-Options':'nosniff',
+                'X-Frame-Options':'DENY',
+                'Strict-Transport-Security': 'max-age=31536000 ; includeSubDomains',
+                'Cache-Control': 'no-cache,no-store,max-age=0,must-revalidate',
+                'Pragma':'no-cache',
+                'X-XSS-Protection' : '1; mode=block']
+    }
+
+    @Configuration
+    static class HeadersDefaultConfig extends BaseWebConfig {
+        @Override
+        protected void configure(HttpSecurity http) {
+            http
+                .headers()
+        }
+    }
+
+    def "http/headers/cache-control"() {
+        setup:
+            loadConfig(HeadersCacheControlConfig)
+            request.secure = true
+        when:
+            springSecurityFilterChain.doFilter(request,response,chain)
+        then:
+            responseHeaders == ['Cache-Control': 'no-cache,no-store,max-age=0,must-revalidate',
+                'Pragma':'no-cache']
+    }
+
+    @Configuration
+    static class HeadersCacheControlConfig extends BaseWebConfig {
+        @Override
+        protected void configure(HttpSecurity http) {
+            http
+                .headers()
+                    .addHeaderWriter(new CacheControlHeadersWriter())
+        }
+    }
+
+    def "http/headers/hsts"() {
+        setup:
+            loadConfig(HstsConfig)
+            request.secure = true
+        when:
+            springSecurityFilterChain.doFilter(request,response,chain)
+        then:
+            responseHeaders == ['Strict-Transport-Security': 'max-age=31536000 ; includeSubDomains']
+    }
+
+    @Configuration
+    static class HstsConfig extends BaseWebConfig {
+        @Override
+        protected void configure(HttpSecurity http) {
+            http
+                .headers()
+                    .addHeaderWriter(new HstsHeaderWriter())
+        }
+    }
+
+    def "http/headers/hsts custom"() {
+        setup:
+            loadConfig(HstsCustomConfig)
+        when:
+            springSecurityFilterChain.doFilter(request,response,chain)
+        then:
+            responseHeaders == ['Strict-Transport-Security': 'max-age=15768000']
+    }
+
+    @Configuration
+    static class HstsCustomConfig extends BaseWebConfig {
+        @Override
+        protected void configure(HttpSecurity http) {
+            http
+                .headers()
+                    // hsts@request-matcher-ref, hsts@max-age-seconds, hsts@include-subdomains
+                    // Additional Constructors are provided to leverage default values
+                    .addHeaderWriter(new HstsHeaderWriter(new AnyRequestMatcher(), 15768000, false))
+        }
+    }
+
+    def "http/headers/frame-options@policy=SAMEORIGIN"() {
+        setup:
+            loadConfig(FrameOptionsSameOriginConfig)
+        when:
+            springSecurityFilterChain.doFilter(request,response,chain)
+        then:
+            responseHeaders == ['X-Frame-Options': 'SAMEORIGIN']
+    }
+
+    @Configuration
+    static class FrameOptionsSameOriginConfig extends BaseWebConfig {
+        @Override
+        protected void configure(HttpSecurity http) {
+            http
+                .headers()
+                    // frame-options@policy=SAMEORIGIN
+                    .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN))
+        }
+    }
+
+    // frame-options@strategy, frame-options@value, frame-options@parameter are not provided instead use frame-options@ref
+
+    def "http/headers/frame-options"() {
+        setup:
+            loadConfig(FrameOptionsAllowFromConfig)
+        when:
+            springSecurityFilterChain.doFilter(request,response,chain)
+        then:
+            responseHeaders == ['X-Frame-Options': 'ALLOW-FROM https://example.com']
+    }
+
+
+    @Configuration
+    static class FrameOptionsAllowFromConfig extends BaseWebConfig {
+        @Override
+        protected void configure(HttpSecurity http) {
+            http
+                .headers()
+                    // frame-options@ref
+                    .addHeaderWriter(new XFrameOptionsHeaderWriter(new StaticAllowFromStrategy(new URI("https://example.com"))))
+        }
+    }
+
+    def "http/headers/xss-protection"() {
+        setup:
+            loadConfig(XssProtectionConfig)
+        when:
+            springSecurityFilterChain.doFilter(request,response,chain)
+        then:
+            responseHeaders == ['X-XSS-Protection': '1; mode=block']
+    }
+
+    @Configuration
+    static class XssProtectionConfig extends BaseWebConfig {
+        @Override
+        protected void configure(HttpSecurity http) {
+            http
+                .headers()
+                    // xss-protection
+                    .addHeaderWriter(new XXssProtectionHeaderWriter())
+        }
+    }
+
+    def "http/headers/xss-protection custom"() {
+        setup:
+            loadConfig(XssProtectionCustomConfig)
+        when:
+            springSecurityFilterChain.doFilter(request,response,chain)
+        then:
+            responseHeaders == ['X-XSS-Protection': '1']
+    }
+
+    @Configuration
+    static class XssProtectionCustomConfig extends BaseWebConfig {
+        @Override
+        protected void configure(HttpSecurity http) {
+            http
+                .headers()
+                    // xss-protection@enabled and xss-protection@block
+                    .addHeaderWriter(new XXssProtectionHeaderWriter(enabled:true,block:false))
+        }
+    }
+
+    def "http/headers/content-type-options"() {
+        setup:
+            loadConfig(ContentTypeOptionsConfig)
+        when:
+            springSecurityFilterChain.doFilter(request,response,chain)
+        then:
+            responseHeaders == ['X-Content-Type-Options': 'nosniff']
+    }
+
+    @Configuration
+    static class ContentTypeOptionsConfig extends BaseWebConfig {
+        @Override
+        protected void configure(HttpSecurity http) {
+            http
+                .headers()
+                    // content-type-options
+                    .addHeaderWriter(new XContentTypeOptionsHeaderWriter())
+        }
+    }
+
+    // header@name / header@value are not provided instead use header@ref
+
+    def "http/headers/header@ref"() {
+        setup:
+            loadConfig(HeaderRefConfig)
+        when:
+            springSecurityFilterChain.doFilter(request,response,chain)
+        then:
+            responseHeaders == ['customHeaderName': 'customHeaderValue']
+    }
+
+    @Configuration
+    static class HeaderRefConfig extends BaseWebConfig {
+        @Override
+        protected void configure(HttpSecurity http) {
+            http
+                .headers()
+                    .addHeaderWriter(new StaticHeadersWriter("customHeaderName", "customHeaderValue"))
+        }
+    }
+}

