0

I am trying to set the Strict Transport Security header on my Spring Webflow app.

This is the code that I have written to set the response header

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers()
            // HSTS: max-age one year, apply to subdomains as well
            .httpStrictTransportSecurity()
            .includeSubDomains(true).maxAgeInSeconds(31536000).and()
            // switch off the default Cache-Control and X-Frame-Options headers
            .cacheControl().disable()
            .frameOptions().disable();
    }
}

Now, I am checking the response headers for the URLs and, although the other two headers (cache-control and frame-options) are being set, I am not seeing the Strict Transport Security header anywhere.


Thank you

Rahul Vala

1 Answer

0

The default RequestMatcher used in HstsConfig checks whether a request is HTTPS via HttpServletRequest.isSecure(). If it's not working for you for some reason, you can use another matcher.

The code below ensures that the Strict-Transport-Security header is set in all responses:

    // AnyRequestMatcher lives in org.springframework.security.web.util.matcher
    http.headers()
          .httpStrictTransportSecurity()
          .requestMatcher(AnyRequestMatcher.INSTANCE)
          ...
Alexander Pranko
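As an added example (not code from the question or the answer above), here is a complete configuration class that applies the answer's fix. It assumes Spring Security 5.x on the javax.servlet API, and the class name HstsSecurityConfig and the matcher HTTPS_DIRECT_OR_FORWARDED are names chosen for this example. The usual reason isSecure() returns false in production is that TLS is terminated at a reverse proxy or load balancer, so the app itself only ever sees plain HTTP; the custom matcher below also accepts a request when a trusted proxy reports the original scheme as https through X-Forwarded-Proto. Browsers ignore a Strict-Transport-Security header received over plain HTTP, so emitting it on every response (AnyRequestMatcher, as in the answer) is harmless but only takes effect on responses that really were served over TLS. Only the HSTS part of the original configuration is reproduced here.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@EnableWebSecurity
@Configuration
public class HstsSecurityConfig extends WebSecurityConfigurerAdapter {

    // Example matcher (not part of Spring Security): true when the container saw TLS
    // itself, or when the reverse proxy that terminated TLS says the client used HTTPS.
    // Assumes the proxy overwrites any client-supplied X-Forwarded-Proto value; if it
    // does not, configure the container's forwarded-header support instead of reading
    // the header here, otherwise a client could claim "https" on a plain-HTTP request.
    private static final RequestMatcher HTTPS_DIRECT_OR_FORWARDED = (HttpServletRequest request) ->
            request.isSecure()
            || "https".equalsIgnoreCase(request.getHeader("X-Forwarded-Proto"));

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers()
            .httpStrictTransportSecurity()
                // Replace the default isSecure()-only matcher. The answer's simpler
                // choice, AnyRequestMatcher.INSTANCE, emits the header on every response.
                .requestMatcher(HTTPS_DIRECT_OR_FORWARDED)
                // One year, and cover subdomains so plain-HTTP subdomains cannot be used
                // to set cookies for the parent domain over an insecure channel.
                .maxAgeInSeconds(31536000)
                .includeSubDomains(true)
                .and()
            // Other header settings (cacheControl, frameOptions, ...) would follow here.
            .and();
    }

    // Kept for reference: the matcher from the answer, usable in place of the custom one.
    static RequestMatcher everyRequest() {
        return AnyRequestMatcher.INSTANCE;
    }
}
```

To confirm the fix, request a page over HTTPS (through the proxy if there is one) and look for "Strict-Transport-Security: max-age=31536000 ; includeSubDomains" in the response; a response fetched over plain HTTP will not carry the header with the custom matcher unless the forwarded-scheme header is present.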