Allow disabling headers in Kotlin DSL

Closes gh-8816
2025-06-24 04:52:16 +00:00 · 2020-07-08 10:55:01 +02:00 · 2020-07-08 10:55:01 +02:00 · 815ceae45c
commit 815ceae45c
parent 8e8a642e5a
2 changed files with 40 additions and 0 deletions
--- a/config/src/main/kotlin/org/springframework/security/config/web/servlet/HeadersDsl.kt
+++ b/config/src/main/kotlin/org/springframework/security/config/web/servlet/HeadersDsl.kt
@ -40,6 +40,7 @@ class HeadersDsl {
    private var contentSecurityPolicy: ((HeadersConfigurer<HttpSecurity>.ContentSecurityPolicyConfig) -> Unit)? = null
    private var referrerPolicy: ((HeadersConfigurer<HttpSecurity>.ReferrerPolicyConfig) -> Unit)? = null
    private var featurePolicyDirectives: String? = null
+    private var disabled = false

    var defaultsDisabled: Boolean? = null

@ -161,6 +162,15 @@ class HeadersDsl {
        this.featurePolicyDirectives = policyDirectives
    }

+    /**
+     * Disable all HTTP security headers.
+     *
+     * @since 5.4
+     */
+    fun disable() {
+        disabled = true
+    }
+
    internal fun get(): (HeadersConfigurer<HttpSecurity>) -> Unit {
        return { headers ->
            defaultsDisabled?.also {
@ -195,6 +205,9 @@ class HeadersDsl {
            featurePolicyDirectives?.also {
                headers.featurePolicy(featurePolicyDirectives)
            }
+            if (disabled) {
+                headers.disable()
+            }
        }
    }
 }
--- a/config/src/test/kotlin/org/springframework/security/config/web/servlet/HeadersDslTests.kt
+++ b/config/src/test/kotlin/org/springframework/security/config/web/servlet/HeadersDslTests.kt
@ -91,4 +91,31 @@ class HeadersDslTests {
            }
        }
    }
+
+    @Test
+    fun `request when headers disabled then no security headers are in the response`() {
+        this.spring.register(HeadersDisabledConfig::class.java).autowire()
+
+        this.mockMvc.get("/")
+                .andExpect {
+                    header { doesNotExist(ContentTypeOptionsServerHttpHeadersWriter.X_CONTENT_OPTIONS) }
+                    header { doesNotExist(XFrameOptionsServerHttpHeadersWriter.X_FRAME_OPTIONS) }
+                    header { doesNotExist(StrictTransportSecurityServerHttpHeadersWriter.STRICT_TRANSPORT_SECURITY) }
+                    header { doesNotExist(HttpHeaders.CACHE_CONTROL) }
+                    header { doesNotExist(HttpHeaders.EXPIRES) }
+                    header { doesNotExist(HttpHeaders.PRAGMA) }
+                    header { doesNotExist(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION) }
+                }
+    }
+
+    @EnableWebSecurity
+    open class HeadersDisabledConfig : WebSecurityConfigurerAdapter() {
+        override fun configure(http: HttpSecurity) {
+            http {
+                headers {
+                    disable()
+                }
+            }
+        }
+    }
 }