config/src/test/groovy/org/springframework/security/config/http/HttpHeadersConfigTests.groovy

@@ -12,30 +12,15 @@
  */
 package org.springframework.security.config.http
 
-import org.springframework.security.util.FieldUtils
+import org.springframework.beans.factory.BeanCreationException
-
-import javax.servlet.Filter
-import javax.servlet.http.HttpServletRequest
-
-import org.springframework.beans.factory.BeanCreationException;
 import org.springframework.beans.factory.parsing.BeanDefinitionParsingException
-import org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException;
 import org.springframework.mock.web.MockFilterChain
 import org.springframework.mock.web.MockHttpServletRequest
 import org.springframework.mock.web.MockHttpServletResponse
-import org.springframework.security.config.BeanIds
+import org.springframework.security.web.FilterChainProxy
-import org.springframework.security.openid.OpenIDAuthenticationFilter
+import org.springframework.security.web.header.HeaderWriterFilter
-import org.springframework.security.openid.OpenIDAuthenticationToken
+import org.springframework.security.web.header.writers.StaticHeadersWriter
-import org.springframework.security.openid.OpenIDConsumer
+import org.springframework.security.web.util.AnyRequestMatcher
-import org.springframework.security.openid.OpenIDConsumerException
-import org.springframework.security.web.FilterChainProxy;
-import org.springframework.security.web.access.ExceptionTranslationFilter
-import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices
-import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter
-import org.springframework.security.web.headers.HeadersFilter
-import org.springframework.security.web.headers.StaticHeadersWriter;
-import org.springframework.security.web.headers.frameoptions.StaticAllowFromStrategy;
-import org.springframework.security.web.util.AnyRequestMatcher;
 
 /**
  *
@@ -48,7 +33,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
         }
         createAppContext()
 
-        def hf = getFilter(HeadersFilter)
+        def hf = getFilter(HeaderWriterFilter)
 
         expect:
         !hf
@@ -61,7 +46,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
             }
             createAppContext()
         when:
-            def hf = getFilter(HeadersFilter)
+            def hf = getFilter(HeaderWriterFilter)
             MockHttpServletResponse response = new MockHttpServletResponse()
             hf.doFilter(new MockHttpServletRequest(secure:true), response, new MockFilterChain())
         then:
@@ -81,7 +66,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
         }
         createAppContext()
 
-        def hf = getFilter(HeadersFilter)
+        def hf = getFilter(HeaderWriterFilter)
         MockHttpServletResponse response = new MockHttpServletResponse()
         hf.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
 
@@ -97,7 +82,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
         }
         createAppContext()
 
-        def hf = getFilter(HeadersFilter)
+        def hf = getFilter(HeaderWriterFilter)
         MockHttpServletResponse response = new MockHttpServletResponse()
         hf.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
 
@@ -113,7 +98,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
         }
         createAppContext()
 
-        def hf = getFilter(HeadersFilter)
+        def hf = getFilter(HeaderWriterFilter)
         MockHttpServletResponse response = new MockHttpServletResponse()
         hf.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
 
@@ -129,7 +114,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
         }
         createAppContext()
 
-        def hf = getFilter(HeadersFilter)
+        def hf = getFilter(HeaderWriterFilter)
         MockHttpServletResponse response = new MockHttpServletResponse()
         hf.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
 
@@ -146,7 +131,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
         }
         createAppContext()
 
-        def hf = getFilter(HeadersFilter)
+        def hf = getFilter(HeaderWriterFilter)
 
         then:
         BeanDefinitionParsingException e = thrown()
@@ -162,7 +147,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
         }
         createAppContext()
 
-        def hf = getFilter(HeadersFilter)
+        def hf = getFilter(HeaderWriterFilter)
 
         then:
         BeanDefinitionParsingException e = thrown()
@@ -178,7 +163,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
         }
         createAppContext()
 
-        def hf = getFilter(HeadersFilter)
+        def hf = getFilter(HeaderWriterFilter)
         MockHttpServletResponse response = new MockHttpServletResponse()
         hf.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
 
