
uvera/helmet-reactive-spring-boot-starter


New repo here

Helmet

Helmet secures your Spring WebFlux apps by setting various HTTP security headers.

This is a 1:1 port of Helmet.js.

Quick start

Add https://jitpack.to to your build tool's Maven repositories.

More info at the reactive helmet JitPack repository.

Add com.github.uvera:helmet-reactive-spring-boot-starter to your dependencies.

Enable the following configuration properties:

```yaml
spring-helmet:
  reactive:
    enable-cross-origin-embedder-policy: true
    enable-cross-origin-opener-policy: true
    enable-cross-origin-resource-policy: true
    enable-origin-agent-cluster: true
    enable-referrer-policy: true
    enable-strict-transport-security: true
    enable-do-not-sniff-mimetype: true
    enable-x-dns-prefetch-control: true
    enable-x-download-options: true
    enable-x-frame-options: true
    enable-x-permitted-cross-domain-policies: true
    remove-x-powered-by: true
    disable-x-xss-protection: true
    enable-content-security-policy: true
```

How it works

Helmet works by conditionally autowiring various WebFilter implementations into the filter chain; each filter is registered only when its enable-* property is set.

You can tweak the configuration with the following properties (the values shown are the defaults):

```yaml
spring-helmet:
  reactive:
    cross-origin-resource-policy: cross_origin
    cross-origin-opener-policy: same_origin
    referrer-policy: [ no_referrer ]
    strict-transport-security-max-age: 15552000
    strict-transport-security-include-sub-domains: true
    strict-transport-security-preload: false
    x-dns-prefetch-control: OFF
    x-frame-options: same_origin
    x-permitted-cross-domain-policies: none
    content-security-policy:
      use-default: true
      report-only: false
      # key-value pairs where key: String, value: List<String>
      directives: {key: ["value1", "value2"]}
```
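As an added illustration of the mechanism described under "How it works" (example code, not the starter's own), here is one conditional WebFilter that builds the Strict-Transport-Security header from the three HSTS properties above. The class names HelmetProperties and HstsAutoConfiguration are assumptions, and the record-based binding assumes Spring Boot 3.

```java
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.boot.context.properties.bind.DefaultValue;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.server.WebFilter;

// Assumed name; not one of the starter's classes. Relaxed binding maps
// strict-transport-security-max-age -> strictTransportSecurityMaxAge, and so on.
@ConfigurationProperties(prefix = "spring-helmet.reactive")
record HelmetProperties(
        @DefaultValue("15552000") long strictTransportSecurityMaxAge,
        @DefaultValue("true") boolean strictTransportSecurityIncludeSubDomains,
        @DefaultValue("false") boolean strictTransportSecurityPreload) {
}

// Assumed name. The bean is created only when enable-strict-transport-security
// is true, which is the conditional autowiring the README describes.
@Configuration
@EnableConfigurationProperties(HelmetProperties.class)
@ConditionalOnProperty(prefix = "spring-helmet.reactive",
        name = "enable-strict-transport-security", havingValue = "true")
public class HstsAutoConfiguration {

    // Assemble the directive list from the bound properties: max-age is always
    // present, includeSubDomains and preload only when their flags are set.
    static String hstsHeaderValue(HelmetProperties p) {
        StringBuilder value = new StringBuilder("max-age=")
                .append(p.strictTransportSecurityMaxAge());
        if (p.strictTransportSecurityIncludeSubDomains()) {
            value.append("; includeSubDomains");
        }
        if (p.strictTransportSecurityPreload()) {
            value.append("; preload");
        }
        return value.toString();
    }

    @Bean
    public WebFilter hstsWebFilter(HelmetProperties props) {
        String headerValue = hstsHeaderValue(props);
        // Set the header before delegating so it is present on every response,
        // including error responses produced further down the chain.
        return (exchange, chain) -> {
            exchange.getResponse().getHeaders().set("Strict-Transport-Security", headerValue);
            return chain.filter(exchange);
        };
    }
}
```

With the defaults from the README, the filter emits a 180-day max-age covering subdomains and leaves preload off, which matches what the property listing above declares.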