Setting security.headers.hsts=none alone causes the HSTS headers to still appear
When setting security.headers.hsts=none (and only that security.headers.* setting) in application.properties, SpringBootWebSecurityConfiguration.configureHeaders causes the HstsHeaderWriter to not be added to the HeaderWriters. This seems fine, except that it appears that in Spring Boot this is the only header that is enabled by default. Turning off this header leaves no HeaderWriters.

That means that later on HeadersConfigurer.getHeaderWriters() detects that there are no headers configured and therefore adds the default set of HeaderWriters, which includes contentTypeOptions, xssProtection, cacheControl, frameOptions and HSTS.

It seems wrong to me that if I explicitly turn off HSTS I still get HSTS headers. Even if there were more headers turned on by default in Spring Boot, if I explicitly turn them all off, I don't want HeadersConfigurer to come along later and add them back in.
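One way to avoid the fallback described in the issue is to declare the header set explicitly in Java config instead of relying on the security.headers.* properties: if every writer is named, the HeaderWriter list is never empty and there is nothing for HeadersConfigurer to "default back" to. The following is an added example, not code from the issue, Spring Boot or Spring Security; it assumes a Spring Boot 1.x application with spring-boot-starter-security on the classpath and the Spring Security 4 HeadersConfigurer API (the contentTypeOptions(), xssProtection(), cacheControl(), frameOptions() and httpStrictTransportSecurity() sub-configurers), and the class name ExplicitHeadersConfig is made up for the illustration.

```java
// Added example (not the issue's or Spring's own code). Assumes Spring Boot 1.x
// with spring-boot-starter-security and the Spring Security 4 HeadersConfigurer API.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class ExplicitHeadersConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                // Register each writer we do want explicitly, so the header
                // list is populated regardless of what the properties say.
                .contentTypeOptions().and()   // X-Content-Type-Options: nosniff
                .xssProtection().and()        // X-XSS-Protection: 1; mode=block
                .cacheControl().and()         // Cache-Control / Pragma / Expires
                .frameOptions().deny()        // X-Frame-Options: DENY
                // Turn HSTS off explicitly rather than by leaving the list empty.
                // With the writers above present, HeadersConfigurer has no reason
                // to fall back to its default set, so HSTS stays off.
                .httpStrictTransportSecurity().disable()
            .and()
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .httpBasic();
    }
}
```

To confirm the effective header set after a change like this, request any page over the deployed scheme and inspect the response headers (for example `curl -sI https://your-host/` and look for the presence of X-Content-Type-Options and the absence of Strict-Transport-Security); the response, not the configuration file, is the ground truth for which writers actually ran.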
Created 9 years ago. Comments: 8 (7 by maintainers).
I do not see this problem anymore with Spring Security 4
@bbrouwer @rwinch can we please have some feedback on this issue please?