@@ -195,7 +180,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
         }
         createAppContext()
 
-        def hf = getFilter(HeadersFilter)
+        def hf = getFilter(HeaderWriterFilter)
         MockHttpServletResponse response = new MockHttpServletResponse()
         hf.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
 
@@ -213,7 +198,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
         }
         createAppContext()
 
-        def hf = getFilter(HeadersFilter)
+        def hf = getFilter(HeaderWriterFilter)
         MockHttpServletResponse response = new MockHttpServletResponse()
         hf.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
 
@@ -234,7 +219,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
             }
             createAppContext()
         when:
-            def hf = getFilter(HeadersFilter)
+            def hf = getFilter(HeaderWriterFilter)
             MockHttpServletResponse response = new MockHttpServletResponse()
             hf.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
         then:
@@ -276,7 +261,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
         }
         createAppContext()
 
-        def hf = getFilter(HeadersFilter)
+        def hf = getFilter(HeaderWriterFilter)
         MockHttpServletResponse response = new MockHttpServletResponse()
         hf.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
 
@@ -293,7 +278,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
         }
         createAppContext()
 
-        def hf = getFilter(HeadersFilter)
+        def hf = getFilter(HeaderWriterFilter)
         MockHttpServletResponse response = new MockHttpServletResponse()
         hf.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
 
@@ -310,7 +295,7 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
         }
         createAppContext()
 
-        def hf = getFilter(HeadersFilter)
+        def hf = getFilter(HeaderWriterFilter)
         MockHttpServletResponse response = new MockHttpServletResponse()
         hf.doFilter(new MockHttpServletRequest(), response, new MockFilterChain())
 
@@ -327,11 +312,11 @@ class HttpHeadersConfigTests extends AbstractHttpConfigTests {
         }
         createAppContext()
 
-        def hf = getFilter(HeadersFilter)
+        def hf = getFilter(HeaderWriterFilter)
 
         then:
-        BeanDefinitionParsingException e = thrown()
+        BeanCreationException e = thrown()
-        e.message.contains '<xss-protection enabled="false"/> does not allow block="true".'
+        e.message.contains 'Cannot set block to true with enabled false'
     }
 
     def 'http headers cache-control'() {

web/src/main/java/org/springframework/security/web/header/Header.java

@@ -1,4 +1,4 @@
-package org.springframework.security.web.headers;
+package org.springframework.security.web.header;
 
 import java.util.Arrays;
 import java.util.List;

web/src/main/java/org/springframework/security/web/header/HeaderWriter.java

@@ -13,7 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.springframework.security.web.headers;
+package org.springframework.security.web.header;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -21,7 +21,7 @@ import javax.servlet.http.HttpServletResponse;
 /**
  * Contract for writing headers to a {@link HttpServletResponse}
  *
- * @see HeadersFilter
+ * @see HeaderWriterFilter
  *
  * @author Marten Deinum
  * @author Rob Winch

web/src/main/java/org/springframework/security/web/header/HeaderWriterFilter.java

@@ -13,7 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.springframework.security.web.headers;
+package org.springframework.security.web.header;
 
 import org.springframework.util.Assert;
 import org.springframework.web.filter.OncePerRequestFilter;
@@ -33,7 +33,7 @@ import java.util.*;
  * @since 3.2
  *
  */
-public class HeadersFilter extends OncePerRequestFilter {
+public class HeaderWriterFilter extends OncePerRequestFilter {
 
     /** Collection of {@link HeaderWriter} instances to  write out the headers to the response . */
     private final List<HeaderWriter> headerWriters;
@@ -43,7 +43,7 @@ public class HeadersFilter extends OncePerRequestFilter {
      *
      * @param headerWriters the {@link HeaderWriter} instances to write out headers to the {@link HttpServletResponse}.
      */
-    public HeadersFilter(List<HeaderWriter> headerWriters) {
+    public HeaderWriterFilter(List<HeaderWriter> headerWriters) {
         Assert.notEmpty(headerWriters, "headerWriters cannot be null");
         this.headerWriters = headerWriters;
     }

web/src/main/java/org/springframework/security/web/header/writers/CacheControlHeadersWriter.java

@@ -0,0 +1,49 @@
+/*
+ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.web.header.writers;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.springframework.security.web.header.Header;
+
+/**
+ * A {@link StaticHeadersWriter} that inserts headers to prevent caching.
+ * Specifically it adds the following headers:
+ * <ul>
+ * <li>Cache-Control: no-cache, no-store, max-age=0, must-revalidate</li>
+ * <li>Pragma: no-cache</li>
+ * </ul>
+ *
+ * @author Rob Winch
+ * @since 3.2
+ */
+public final class CacheControlHeadersWriter extends StaticHeadersWriter {
+
+    /**
+     * Creates a new instance
+     */
+    public CacheControlHeadersWriter() {
+        super(createHeaders());
+    }
+
+    private static List<Header> createHeaders() {
+        List<Header> headers = new ArrayList<Header>(2);
+        headers.add(new Header("Cache-Control","no-cache","no-store","max-age=0","must-revalidate"));
+        headers.add(new Header("Pragma","no-cache"));
+        return headers;
+    }
+}

web/src/main/java/org/springframework/security/web/header/writers/DelegatingRequestMatcherHeaderWriter.java

