Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add Kotlin WebFlux header configuration to docs 

Issue gh-8172
This commit is contained in:
Eleftheria Stein 2020-07-14 16:34:30 +02:00
parent f8f3302891
commit 683cb49c9d
1 changed files with 234 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

262
docs/manual/src/docs/asciidoc/_includes/reactive/exploits/headers.adoc
View File

@ -13,11 +13,12 @@ While each of these headers are considered best practice, it should be noted tha
You can customize specific headers. You can customize specific headers.
For example, assume that you want the defaults except you wish to specify `SAMEORIGIN` for <<servlet-headers-frame-options,X-Frame-Options>>. For example, assume that you want the defaults except you wish to specify `SAMEORIGIN` for <<servlet-headers-frame-options,X-Frame-Options>>.
You can easily do this with the following Java Configuration: You can easily do this with the following Configuration:
.Customize Default Security Headers with Java Configuration .Customize Default Security Headers
==== ====
[source,java] .Java
[source,java,role="primary"]
---- ----
@Bean @Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -31,14 +32,31 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
return http.build(); return http.build();
} }
---- ----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
headers {
frameOptions {
mode = Mode.SAMEORIGIN
}
}
}
}
----
==== ====
If you do not want the defaults to be added and want explicit control over what should be used, you can disable the defaults. If you do not want the defaults to be added and want explicit control over what should be used, you can disable the defaults.
An example for both Java configuration is provided below: An example is provided below:
.Disable HTTP Security Response Headers .Disable HTTP Security Response Headers
==== ====
[source,java] .Java
[source,java,role="primary"]
---- ----
@Bean @Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -48,6 +66,20 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
return http.build(); return http.build();
} }
---- ----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
headers {
disable()
}
}
}
----
==== ====
[[webflux-headers-cache-control]] [[webflux-headers-cache-control]]
@ -65,7 +97,8 @@ If necessary, you can also disable Spring Security's cache control HTTP response
.Cache Control Disabled .Cache Control Disabled
==== ====
[source,java] .Java
[source,java,role="primary"]
---- ----
@Bean @Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -77,17 +110,34 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
return http.build(); return http.build();
} }
---- ----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
headers {
cache {
disable()
}
}
}
}
----
==== ====
[[webflux-headers-content-type-options]] [[webflux-headers-content-type-options]]
== Content Type Options == Content Type Options
Spring Security includes <<headers-content-type-options,Content-Type>> headers by default. Spring Security includes <<headers-content-type-options,Content-Type>> headers by default.
However, you can disable it in Java Configuration with: However, you can disable it with:
.Content Type Options Disabled with Java Configuration .Content Type Options Disabled
==== ====
[source,java] .Java
[source,java,role="primary"]
---- ----
@Bean @Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -99,17 +149,34 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
return http.build(); return http.build();
} }
---- ----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
headers {
contentTypeOptions {
disable()
}
}
}
}
----
==== ====
[[webflux-headers-hsts]] [[webflux-headers-hsts]]
== HTTP Strict Transport Security (HSTS) == HTTP Strict Transport Security (HSTS)
Spring Security provides the <<headers-hsts,Strict Transport Security>> header by default. Spring Security provides the <<headers-hsts,Strict Transport Security>> header by default.
However, you can customize the results explicitly. However, you can customize the results explicitly.
For example, the following is an example of explicitly providing HSTS with Java Configuration: For example, the following is an example of explicitly providing HSTS:
.Strict Transport Security with Java Configuration .Strict Transport Security
==== ====
[source,java] .Java
[source,java,role="primary"]
---- ----
@Bean @Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -125,17 +192,36 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
return http.build(); return http.build();
} }
---- ----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
headers {
hsts {
includeSubdomains = true
preload = true
maxAge = Duration.ofDays(365)
}
}
}
}
----
==== ====
[[webflux-headers-frame-options]] [[webflux-headers-frame-options]]
== X-Frame-Options == X-Frame-Options
By default, Spring Security disables rendering within an iframe using <<headers-frame-options,X-Frame-Options>>. By default, Spring Security disables rendering within an iframe using <<headers-frame-options,X-Frame-Options>>.
You can customize frame options to use the same origin within Java Configuration using the following: You can customize frame options to use the same origin using the following:
.X-Frame-Options: SAMEORIGIN .X-Frame-Options: SAMEORIGIN
==== ====
[source,java] .Java
