Enable HTTP Strict Transport Security (HSTS) with spring boot application

java spring spring-boot spring-security hsts
kk. picture kk. · May 24, 2018 · Viewed 21.8k times · Source

I have followed the article https://docs.spring.io/spring-security/site/docs/4.0.2.RELEASE/reference/html/headers.html#headers-hsts to enable HSTS header on my spring boot application. Despite of making the required changes, Strict-Transport-Security header is not appearing the response.

pom.xml (dependencies)

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-thymeleaf</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
    </dependency>
</dependencies>

WebSecurityConfig.java

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .headers()
            .httpStrictTransportSecurity()
                .includeSubDomains(true)
                .maxAgeInSeconds(31536000);
    }
}

List of headers:

cache-control →no-cache, no-store, max-age=0, must-revalidate
content-language →en-GB
content-type →text/html;charset=UTF-8
date →Thu, 24 May 2018 14:10:29 GMT
expires →0
pragma →no-cache
transfer-encoding →chunked
x-application-context →application:9000
x-content-type-options →nosniff
x-frame-options →SAMEORIGIN
x-xss-protection →1; mode=block

Am I missing anything?

Answer

David Balažic picture David Balažic · Nov 28, 2018

In accordance with RFC6797, the HSTS header is only injected into HTTPS responses.

Source: https://docs.spring.io/spring-security/site/docs/4.0.2.RELEASE/reference/htmlsingle/#headers-hsts

Related questions

disabling spring security in spring boot app

I have a spring boot web app with spring security configured. I want to disable authentication for a while (until needed). I add this to the application.properties: security.basic.enable: false management.security.enabled: false Here is some part …

Read More
How to disable 'X-Frame-Options' response header in Spring Security?

I have CKeditor on my jsp and whenever I upload something, the following error pops out: Refused to display 'http://localhost:8080/xxx/xxx/upload-image?CKEditor=text&CKEditorFuncNum=1&langCode=ru' in a frame because it set 'X-Frame-Options' to 'DENY'. …

Read More
Remove "Using default security password" on Spring Boot

I added one custom Security Config in my application on Spring Boot, but the message about "Using default security password" is still there in LOG file. Is there any to remove it? I do not need this default password. It …

Read More