使用Spring Boot应用程序启用HTTP Strict Transport Security(HSTS) [英] Enable HTTP Strict Transport Security (HSTS) with spring boot application

查看:307
本文介绍了使用Spring Boot应用程序启用HTTP Strict Transport Security(HSTS)的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我关注了 https://docs.spring.io/spring-security/site/docs/4.0.2.RELEASE/reference/html/headers.html#headers-hsts 启用HSTS标头我的春季启动应用程序.尽管进行了必要的更改,但Strict-Transport-Security标头并未出现在响应中.

I have followed the article https://docs.spring.io/spring-security/site/docs/4.0.2.RELEASE/reference/html/headers.html#headers-hsts to enable HSTS header on my spring boot application. Despite of making the required changes, Strict-Transport-Security header is not appearing the response.

pom.xml(依赖项) 

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-thymeleaf</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
    </dependency>
</dependencies>

WebSecurityConfig.java 

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .headers()
            .httpStrictTransportSecurity()
                .includeSubDomains(true)
                .maxAgeInSeconds(31536000);
    }
}

标题列表: 

cache-control →no-cache, no-store, max-age=0, must-revalidate
content-language →en-GB
content-type →text/html;charset=UTF-8
date →Thu, 24 May 2018 14:10:29 GMT
expires →0
pragma →no-cache
transfer-encoding →chunked
x-application-context →application:9000
x-content-type-options →nosniff
x-frame-options →SAMEORIGIN
x-xss-protection →1; mode=block

我想念什么吗?

推荐答案

根据RFC6797,HSTS标头仅注入HTTPS响应中.

In accordance with RFC6797, the HSTS header is only injected into HTTPS responses.

来源: https ://docs.spring.io/spring-security/site/docs/4.0.2.RELEASE/reference/htmlsingle/#headers-hsts

这篇关于使用Spring Boot应用程序启用HTTP Strict Transport Security(HSTS)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
Java开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