@@ -13,11 +13,12 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.springframework.security.web.headers;
+package org.springframework.security.web.header.writers;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.springframework.security.web.header.HeaderWriter;
 import org.springframework.security.web.util.RequestMatcher;
 import org.springframework.util.Assert;
 

web/src/main/java/org/springframework/security/web/header/writers/HstsHeaderWriter.java

@@ -13,13 +13,14 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.springframework.security.web.headers;
+package org.springframework.security.web.header.writers;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.springframework.security.web.header.HeaderWriter;
 import org.springframework.security.web.util.RequestMatcher;
 import org.springframework.util.Assert;
 
@@ -48,11 +49,13 @@ import org.springframework.util.Assert;
  * @since 3.2
  */
 public final class HstsHeaderWriter implements HeaderWriter {
+    private static final long DEFAULT_MAX_AGE_SECONDS = 31536000;
+
     private static final String HSTS_HEADER_NAME = "Strict-Transport-Security";
 
     private final Log logger = LogFactory.getLog(getClass());
 
-    private RequestMatcher requestMatcher = new SecureRequestMatcher();
+    private RequestMatcher requestMatcher;
 
     private long maxAgeInSeconds;
 
@@ -60,12 +63,57 @@ public final class HstsHeaderWriter implements HeaderWriter {
 
     private String hstsHeaderValue;
 
-    public HstsHeaderWriter() {
+    /**
-        this.maxAgeInSeconds = 31536000;
+     * Creates a new instance
-        this.includeSubDomains = true;
+     *
+     * @param requestMatcher maps to {@link #setRequestMatcher(RequestMatcher)}
+     * @param maxAgeInSeconds maps to {@link #setMaxAgeInSeconds(long)}
+     * @param includeSubDomains maps to {@link #setIncludeSubDomains(boolean)}
+     */
+    public HstsHeaderWriter(RequestMatcher requestMatcher,
+            long maxAgeInSeconds, boolean includeSubDomains) {
+        super();
+        this.requestMatcher = requestMatcher;
+        this.maxAgeInSeconds = maxAgeInSeconds;
+        this.includeSubDomains = includeSubDomains;
         updateHstsHeaderValue();
     }
 
+    /**
+     * Creates a new instance
+     *
+     * @param maxAgeInSeconds maps to {@link #setMaxAgeInSeconds(long)}
+     * @param includeSubDomains maps to {@link #setIncludeSubDomains(boolean)}
+     */
+    public HstsHeaderWriter(long maxAgeInSeconds, boolean includeSubDomains) {
+        this(new SecureRequestMatcher(),maxAgeInSeconds,includeSubDomains);
+    }
+
+    /**
+     * Creates a new instance
+     *
+     * @param maxAgeInSeconds maps to {@link #setMaxAgeInSeconds(long)}
+     */
+    public HstsHeaderWriter(long maxAgeInSeconds) {
+        this(new SecureRequestMatcher(),maxAgeInSeconds,true);
+    }
+
+    /**
+     * Creates a new instance
+     *
+     * @param includeSubDomains maps to {@link #setIncludeSubDomains(boolean)}
+     */
+    public HstsHeaderWriter(boolean includeSubDomains) {
+        this(new SecureRequestMatcher(),DEFAULT_MAX_AGE_SECONDS,includeSubDomains);
+    }
+
+    /**
+     * Creates a new instance
+     */
+    public HstsHeaderWriter() {
+        this(DEFAULT_MAX_AGE_SECONDS);
+    }
+
     /*
      * (non-Javadoc)
      *

web/src/main/java/org/springframework/security/web/header/writers/StaticHeadersWriter.java

@@ -1,4 +1,4 @@
-package org.springframework.security.web.headers;
+package org.springframework.security.web.header.writers;
 
 import java.util.Collections;
 import java.util.List;
@@ -6,6 +6,8 @@ import java.util.List;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.springframework.security.web.header.Header;
+import org.springframework.security.web.header.HeaderWriter;
 import org.springframework.util.Assert;
 
 /**

web/src/main/java/org/springframework/security/web/header/writers/XContentTypeOptionsHeaderWriter.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.web.header.writers;
+
+
+/**
+ * A {@link StaticHeadersWriter} that inserts headers to prevent content
+ * sniffing. Specifically the following headers are set:
+ * <ul>
+ * <li>X-Content-Type-Options: nosniff</li>
+ * </ul>
+ *
+ * @author Rob Winch
+ * @since 3.2
+ */
+public final class XContentTypeOptionsHeaderWriter extends StaticHeadersWriter {
+
+    /**
+     * Creates a new instance
+     */
+    public XContentTypeOptionsHeaderWriter() {
+        super("X-Content-Type-Options","nosniff");
+    }
+}

web/src/main/java/org/springframework/security/web/header/writers/XXssProtectionHeaderWriter.java