[source,java,role="primary"]
---- ----
@Bean @Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -149,16 +235,33 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
return http.build(); return http.build();
} }
---- ----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
headers {
frameOptions {
mode = SAMEORIGIN
}
}
}
}
----
==== ====
[[webflux-headers-xss-protection]] [[webflux-headers-xss-protection]]
== X-XSS-Protection == X-XSS-Protection
By default, Spring Security instructs browsers to block reflected XSS attacks using the <<headers-xss-protection,X-XSS-Protection header>. By default, Spring Security instructs browsers to block reflected XSS attacks using the <<headers-xss-protection,X-XSS-Protection header>.
You can disable `X-XSS-Protection` with the following Java Configuration: You can disable `X-XSS-Protection` with the following Configuration:
.X-XSS-Protection Customization .X-XSS-Protection Customization
==== ====
[source,java] .Java
[source,java,role="primary"]
---- ----
@Bean @Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -170,6 +273,22 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
return http.build(); return http.build();
} }
---- ----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
headers {
xssProtection {
disable()
}
}
}
}
----
==== ====
[[webflux-headers-csp]] [[webflux-headers-csp]]
@ -187,11 +306,12 @@ Content-Security-Policy: script-src 'self' https://trustedscripts.example.com; o
---- ----
==== ====
You can enable the CSP header using Java configuration as shown below: You can enable the CSP header as shown below:
.Content Security Policy .Content Security Policy
==== ====
[source,java] .Java
[source,java,role="primary"]
---- ----
@Bean @Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -205,13 +325,30 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
return http.build(); return http.build();
} }
---- ----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
headers {
contentSecurityPolicy {
policyDirectives = "script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/"
}
}
}
}
----
==== ====
To enable the CSP `report-only` header, provide the following Java configuration: To enable the CSP `report-only` header, provide the following configuration:
.Content Security Policy Report Only .Content Security Policy Report Only
==== ====
[source,java] .Java
[source,java,role="primary"]
---- ----
@Bean @Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -226,17 +363,35 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
return http.build(); return http.build();
} }
---- ----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
headers {
contentSecurityPolicy {
policyDirectives = "script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/"
reportOnly = true
}
}
}
}
----
==== ====
[[webflux-headers-referrer]] [[webflux-headers-referrer]]
== Referrer Policy == Referrer Policy
Spring Security does not add <<headers-referrer,Referrer Policy>> headers by default. Spring Security does not add <<headers-referrer,Referrer Policy>> headers by default.
You can enable the Referrer Policy header using Java configuration as shown below: You can enable the Referrer Policy header using configuration as shown below:
.Referrer Policy Java Configuration .Referrer Policy Configuration
==== ====
[source,java] .Java
[source,java,role="primary"]
---- ----
@Bean @Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -250,6 +405,22 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
return http.build(); return http.build();
} }
---- ----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
headers {
referrerPolicy {
policy = ReferrerPolicy.SAME_ORIGIN
}
}
}
}
----
==== ====
@ -267,11 +438,12 @@ Feature-Policy: geolocation 'self'
---- ----
==== ====
can enable the Feature Policy header using Java configuration as shown below: You can enable the Feature Policy header as shown below:
.Feature-Policy Java Configuration .Feature-Policy Configuration
==== ====
[source,java] .Java
[source,java,role="primary"]
---- ----
@Bean @Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -283,6 +455,20 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
return http.build(); return http.build();
} }
---- ----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
headers {
featurePolicy("geolocation 'self'")
}
}
}
----
==== ====
@ -301,9 +487,10 @@ Clear-Site-Data: "cache", "cookies"
can be sent on log out with the following configuration: can be sent on log out with the following configuration:
.Clear-Site-Data Java Configuration .Clear-Site-Data Configuration
==== ====
[source,java] .Java
[source,java,role="primary"]
---- ----
@Bean @Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -319,4 +506,23 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
return http.build(); return http.build();
} }
---- ----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
fun webFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
val securityContext: ServerLogoutHandler = SecurityContextServerLogoutHandler()
val writer = ClearSiteDataServerHttpHeadersWriter(CACHE, COOKIES)
val clearSiteData: ServerLogoutHandler = HeaderWriterServerLogoutHandler(writer)
val customLogoutHandler = DelegatingServerLogoutHandler(securityContext, clearSiteData)
return http {
// ...
logout {
logoutHandler = customLogoutHandler
}
}
}
----
==== ====