Add Kotlin header configuration samples to docs

Issue gh-8172
This commit is contained in:
Eleftheria Stein 2020-07-10 16:08:02 +02:00
parent 78ed6c4de6
commit 793926b977
1 changed files with 415 additions and 145 deletions


@ -13,11 +13,12 @@ While each of these headers are considered best practice, it should be noted tha
You can customize specific headers.
For example, assume that you want the defaults except you wish to specify `SAMEORIGIN` for <<servlet-headers-frame-options,X-Frame-Options>>.
You can easily do this with the following Java Configuration:
You can easily do this with the following Configuration:
.Customize Default Security Headers with Java Configuration
.Customize Default Security Headers
====
[source,java]
.Java
[source,java,role="primary"]
----
@EnableWebSecurity
public class WebSecurityConfig extends
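Review bot: "You can easily do this with the following Configuration:" capitalises "Configuration" mid-sentence after "Java" was dropped; lowercase "configuration" reads naturally here. The same capitalised form recurs in the later hunks for disabling all headers, HPKP, X-Frame-Options, X-XSS-Protection, custom headers and the headers writer, whereas the CSP report-only and Referrer Policy sentences already use lowercase, so it is worth making consistent across the patch.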
@ -35,13 +36,9 @@ public class WebSecurityConfig extends
}
}
----
====
Alternatively, if you are using Spring Security XML Configuration, you can use the following:
.Customize Default Security Headers with XML Configuration
====
[source,xml]
.XML
[source,xml,role="secondary"]
----
<http>
<!-- ... -->
@ -51,14 +48,35 @@ Alternatively, if you are using Spring Security XML Configuration, you can use t
</headers>
</http>
----
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
// ...
headers {
frameOptions {
sameOrigin = true
}
}
}
}
}
----
====
If you do not want the defaults to be added and want explicit control over what should be used, you can disable the defaults.
An example for both Java and XML based configuration is provided below:
An example is provided below:
If you are using Spring Security's Java Configuration the following will only add <<headers-cache-control,Cache Control>>.
If you are using Spring Security's Configuration the following will only add <<headers-cache-control,Cache Control>>.
[source,java]
.Customize Cache Control Headers
====
.Java
[source,java,role="primary"]
----
@EnableWebSecurity
public class WebSecurityConfig extends
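Review bot: "If you are using Spring Security's Configuration the following will only add <<headers-cache-control,Cache Control>>." no longer reads well once "Java" is removed; suggest "The following configuration will only add <<headers-cache-control,Cache Control>>." It also sits directly after "An example is provided below:", so the block now has two lead-in sentences; consider merging them into one.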
@ -77,9 +95,8 @@ WebSecurityConfigurerAdapter {
}
----
The following XML will only add <<headers-cache-control,Cache Control>>.
[source,xml]
.XML
[source,xml,role="secondary"]
----
<http>
<!-- ... -->
@ -90,10 +107,32 @@ The following XML will only add <<headers-cache-control,Cache Control>>.
</http>
----
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
// ...
headers {
// do not use any default headers unless explicitly listed
defaultsDisabled = true
cacheControl {
}
}
}
}
}
----
====
If necessary, you can disable all of the HTTP Security response headers with the following Java Configuration:
If necessary, you can disable all of the HTTP Security response headers with the following Configuration:
[source,java]
.Disable All HTTP Security Headers
====
.Java
[source,java,role="primary"]
----
@EnableWebSecurity
public class WebSecurityConfig extends
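Review bot: the empty `cacheControl {` / `}` body in the Kotlin sample gives no hint that it is intentional; a short comment such as `// enable Cache-Control with its default settings` (or collapsing it to `cacheControl { }`) would make clear the reader is meant to leave it empty, in the same way the existing comment explains `defaultsDisabled = true`.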
@ -108,9 +147,8 @@ WebSecurityConfigurerAdapter {
}
----
If necessary, you can disable all of the HTTP Security response headers with the following XML configuration below:
[source,xml]
.XML
[source,xml,role="secondary"]
----
<http>
<!-- ... -->
@ -119,6 +157,23 @@ If necessary, you can disable all of the HTTP Security response headers with the
</http>
----
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
// ...
headers {
disable()
}
}
}
}
----
====
[[servlet-headers-cache-control]]
== Cache Control
@ -132,9 +187,10 @@ Details on how to do this can be found in the https://docs.spring.io/spring/docs
If necessary, you can also disable Spring Security's cache control HTTP response headers.
.Cache Control Disabled with Java Configuration
.Cache Control Disabled
====
[source,java]
.Java
[source,java,role="primary"]
----
@Configuration
@EnableWebSecurity
@ -151,13 +207,9 @@ WebSecurityConfigurerAdapter {
}
}
----
====
Similarly, you can use the <<nsa-cache-control,<cache-control>>> element to disable it:
.Cache Control Disabled with XML
====
[source,xml]
.XML
[source,xml,role="secondary"]
----
<http>
<!-- ... -->
@ -167,17 +219,36 @@ Similarly, you can use the <<nsa-cache-control,<cache-control>>> element to disa
</headers>
</http>
----
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
headers {
cacheControl {
disable()
}
}
}
}
}
----
====
[[servlet-headers-content-type-options]]
== Content Type Options
Spring Security includes <<headers-content-type-options,Content-Type>> headers by default.
However, you can disable it in Java Configuration with:
However, you can disable it with:
.Content Type Options Disabled with Java Configuration
.Content Type Options Disabled
====
[source,java]
.Java
[source,java,role="primary"]
----
@Configuration
@EnableWebSecurity
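Review bot: the Kotlin sample for disabling Cache Control omits the `// ...` placeholder that the earlier Kotlin samples put inside `http {`; the Content Type Options, HSTS, HPKP and X-Frame-Options Kotlin samples later in this patch omit it too. Either add it everywhere or drop it everywhere so the samples read uniformly.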
@ -194,13 +265,9 @@ public class WebSecurityConfig extends
}
}
----
====
Similarly, you can use the <<nsa-content-type-options,<content-type-options>>> element to disable it:
.Content Type Options Disabled with XML
====
[source,xml]
.XML
[source,xml,role="secondary"]
----
<http>
<!-- ... -->
@ -210,6 +277,24 @@ Similarly, you can use the <<nsa-content-type-options,<content-type-options>>> e
</headers>
</http>
----
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
headers {
contentTypeOptions {
disable()
}
}
}
}
}
----
====
[[servlet-headers-hsts]]
@ -217,11 +302,12 @@ Similarly, you can use the <<nsa-content-type-options,<content-type-options>>> e
Spring Security provides the <<headers-hsts,Strict Transport Security>> header by default.
However, you can customize the results explicitly.
For example, the following is an example of explicitly providing HSTS with Java Configuration:
For example, the following is an example of explicitly providing HSTS:
.Strict Transport Security with Java Configuration
.Strict Transport Security
====
[source,java]
.Java
[source,java,role="primary"]
----
@EnableWebSecurity
public class WebSecurityConfig extends
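Review bot: "For example, the following is an example of explicitly providing HSTS:" says "example" twice; suggest "For example, the following explicitly configures HSTS:".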
@ -241,14 +327,9 @@ WebSecurityConfigurerAdapter {
}
}
----
====
Similarly, you can explicitly provide HSTS with XML configuration using the <<nsa-hsts,<hsts>>> element as shown below:
.Strict Transport Security with XML Configuration
====
[source,xml]
.XML
[source,xml,role="secondary"]
----
<http>
<!-- ... -->
@ -261,17 +342,38 @@ Similarly, you can explicitly provide HSTS with XML configuration using the <<ns
</headers>
</http>
----
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
headers {
httpStrictTransportSecurity {
includeSubDomains = true
preload = true
maxAgeInSeconds = 31536000
}
}
}
}
}
----
====
[[servlet-headers-hpkp]]
== HTTP Public Key Pinning (HPKP)
For passivity reasons, Spring Security provides servlet support for <<headers-hpkp,HTTP Public Key Pinning>> but it is <<headers-hpkp-deprecated,no longer recommended>>.
You can enable HPKP headers with Java Configuration:
You can enable HPKP headers with the following Configuration:
.HTTP Public Key Pinning with Java Configuration
.HTTP Public Key Pinning
====
[source,java]
.Java
[source,java,role="primary"]
----
@EnableWebSecurity
public class WebSecurityConfig extends
@ -291,13 +393,8 @@ WebSecurityConfigurerAdapter {
}
}
----
====
Similarly you can enable HPKP headers using the <<nsa-hpkp,<hpkp>>> element as shown below:
.HTTP Public Key Pinning with XML Configuration
====
[source,xml]
.XML
[source,xml,role="secondary"]
----
<http>
<!-- ... -->
@ -314,19 +411,40 @@ Similarly you can enable HPKP headers using the <<nsa-hpkp,<hpkp>>> element as s
</headers>
</http>
----
====
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
headers {
httpPublicKeyPinning {
includeSubDomains = true
reportUri = "https://example.net/pkp-report"
pins = mapOf("d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM=" to "sha256",
"E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=" to "sha256")
}
}
}
}
}
----
====
[[servlet-headers-frame-options]]
== X-Frame-Options
By default, Spring Security disables rendering within an iframe using <<headers-frame-options,X-Frame-Options>>.
You can customize frame options to use the same origin within Java Configuration using the following:
You can customize frame options to use the same origin within a Configuration using the following:
.X-Frame-Options: SAMEORIGIN with Java Configuration
.X-Frame-Options: SAMEORIGIN
====
[source,java]
.Java
[source,java,role="primary"]
----
@EnableWebSecurity
public class WebSecurityConfig extends
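Review bot: "You can customize frame options to use the same origin within a Configuration using the following:" is awkward; suggest "You can customize frame options to use the same origin with the following configuration:".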
@ -344,13 +462,9 @@ WebSecurityConfigurerAdapter {
}
}
----
====
Alternatively, you can use <<nsa-frame-options,frame-options>> element within XML configuration:
.X-Frame-Options: SAMEORIGIN with XML Configuration
====
[source,xml]
.XML
[source,xml,role="secondary"]
----
<http>
<!-- ... -->
@ -361,19 +475,38 @@ Alternatively, you can use <<nsa-frame-options,frame-options>> element within XM
</headers>
</http>
----
====
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
headers {
frameOptions {
sameOrigin = true
}
}
}
}
}
----
====
[[servlet-headers-xss-protection]]
== X-XSS-Protection
By default, Spring Security instructs browsers to block reflected XSS attacks using the <<headers-xss-protection,X-XSS-Protection header>.
However, you can change this default.
For example, the following Java Configuration specifies that Spring Security should no longer instruct browsers to block the content:
For example, the following Configuration specifies that Spring Security should no longer instruct browsers to block the content:
.X-XSS-Protection Customization with Java Configuration
.X-XSS-Protection Customization
====
[source,java]
.Java
[source,java,role="primary"]
----
@EnableWebSecurity
public class WebSecurityConfig extends
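Review bot: the unchanged context line "By default, Spring Security instructs browsers to block reflected XSS attacks using the <<headers-xss-protection,X-XSS-Protection header>." closes the cross-reference with a single `>`, so it will not render as a link; since this hunk touches the surrounding lines, change it to `<<headers-xss-protection,X-XSS-Protection header>>.`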
@ -391,13 +524,9 @@ WebSecurityConfigurerAdapter {
}
}
----
====
Similarly, the following XML configuration specifies that Spring Security should no longer instruct browsers to block the content:
.X-XSS-Protection Customization with XML Configuration
====
[source,xml]
.XML
[source,xml,role="secondary"]
----
<http>
<!-- ... -->
@ -407,8 +536,26 @@ Similarly, the following XML configuration specifies that Spring Security should
</headers>
</http>
----
====
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
// ...
http {
headers {
xssProtection {
block = false
}
}
}
}
}
----
====
[[servlet-headers-csp]]
== Content Security Policy (CSP)
@ -426,11 +573,12 @@ Content-Security-Policy: script-src 'self' https://trustedscripts.example.com; o
----
====
You can enable the CSP header using Java configuration as shown below:
You can enable the CSP header as shown below:
.Content Security Policy Java Configuration
.Content Security Policy
====
[source,java]
.Java
[source,java,role="primary"]
----
@EnableWebSecurity
public class WebSecurityConfig extends
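Review bot: in the X-XSS-Protection Kotlin sample the `// ...` placeholder sits before `http {` rather than inside it as in the other Kotlin samples (for example the default-headers and Cache Control samples); move it inside `http {` for consistency.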
@ -448,13 +596,9 @@ WebSecurityConfigurerAdapter {
}
}
----
====
The same can be done using XML configuration with the <<nsa-content-security-policy,<content-security-policy>>> element as shown below:
.Content Security Policy Java Configuration
====
[source,xml]
.XML
[source,xml,role="secondary"]
----
<http>
<!-- ... -->
@ -465,13 +609,33 @@ The same can be done using XML configuration with the <<nsa-content-security-pol
</headers>
</http>
----
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
// ...
headers {
contentSecurityPolicy {
policyDirectives = "script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/"
}
}
}
}
}
----
====
To enable the CSP `report-only` header, provide the following Java configuration:
To enable the CSP `report-only` header, provide the following configuration:
.Content Security Policy Report Only Java Configuration
.Content Security Policy Report Only
====
[source,java]
.Java
[source,java,role="primary"]
----
@EnableWebSecurity
public class WebSecurityConfig extends
@ -490,13 +654,9 @@ public class WebSecurityConfig extends
}
}
----
====
The same can be achieved with XML configuration using:
.Content Security Policy XML Configuration
====
[source,xml]
.XML
[source,xml,role="secondary"]
----
<http>
<!-- ... -->
@ -508,17 +668,38 @@ The same can be achieved with XML configuration using:
</headers>
</http>
----
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
// ...
headers {
contentSecurityPolicy {
policyDirectives = "script-src 'self' https://trustedscripts.example.com; object-src https://trustedplugins.example.com; report-uri /csp-report-endpoint/"
reportOnly = true
}
}
}
}
}
----
====
[[servlet-headers-referrer]]
== Referrer Policy
Spring Security does not add <<headers-referrer,Referrer Policy>> headers by default.
You can enable the Referrer Policy header using Java configuration as shown below:
You can enable the Referrer Policy header using the configuration as shown below:
.Referrer Policy Java Configuration
.Referrer Policy
====
[source,java]
.Java
[source,java,role="primary"]
----
@EnableWebSecurity
public class WebSecurityConfig extends
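Review bot: "You can enable the Referrer Policy header using the configuration as shown below:" is wordy; "You can enable the Referrer Policy header as shown below:" matches the CSP sentence in this patch.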
@ -536,13 +717,9 @@ WebSecurityConfigurerAdapter {
}
}
----
====
You can enable the Referrer-Policy header using XML configuration with the <<nsa-referrer-policy,<referrer-policy>>> element as shown below:
.Referrer Policy XML Configuration
====
[source,xml]
.XML
[source,xml,role="secondary"]
----
<http>
<!-- ... -->
@ -552,8 +729,26 @@ You can enable the Referrer-Policy header using XML configuration with the <<nsa
</headers>
</http>
----
====
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
// ...
headers {
referrerPolicy {
policy = ReferrerPolicy.SAME_ORIGIN
}
}
}
}
}
----
====
[[servlet-headers-feature]]
== Feature Policy
@ -569,11 +764,12 @@ Feature-Policy: geolocation 'self'
----
====
can enable the Feature Policy header using Java configuration as shown below:
can enable the Feature Policy header using the configuration shown below:
.Feature-Policy Java Configuration
.Feature-Policy
====
[source,java]
.Java
[source,java,role="primary"]
----
@EnableWebSecurity
public class WebSecurityConfig extends
@ -589,14 +785,9 @@ WebSecurityConfigurerAdapter {
}
}
----
====
Alternatively, you can enable the Feature-Policy header using XML configuration with the <<nsa-feature-policy,<feature-policy>>> element as shown below:
.Feature-Policy XML Configuration
====
[source,xml]
.XML
[source,xml,role="secondary"]
----
<http>
<!-- ... -->
@ -606,6 +797,23 @@ Alternatively, you can enable the Feature-Policy header using XML configuration
</headers>
</http>
----
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
// ...
headers {
featurePolicy("geolocation 'self'")
}
}
}
}
----
====
[[servlet-headers-clear-site-data]]
@ -623,9 +831,10 @@ Clear-Site-Data: "cache", "cookies"
can be sent on log out with the following configuration:
.Clear-Site-Data Java Configuration
.Clear-Site-Data
====
[source,java]
.Java
[source,java,role="primary"]
----
@EnableWebSecurity
public class WebSecurityConfig extends
@ -640,6 +849,23 @@ WebSecurityConfigurerAdapter {
}
}
----
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
// ...
logout {
addLogoutHandler(HeaderWriterLogoutHandler(ClearSiteDataHeaderWriter(CACHE, COOKIES)))
}
}
}
}
----
====
[[servlet-headers-custom]]
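Review bot: `ClearSiteDataHeaderWriter(CACHE, COOKIES)` relies on `CACHE` and `COOKIES` being imported from the nested `ClearSiteDataHeaderWriter.Directive` enum, and the samples show no imports; either add the import lines or qualify the constants as `ClearSiteDataHeaderWriter.Directive.CACHE` so a reader can resolve them. The same applies to `ReferrerPolicy.SAME_ORIGIN` in the Referrer Policy sample, where `ReferrerPolicy` is nested in `ReferrerPolicyHeaderWriter`.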
@ -657,11 +883,12 @@ For example, given the following custom security header:
X-Custom-Security-Header: header-value
----
The headers could be added to the response using Java Configuration as shown in the following:
The headers could be added to the response using the following Configuration:
.StaticHeadersWriter Java Configuration
.StaticHeadersWriter
====
[source,java]
.Java
[source,java,role="primary"]
----
@EnableWebSecurity
public class WebSecurityConfig extends
@ -677,13 +904,9 @@ WebSecurityConfigurerAdapter {
}
}
----
====
When using the XML namespace, these headers can be added to the response using the <<nsa-header,<header>>> element as shown below:
.StaticHeadersWriter XML Configuration
====
[source,xml]
.XML
[source,xml,role="secondary"]
----
<http>
<!-- ... -->
@ -693,19 +916,36 @@ When using the XML namespace, these headers can be added to the response using t
</headers>
</http>
----
====
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
// ...
headers {
addHeaderWriter(StaticHeadersWriter("X-Custom-Security-Header","header-value"))
}
}
}
}
----
====
[[servlet-headers-writer]]
=== Headers Writer
When the namespace or Java configuration does not support the headers you want, you can create a custom `HeadersWriter` instance or even provide a custom implementation of the `HeadersWriter`.
Let's take a look at an example of using an custom instance of `XFrameOptionsHeaderWriter`.
If you wanted to explicitly configure <<servlet-headers-frame-options>> it could be done with the following Java Configuration:
If you wanted to explicitly configure <<servlet-headers-frame-options>> it could be done with the following Configuration:
.Headers Writer Java Configuration
.Headers Writer
====
[source,java]
.Java
[source,java,role="primary"]
----
@EnableWebSecurity
public class WebSecurityConfig extends
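Review bot: the unchanged sentence "When the namespace or Java configuration does not support the headers you want" now sits above a block that also has a Kotlin tab, so it should read "When the namespace, Java or Kotlin configuration does not support ..."; the next line has the typo "an custom instance" (should be "a custom instance"). Also add a space after the comma in `StaticHeadersWriter("X-Custom-Security-Header","header-value")` in the Kotlin sample.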
@ -721,13 +961,9 @@ WebSecurityConfigurerAdapter {
}
}
----
====
Alternatively, we could use the <<nsa-header-ref,ref>> attribute for XML based configuration:
.Headers Writer XML Configuration
====
[source,xml]
.XML
[source,xml,role="secondary"]
----
<http>
<!-- ... -->
@ -743,6 +979,23 @@ See https://docs.spring.io/spring/docs/current/spring-framework-reference/htmlsi
class="org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter"
c:frameOptionsMode="SAMEORIGIN"/>
----
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
http {
// ...
headers {
addHeaderWriter(XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN))
}
}
}
}
----
====
[[headers-delegatingrequestmatcherheaderwriter]]
@ -756,7 +1009,8 @@ An example of using `DelegatingRequestMatcherHeaderWriter` in Java Configuration
.DelegatingRequestMatcherHeaderWriter Java Configuration
====
[source,java]
.Java
[source,java,role="primary"]
----
@EnableWebSecurity
public class WebSecurityConfig extends
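Review bot: the title `.DelegatingRequestMatcherHeaderWriter Java Configuration` and the intro sentence "An example of using `DelegatingRequestMatcherHeaderWriter` in Java Configuration" were left unchanged, although this block now carries Java, XML and Kotlin tabs; drop " Java Configuration" from the title as was done for the other tabbed blocks and reword the sentence accordingly.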
@ -776,13 +1030,9 @@ WebSecurityConfigurerAdapter {
}
}
----
====
The same can be achieved with XML based configuration:
.DelegatingRequestMatcherHeaderWriter XML Configuration
====
[source,xml]
.XML
[source,xml,role="secondary"]
----
<http>
<!-- ... -->
@ -805,5 +1055,25 @@ The same can be achieved with XML based configuration:
</beans:constructor-arg>
</beans:bean>
----
====
.Kotlin
[source,kotlin,role="secondary"]
----
@EnableWebSecurity
class SecurityConfig : WebSecurityConfigurerAdapter() {
override fun configure(http: HttpSecurity) {
val matcher: RequestMatcher = AntPathRequestMatcher("/login")
val headerWriter = DelegatingRequestMatcherHeaderWriter(matcher, XFrameOptionsHeaderWriter())
http {
headers {
frameOptions {
disable()
}
addHeaderWriter(headerWriter)
}
}
}
}
----
====
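Review bot: in the Kotlin `DelegatingRequestMatcherHeaderWriter` sample, `XFrameOptionsHeaderWriter()` is constructed with no arguments, which writes `X-Frame-Options: DENY` for requests matching `/login`, while `frameOptions { disable() }` removes the header everywhere else; a one-line comment stating that the default mode is DENY would make the intended effect obvious to readers comparing it with the `XFrameOptionsMode.SAMEORIGIN` sample just above.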