@@ -0,0 +1,118 @@
+/*
+ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.web.header.writers;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.security.web.header.HeaderWriter;
+
+/**
+ * Renders the <a href=
+ * "http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx"
+ * >X-XSS-Protection header</a>.
+ *
+ * @author Rob Winch
+ * @since 3.2
+ */
+public final class XXssProtectionHeaderWriter implements HeaderWriter {
+    private static final String XSS_PROTECTION_HEADER = "X-XSS-Protection";
+
+    private boolean enabled;
+
+    private boolean block;
+
+    private String headerValue;
+
+    /**
+     * Create a new instance
+     */
+    public XXssProtectionHeaderWriter() {
+        this.enabled = true;
+        this.block = true;
+        updateHeaderValue();
+    }
+
+    @Override
+    public void writeHeaders(HttpServletRequest request,
+            HttpServletResponse response) {
+        response.setHeader(XSS_PROTECTION_HEADER, headerValue);
+    }
+
+    /**
+     * If true, will contain a value of 1. For example:
+     *
+     * <pre>
+     * X-XSS-Protection: 1
+     * </pre>
+     *
+     * or if {@link #setBlock(boolean)} is true
+     *
+     *
+     * <pre>
+     * X-XSS-Protection: 1; mode=block
+     * </pre>
+     *
+     * If false, will explicitly disable specify that X-XSS-Protection is
+     * disabled. For example:
+     *
+     * <pre>
+     * X-XSS-Protection: 0
+     * </pre>
+     *
+     * @param enabled the new value
+     */
+    public void setEnabled(boolean enabled) {
+        if(!enabled) {
+            setBlock(false);
+        }
+        this.enabled = enabled;
+        updateHeaderValue();
+    }
+
+
+    /**
+     * If false, will not specify the mode as blocked. In this instance, any
+     * content will be attempted to be fixed. If true, the content will be
+     * replaced with "#".
+     *
+     * @param enabled
+     *            the new value
+     */
+    public void setBlock(boolean block) {
+        if(!enabled && block) {
+            throw new IllegalArgumentException("Cannot set block to true with enabled false");
+        }
+        this.block = block;
+        updateHeaderValue();
+    }
+
+    private void updateHeaderValue() {
+        if(!enabled) {
+            this.headerValue = "0";
+            return;
+        }
+        this.headerValue = "1";
+        if(block) {
+            this.headerValue += "; mode=block";
+        }
+    }
+
+    @Override
+    public String toString() {
+        return getClass().getName() + " [headerValue=" + headerValue + "]";
+    }
+}

web/src/main/java/org/springframework/security/web/header/writers/frameoptions/AbstractRequestParameterAllowFromStrategy.java

@@ -1,4 +1,4 @@
-package org.springframework.security.web.headers.frameoptions;
+package org.springframework.security.web.header.writers.frameoptions;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;

web/src/main/java/org/springframework/security/web/header/writers/frameoptions/AllowFromStrategy.java

@@ -1,4 +1,4 @@
-package org.springframework.security.web.headers.frameoptions;
+package org.springframework.security.web.header.writers.frameoptions;
 
 import javax.servlet.http.HttpServletRequest;
 

web/src/main/java/org/springframework/security/web/header/writers/frameoptions/RegExpAllowFromStrategy.java

@@ -1,4 +1,4 @@
-package org.springframework.security.web.headers.frameoptions;
+package org.springframework.security.web.header.writers.frameoptions;
 
 import org.springframework.util.Assert;
 

web/src/main/java/org/springframework/security/web/header/writers/frameoptions/StaticAllowFromStrategy.java

@@ -1,4 +1,4 @@
-package org.springframework.security.web.headers.frameoptions;
+package org.springframework.security.web.header.writers.frameoptions;
 
 import javax.servlet.http.HttpServletRequest;
 import java.net.URI;

web/src/main/java/org/springframework/security/web/header/writers/frameoptions/WhiteListedAllowFromStrategy.java

@@ -1,4 +1,4 @@
-package org.springframework.security.web.headers.frameoptions;
+package org.springframework.security.web.header.writers.frameoptions;
 
 import java.util.Collection;
 

web/src/main/java/org/springframework/security/web/header/writers/frameoptions/XFrameOptionsHeaderWriter.java

@@ -13,9 +13,9 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.springframework.security.web.headers.frameoptions;
+package org.springframework.security.web.header.writers.frameoptions;
 
-import org.springframework.security.web.headers.HeaderWriter;
+import org.springframework.security.web.header.HeaderWriter;
 import org.springframework.util.Assert;
 
 import javax.servlet.http.HttpServletRequest;
@@ -38,6 +38,13 @@ public class XFrameOptionsHeaderWriter implements HeaderWriter {
     private final AllowFromStrategy allowFromStrategy;
     private final XFrameOptionsMode frameOptionsMode;
 
+    /**
+     * Creates an instance with {@link XFrameOptionsMode#DENY}
+     */
+    public XFrameOptionsHeaderWriter() {
+        this(XFrameOptionsMode.DENY);
+    }
+
     /**
      * Creates a new instance
      *

web/src/test/java/org/springframework/security/web/header/HeaderWriterFilterTests.java

@@ -13,7 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.springframework.security.web.headers;
+package org.springframework.security.web.header;
 
 import static org.fest.assertions.Assertions.assertThat;
 import static org.mockito.Mockito.verify;
@@ -28,6 +28,8 @@ import org.mockito.runners.MockitoJUnitRunner;
 import org.springframework.mock.web.MockFilterChain;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.web.header.HeaderWriter;
+import org.springframework.security.web.header.HeaderWriterFilter;
 
