From a469f26b1082a5be9482b94fe61834f7802a7317 Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Thu, 15 Aug 2013 16:31:43 -0500
Subject: [PATCH] SEC-2230: Polish Headers JavaConfig

---
 .../web/configurers/HeadersConfigurer.java | 58 +++++++++++++++++--
 1 file changed, 53 insertions(+), 5 deletions(-)

diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java
index 2c69f0465a..a0ea94a2a4 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java
@@ -29,6 +29,8 @@ import org.springframework.security.web.header.writers.XXssProtectionHeaderWrite
 import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
 import org.springframework.util.Assert;

+import com.sun.xml.internal.ws.api.ha.StickyFeature;
+
 /**
 * @author Rob Winch
 * @since 3.2
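Review bot: The added `import com.sun.xml.internal.ws.api.ha.StickyFeature;` is not used by anything this patch adds and looks like an accidental IDE auto-import. `com.sun.xml.internal.*` is a JDK-internal JAX-WS package rather than a supported API, so the class will probably fail to compile on JDKs that do not ship it. I would drop the import and the blank line added after it, so the security configurer depends only on Spring and public JDK types.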
@@ -55,6 +57,52 @@ public final class HeadersConfigurer> extends A
 return this;
 }

+ /**
+ * Adds {@link XContentTypeOptionsHeaderWriter}
+ *
+ * @return the {@link HeadersConfigurer} for additional customizations
+ */
+ public HeadersConfigurer contentTypeOptions() {
+ return addHeaderWriter(new XContentTypeOptionsHeaderWriter());
+ }
+
+ /**
+ * Adds {@link XXssProtectionHeaderWriter}. Note this is not comprehensive
+ * XSS protection!
+ *
+ * @return the {@link HeadersConfigurer} for additional customizations
+ */
+ public HeadersConfigurer xssProtection() {
+ return addHeaderWriter(new XContentTypeOptionsHeaderWriter());
+ }
+
+ /**
+ * Adds {@link CacheControlHeadersWriter}.
+ *
+ * @return the {@link HeadersConfigurer} for additional customizations
+ */
+ public HeadersConfigurer cacheControl() {
+ return addHeaderWriter(new CacheControlHeadersWriter());
+ }
+
+ /**
+ * Adds {@link HstsHeaderWriter}.
+ *
+ * @return the {@link HeadersConfigurer} for additional customizations
+ */
+ public HeadersConfigurer httpStrictTransportSecurity() {
+ return addHeaderWriter(new HstsHeaderWriter());
+ }
+
+ /**
+ * Adds {@link XFrameOptionsHeaderWriter} with all the default settings.
+ *
+ * @return the {@link HeadersConfigurer} for additional customizations
+ */
+ public HeadersConfigurer frameOptions() {
+ return addHeaderWriter(new XFrameOptionsHeaderWriter());
+ }
+
 @Override
 public void configure(H http) throws Exception {
 HeaderWriterFilter headersFilter = createHeaderWriterFilter();
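Review bot: `xssProtection()` registers `new XContentTypeOptionsHeaderWriter()` instead of the `XXssProtectionHeaderWriter` its Javadoc names, so calling it never adds the X-XSS-Protection writer. The last hunk rewrites `addDefaultHeaderWriters()` to call `xssProtection()`, so the default configuration loses a writer it registered before this commit and adds the content-type-options writer twice. The body should be `return addHeaderWriter(new XXssProtectionHeaderWriter());`. A configuration test that asserts each default response header by name would catch this kind of copy-paste slip.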
@@ -89,10 +137,10 @@ public final class HeadersConfigurer> extends A
 *
 */
 private void addDefaultHeaderWriters() {
- headerWriters.add(new XContentTypeOptionsHeaderWriter());
- headerWriters.add(new XXssProtectionHeaderWriter());
- headerWriters.add(new CacheControlHeadersWriter());
- headerWriters.add(new HstsHeaderWriter());
- headerWriters.add(new XFrameOptionsHeaderWriter());
+ contentTypeOptions();
+ xssProtection();
+ cacheControl();
+ httpStrictTransportSecurity();
+ frameOptions();
 }
 }
\ No newline at end of file