I'm new to Java Spring Security. I've been able to successfully add some HTTP headers and deploy them via the code I have below.
Once the basic HTTP headers were working, I also added headers for Strict-Transport-Security. It seems to work locally; however, once deployed, the value gets overridden.
I've talked to some of our architects and they don't believe that there is anything sitting between this Java app and the browser which might be overwriting/replacing the values. They think it might be something in Spring that is fighting with the code I have here.
Curious if anyone has experience with this and could offer some advice.
I've included some screenshots of what Chrome is showing me for headers.
```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

// Class name assumed; the posted snippet omits the class declaration.
public class SecurityHeadersInterceptor extends HandlerInterceptorAdapter {

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {
        response.setHeader("Content-Security-Policy",
            "default-src https: http: 'unsafe-inline' 'unsafe-eval'; " +
            "script-src 'self' 'unsafe-inline' 'unsafe-eval'; " +
            "object-src 'none'; " +
            "base-uri 'self'; " +
            "frame-ancestors 'self'; " +
            "form-action https: http: 'self'; "
        );
        // Strict-Transport-Security takes only its own directives (max-age, includeSubDomains,
        // preload). The caching headers that were concatenated into its value are separate
        // response headers and are set below. Note that max-age=0 tells browsers to discard
        // any stored HSTS policy; enforcing HSTS requires a positive max-age.
        response.setHeader("Strict-Transport-Security", "max-age=0; includeSubDomains");
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate, private");
        response.setHeader("Pragma", "no-cache");
        response.setHeader("Expires", "0");
        // Upgrade-Insecure-Requests is a request header sent by browsers (and a CSP directive);
        // as a response header it has no effect.
        response.setHeader("Upgrade-Insecure-Requests", "1");
        response.setHeader("X-Frame-Options", "DENY");
        response.setHeader("X-XSS-Protection", "1; mode=block");
        response.setHeader("Referrer-Policy", "no-referrer-when-downgrade");
        super.postHandle(request, response, handler, modelAndView);
    }
}
```
[![local deployed changes][1]][1]
[![server deployed changes][2]][2]
[1]: https://i.stack.imgur.com/3LGEd.png
[2]: https://i.stack.imgur.com/8NAMn.png
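When Spring Security is on the classpath it registers a HeaderWriterFilter with its own HSTS writer, which by default acts only on requests where request.isSecure() is true (so typically not on a plain-HTTP local run, but on the TLS-terminated deployment). Rather than have an interceptor and that filter compete for the same header, the headers can be owned by Spring Security's HeadersConfigurer. This is an added example, not the asker's code, and assumes Spring Security 5.2+ (lambda DSL) and the WebSecurityConfigurerAdapter style; the class name is assumed.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

@Configuration
@EnableWebSecurity
public class SecurityHeadersConfig extends WebSecurityConfigurerAdapter { // class name assumed

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers(headers -> headers
            // Single owner for HSTS: this replaces the default writer's value instead of
            // racing it. Spring Security still emits HSTS only on secure (HTTPS) requests.
            .httpStrictTransportSecurity(hsts -> hsts
                .maxAgeInSeconds(31536000)   // one year; max-age=0 would tell browsers to drop the policy
                .includeSubDomains(true))
            .contentSecurityPolicy(csp -> csp.policyDirectives(
                "default-src https: http: 'unsafe-inline' 'unsafe-eval'; "
                + "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
                + "object-src 'none'; base-uri 'self'; "
                + "frame-ancestors 'self'; form-action https: http: 'self'"))
            .frameOptions(frame -> frame.deny())                 // X-Frame-Options: DENY
            .xssProtection(xss -> xss.block(true))               // X-XSS-Protection: 1; mode=block
            .referrerPolicy(ref -> ref.policy(ReferrerPolicy.NO_REFERRER_WHEN_DOWNGRADE))
            // Spring Security's default Cache-Control/Pragma/Expires writer (values differ
            // slightly from the interceptor's: no "private" token).
            .cacheControl(Customizer.withDefaults())
            // Upgrade-Insecure-Requests is a request header / CSP directive; kept here only
            // because the question sets it, it has no effect as a response header.
            .addHeaderWriter(new StaticHeadersWriter("Upgrade-Insecure-Requests", "1"))
        );
        // ... authorizeRequests() and the rest of the security configuration go here
    }
}
```

With the headers configured in one place, the interceptor's header-setting code can be removed, and the deployed response should carry exactly the values configured here.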