 /**
  * Tests for the {@code HeadersFilter}
@@ -37,7 +39,7 @@ import org.springframework.mock.web.MockHttpServletResponse;
  * @since 3.2
  */
 @RunWith(MockitoJUnitRunner.class)
-public class HeadersFilterTests {
+public class HeaderWriterFilterTests {
     @Mock
     private HeaderWriter writer1;
 
@@ -47,12 +49,12 @@ public class HeadersFilterTests {
     @Test(expected = IllegalArgumentException.class)
     public void noHeadersConfigured() throws Exception {
         List<HeaderWriter> headerWriters = new ArrayList<HeaderWriter>();
-        new HeadersFilter(headerWriters);
+        new HeaderWriterFilter(headerWriters);
     }
 
     @Test(expected = IllegalArgumentException.class)
     public void constructorNullWriters() throws Exception {
-        new HeadersFilter(null);
+        new HeaderWriterFilter(null);
     }
 
     @Test
@@ -61,7 +63,7 @@ public class HeadersFilterTests {
         headerWriters.add(writer1);
         headerWriters.add(writer2);
 
-        HeadersFilter filter = new HeadersFilter(headerWriters);
+        HeaderWriterFilter filter = new HeaderWriterFilter(headerWriters);
 
         MockHttpServletRequest request = new MockHttpServletRequest();
         MockHttpServletResponse response = new MockHttpServletResponse();

web/src/test/java/org/springframework/security/web/header/writers/CacheControlHeadersWriterTests.java

@@ -0,0 +1,54 @@
+/*
+ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.web.header.writers;
+
+import static org.fest.assertions.Assertions.assertThat;
+
+import java.util.Arrays;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+
+/**
+ * @author Rob Winch
+ *
+ */
+public class CacheControlHeadersWriterTests {
+
+    private MockHttpServletRequest request;
+
+    private MockHttpServletResponse response;
+
+    private CacheControlHeadersWriter writer;
+
+    @Before
+    public void setup() {
+        request = new MockHttpServletRequest();
+        response = new MockHttpServletResponse();
+        writer = new CacheControlHeadersWriter();
+    }
+
+    @Test
+    public void writeHeaders() {
+        writer.writeHeaders(request, response);
+
+        assertThat(response.getHeaderNames().size()).isEqualTo(2);
+        assertThat(response.getHeaderValues("Cache-Control")).isEqualTo(Arrays.asList("no-cache","no-store","max-age=0","must-revalidate"));
+        assertThat(response.getHeaderValues("Pragma")).isEqualTo(Arrays.asList("no-cache"));
+    }
+}

web/src/test/java/org/springframework/security/web/header/writers/DelegatingRequestMatcherHeaderWriterTests.java

@@ -13,9 +13,8 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.springframework.security.web.headers;
+package org.springframework.security.web.header.writers;
 
-import static org.junit.Assert.fail;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
@@ -27,6 +26,7 @@ import org.mockito.Mock;
 import org.mockito.runners.MockitoJUnitRunner;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.web.header.HeaderWriter;
 import org.springframework.security.web.util.RequestMatcher;
 
 /**

web/src/test/java/org/springframework/security/web/header/writers/HstsHeaderWriterTests.java

