diff --git a/config/src/test/java/org/springframework/security/config/http/SessionManagementConfigServlet31Tests.java b/config/src/test/java/org/springframework/security/config/http/SessionManagementConfigServlet31Tests.java index ce5447d073..d5561b9d7f 100644 --- a/config/src/test/java/org/springframework/security/config/http/SessionManagementConfigServlet31Tests.java +++ b/config/src/test/java/org/springframework/security/config/http/SessionManagementConfigServlet31Tests.java @@ -107,6 +107,7 @@ public class SessionManagementConfigServlet31Tests { loadContext("\n" + " \n" + " \n" + + " \n" + " " + XML_AUTHENTICATION_MANAGER); @@ -132,6 +133,7 @@ public class SessionManagementConfigServlet31Tests { loadContext("\n" + " \n" + " \n" + + " \n" + " " + XML_AUTHENTICATION_MANAGER); diff --git a/docs/manual/src/asciidoc/index.adoc b/docs/manual/src/asciidoc/index.adoc index 824f923253..f787c0f386 100644 --- a/docs/manual/src/asciidoc/index.adoc +++ b/docs/manual/src/asciidoc/index.adoc @@ -3322,23 +3322,9 @@ Spring Security allows users to easily inject the default security headers to as * <> * <> -While each of these headers are considered best practice, it should be noted that not all clients utilize the headers, so additional testing is encouraged. For passivity reasons, if you are using Spring Security's XML namespace support, you must explicitly enable the security headers. All of the default headers can be easily added using the <>> element with no child elements: +While each of these headers are considered best practice, it should be noted that not all clients utilize the headers, so additional testing is encouraged. As of Spring Security 4.0, HTTP Security response headers are enabled by default. -[NOTE] -==== -https://jira.springsource.org/browse/SEC-2348[SEC-2348] is logged to ensure Spring Security 4.x's XML namespace configuration will enable Security headers by default. -==== - -[source,xml] ----- - - - - - ----- - -Alternatively, you can choose to explicitly list the headers you wish to include. For example, the following is the same the previous configuration. Removing any of the elements will remove that header from the responses. +Alternatively, you can choose to explicitly list the headers you wish to include. For example, the following is the same the default configuration. Removing any of the elements will remove that header from the responses. [source,xml] ---- @@ -3355,6 +3341,17 @@ Alternatively, you can choose to explicitly list the headers you wish to include ---- +If necessary, you can disable the HTTP Security response headers with the following configuration: + +[source,xml] +---- + + + + + +---- + If you are using Spring Security's Java configuration, all of the default security headers are added by default. They can be disabled using the Java configuration below: [source,java]