Rob Winch (Migrated from SEC-2846) said:
Currently the mechanism for customizing HTTP Response Headers has a number of limitations. For example, if one wants to include all default headers but modify the X-Frame-Options to be SAMEORIGIN (i.e. for SockJS support), then they must duplicate a lot of configuration. For example, the Java Config would look like this:
    http
        .headers()
            .addHeaderWriter(new XFrameOptionsHeaderWriter(
                XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))
            .cacheControl()
            .contentTypeOptions()
            .httpStrictTransportSecurity()
            .xssProtection()
The other issue is that it is not obvious that adding any element will remove all of the default headers. We should strive to be "secure by default".
This change will make it so that the following can be used to include all of the default headers but modify X-Frame-Options to be SAMEORIGIN:
    http
        .headers()
            .frameOptions()
                .sameOrigin()
                .and()
            .and()
        ...;
If users really want to disable the default headers it can be done explicitly. For example, the following would only include the "X-Frame-Options: SAMEORIGIN" header:
    http
        .headers()
            .defaultsDisabled()
            .frameOptions()
                .sameOrigin()
                .and()
            .and()
        ...;
The same configuration in XML:
    <http>
        <!-- ... -->
        <headers defaults-disabled="true">
            <frame-options policy="SAMEORIGIN"/>
        </headers>
    </http>
One can also disable a single default header. For example, the following will remove the "X-Frame-Options" and keep all of the other defaults:
    http
        .headers()
            .frameOptions().disabled()
            .and()
        ...;
The same configuration in XML:
    <http>
        <!-- ... -->
        <headers>
            <frame-options disabled="true"/>
        </headers>
    </http>