@@ -0,0 +1,145 @@
+/*
+ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.web.header.writers;
+
+import static org.fest.assertions.Assertions.assertThat;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.web.header.writers.HstsHeaderWriter;
+import org.springframework.security.web.util.AnyRequestMatcher;
+
+/**
+ * @author Rob Winch
+ *
+ */
+public class HstsHeaderWriterTests {
+    private MockHttpServletRequest request;
+    private MockHttpServletResponse response;
+
+    private HstsHeaderWriter writer;
+
+    @Before
+    public void setup() {
+        request = new MockHttpServletRequest();
+        request.setSecure(true);
+        response = new MockHttpServletResponse();
+
+        writer = new HstsHeaderWriter();
+    }
+
+    @Test
+    public void allArgsCustomConstructorWriteHeaders() {
+        request.setSecure(false);
+        writer = new HstsHeaderWriter(new AnyRequestMatcher(), 15768000, false);
+
+        writer.writeHeaders(request, response);
+
+        assertThat(response.getHeaderNames().size()).isEqualTo(1);
+        assertThat(response.getHeader("Strict-Transport-Security")).isEqualTo("max-age=15768000");
+    }
+
+    @Test
+    public void maxAgeAndIncludeSubdomainsCustomConstructorWriteHeaders() {
+        request.setSecure(false);
+        writer = new HstsHeaderWriter(new AnyRequestMatcher(), 15768000, false);
+
+        writer.writeHeaders(request, response);
+
+        assertThat(response.getHeaderNames().size()).isEqualTo(1);
+        assertThat(response.getHeader("Strict-Transport-Security")).isEqualTo("max-age=15768000");
+    }
+
+    @Test
+    public void maxAgeCustomConstructorWriteHeaders() {
+        writer = new HstsHeaderWriter(15768000);
+
+        writer.writeHeaders(request, response);
+
+        assertThat(response.getHeaderNames().size()).isEqualTo(1);
+        assertThat(response.getHeader("Strict-Transport-Security")).isEqualTo("max-age=15768000 ; includeSubDomains");
+    }
+
+    @Test
+    public void includeSubDomainsCustomConstructorWriteHeaders() {
+        writer = new HstsHeaderWriter(false);
+
+        writer.writeHeaders(request, response);
+
+        assertThat(response.getHeaderNames().size()).isEqualTo(1);
+        assertThat(response.getHeader("Strict-Transport-Security")).isEqualTo("max-age=31536000");
+    }
+
+    @Test
+    public void writeHeadersDefaultValues() {
+        writer.writeHeaders(request, response);
+
+        assertThat(response.getHeaderNames().size()).isEqualTo(1);
+        assertThat(response.getHeader("Strict-Transport-Security")).isEqualTo("max-age=31536000 ; includeSubDomains");
+    }
+
+    @Test
+    public void writeHeadersIncludeSubDomainsFalse() {
+        writer.setIncludeSubDomains(false);
+
+        writer.writeHeaders(request, response);
+
+        assertThat(response.getHeaderNames().size()).isEqualTo(1);
+        assertThat(response.getHeader("Strict-Transport-Security")).isEqualTo("max-age=31536000");
+    }
+
+    @Test
+    public void writeHeadersCustomMaxAgeInSeconds() {
+        writer.setMaxAgeInSeconds(1);
+
+        writer.writeHeaders(request, response);
+
+        assertThat(response.getHeaderNames().size()).isEqualTo(1);
+        assertThat(response.getHeader("Strict-Transport-Security")).isEqualTo("max-age=1 ; includeSubDomains");
+    }
+
+    @Test
+    public void writeHeadersInsecureRequestDoesNotWriteHeader() {
+        request.setSecure(false);
+
+        writer.writeHeaders(request, response);
+
+        assertThat(response.getHeaderNames().isEmpty()).isTrue();
+    }
+
+    @Test
+    public void writeHeadersAnyRequestMatcher() {
+        writer.setRequestMatcher(new AnyRequestMatcher());
+        request.setSecure(false);
+
+        writer.writeHeaders(request, response);
+
+        assertThat(response.getHeaderNames().size()).isEqualTo(1);
+        assertThat(response.getHeader("Strict-Transport-Security")).isEqualTo("max-age=31536000 ; includeSubDomains");
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void setMaxAgeInSecondsToNegative() {
+        writer.setMaxAgeInSeconds(-1);
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void setRequestMatcherToNull() {
+        writer.setRequestMatcher(null);
+    }
+}

web/src/test/java/org/springframework/security/web/header/writers/StaticHeaderWriterTests.java

@@ -13,7 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.springframework.security.web.headers;
+package org.springframework.security.web.header.writers;
 
 import static org.fest.assertions.Assertions.assertThat;
 
@@ -24,6 +24,8 @@ import org.junit.Before;
 import org.junit.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.web.header.Header;
+import org.springframework.security.web.header.writers.StaticHeadersWriter;
 
 /**
  * Test for the {@code StaticHeadersWriter}

web/src/test/java/org/springframework/security/web/header/writers/XContentTypeOptionsHeaderWriterTests.java

@@ -0,0 +1,53 @@
+/*
+ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.web.header.writers;
+
+import static org.fest.assertions.Assertions.assertThat;
+
+import java.util.Arrays;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+
+/**
+ * @author Rob Winch
+ *
+ */
+public class XContentTypeOptionsHeaderWriterTests {
+
+    private MockHttpServletRequest request;
+
+    private MockHttpServletResponse response;
+
+    private XContentTypeOptionsHeaderWriter writer;
+
+    @Before
+    public void setup() {
+        request = new MockHttpServletRequest();
+        response = new MockHttpServletResponse();
+        writer = new XContentTypeOptionsHeaderWriter();
+    }
+
+    @Test
+    public void writeHeaders() {
+        writer.writeHeaders(request, response);
+
+        assertThat(response.getHeaderNames().size()).isEqualTo(1);
+        assertThat(response.getHeaderValues("X-Content-Type-Options")).isEqualTo(Arrays.asList("nosniff"));
+    }
+}

web/src/test/java/org/springframework/security/web/header/writers/XXssProtectionHeaderWriterTests.java

@@ -13,10 +13,12 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.springframework.security.web.headers;
+package org.springframework.security.web.header.writers;
 
 import static org.fest.assertions.Assertions.assertThat;
 
+import java.util.Arrays;
+
 import org.junit.Before;
 import org.junit.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
@@ -26,65 +28,66 @@ import org.springframework.mock.web.MockHttpServletResponse;
  * @author Rob Winch
  *
  */
-public class HstsHeaderWriterTests {
+public class XXssProtectionHeaderWriterTests {
+
     private MockHttpServletRequest request;
+
     private MockHttpServletResponse response;
 
-    private HstsHeaderWriter writer;
+    private XXssProtectionHeaderWriter writer;
 
     @Before
     public void setup() {
         request = new MockHttpServletRequest();
-        request.setSecure(true);
         response = new MockHttpServletResponse();
-
+        writer = new XXssProtectionHeaderWriter();
-        writer = new HstsHeaderWriter();
     }
 
     @Test
-    public void writeHeadersDefaultValues() {
+    public void writeHeaders() {
         writer.writeHeaders(request, response);
 
         assertThat(response.getHeaderNames().size()).isEqualTo(1);
-        assertThat(response.getHeader("Strict-Transport-Security")).isEqualTo("max-age=31536000 ; includeSubDomains");
+        assertThat(response.getHeaderValues("X-XSS-Protection")).isEqualTo(Arrays.asList("1; mode=block"));
     }
 
     @Test
-    public void writeHeadersIncludeSubDomainsFalse() {
+    public void writeHeadersNoBlock() {
-        writer.setIncludeSubDomains(false);
+        writer.setBlock(false);
 
         writer.writeHeaders(request, response);
 
         assertThat(response.getHeaderNames().size()).isEqualTo(1);
-        assertThat(response.getHeader("Strict-Transport-Security")).isEqualTo("max-age=31536000");
+        assertThat(response.getHeaderValues("X-XSS-Protection")).isEqualTo(Arrays.asList("1"));
     }
 
     @Test
-    public void writeHeadersCustomMaxAgeInSeconds() {
+    public void writeHeadersDisabled() {
-        writer.setMaxAgeInSeconds(1);
+        writer.setBlock(false);
+        writer.setEnabled(false);
 
         writer.writeHeaders(request, response);
 
         assertThat(response.getHeaderNames().size()).isEqualTo(1);
-        assertThat(response.getHeader("Strict-Transport-Security")).isEqualTo("max-age=1 ; includeSubDomains");
+        assertThat(response.getHeaderValues("X-XSS-Protection")).isEqualTo(Arrays.asList("0"));
     }
 
     @Test
-    public void writeHeadersInsecureRequestDoesNotWriteHeader() {
+    public void setEnabledFalseWithBlockTrue() {
-        request.setSecure(false);
+        writer.setEnabled(false);
 
         writer.writeHeaders(request, response);
 
-        assertThat(response.getHeaderNames().isEmpty()).isTrue();
+        assertThat(response.getHeaderNames().size()).isEqualTo(1);
+        assertThat(response.getHeaderValues("X-XSS-Protection")).isEqualTo(Arrays.asList("0"));
     }
 
-    @Test(expected = IllegalArgumentException.class)
-    public void setMaxAgeInSecondsToNegative() {
-        writer.setMaxAgeInSeconds(-1);
-    }
 
-    @Test(expected = IllegalArgumentException.class)
+    @Test(expected=IllegalArgumentException.class)
-    public void setRequestMatcherToNull() {
+    public void setBlockTrueWithEnabledFalse() {
-        writer.setRequestMatcher(null);
+        writer.setBlock(false);
+        writer.setEnabled(false);
+
+        writer.setBlock(true);
     }
 }

web/src/test/java/org/springframework/security/web/header/writers/frameoptions/AbstractRequestParameterAllowFromStrategyTests.java

@@ -13,13 +13,14 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.springframework.security.web.headers.frameoptions;
+package org.springframework.security.web.header.writers.frameoptions;
 
 import static org.fest.assertions.Assertions.assertThat;
 
 import org.junit.Before;
 import org.junit.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.security.web.header.writers.frameoptions.AbstractRequestParameterAllowFromStrategy;
 
 /**
  * @author Rob Winch

web/src/test/java/org/springframework/security/web/header/writers/frameoptions/FrameOptionsHeaderWriterTests.java

@@ -13,7 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.springframework.security.web.headers.frameoptions;
+package org.springframework.security.web.header.writers.frameoptions;
 
 import static org.fest.assertions.Assertions.assertThat;
 import static org.mockito.Mockito.when;
@@ -27,7 +27,9 @@ import org.mockito.Mock;
 import org.mockito.runners.MockitoJUnitRunner;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
-import org.springframework.security.web.headers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode;
+import org.springframework.security.web.header.writers.frameoptions.AllowFromStrategy;
+import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
+import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode;
 
 /**
  * @author Rob Winch

web/src/test/java/org/springframework/security/web/header/writers/frameoptions/RegExpAllowFromStrategyTests.java

@@ -1,4 +1,4 @@
-package org.springframework.security.web.headers.frameoptions;
+package org.springframework.security.web.header.writers.frameoptions;
 
 import static org.hamcrest.CoreMatchers.is;
 import static org.junit.Assert.assertThat;
@@ -7,6 +7,7 @@ import java.util.regex.PatternSyntaxException;
 
 import org.junit.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.security.web.header.writers.frameoptions.RegExpAllowFromStrategy;
 
 /**
  *

web/src/test/java/org/springframework/security/web/header/writers/frameoptions/StaticAllowFromStrategyTests.java

@@ -1,7 +1,8 @@
-package org.springframework.security.web.headers.frameoptions;
+package org.springframework.security.web.header.writers.frameoptions;
 
 import org.junit.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy;
 
 import java.net.URI;
 

web/src/test/java/org/springframework/security/web/header/writers/frameoptions/WhiteListedAllowFromStrategyTests.java

@@ -1,7 +1,8 @@
-package org.springframework.security.web.headers.frameoptions;
+package org.springframework.security.web.header.writers.frameoptions;
 
 import org.junit.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy;
 
 import java.util.ArrayList;
 import java.util.List;