Hello All,

I am using Spring Security version 3.2.3.RELEASE and Spring Security OAuth2 version 2.0.9.RELEASE. It seems that we could not disable the HSTS header in the default endpoint /oauth/token of Spring OAuth2 with the below source code.

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // ...
            .headers()
                // intended to stop the Strict-Transport-Security header from being written
                .httpStrictTransportSecurity().disable();
    }
}

Can anyone help me?

Thank you so much, Tin

Comment From: rwinch

If you curl the application over HTTPS, do you see:

Strict-Transport-Security: max-age=31536000 ; includeSubDomains

Comment From: TinCongHuynh

Yes, I do. For the other APIs which I define, I don't see the Strict-Transport-Security header. But the default API /oauth/token of Spring OAuth2 still includes this header.

Comment From: rwinch

Thanks for the response. Given the information you have provided I am unable to reproduce this. See https://github.com/rwinch/gh-4099

Can you come up with a sample that reproduces the problem?

Comment From: zymen

Hi,

I think I was able to reproduce the problem mentioned in this issue: https://github.com/zymen/spring-security-oauth-hsts-poc

A request to any of the OAuth2 endpoints generates an HSTS header. I expect it should not happen. A request to the /test endpoint doesn't have such a header.

Cheers,

Comment From: zidjian257

I just ran into the same issue, so it still exists. My workaround for this was writing a filter that prevents setting the hsts header as posted here http://stackoverflow.com/a/43055373/1878727

Comment From: binakot

Same problem. I am trying to disable HSTS on my OAuth2 server. The following code doesn't do anything.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        // only affects the HttpSecurity built by this adapter, not the one the OAuth2 endpoints use
        http
            .headers()
                .httpStrictTransportSecurity().disable();
    }
}

Now I must use this hotfix:

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
public class HstsHeaderPreventionFilter extends OncePerRequestFilter {

    private static final String HSTS_HEADER = "Strict-Transport-Security";

    @Override
    protected void doFilterInternal(final HttpServletRequest request, final HttpServletResponse response, final FilterChain filterChain)
        throws ServletException, IOException {

        // Wrap the response so that any attempt further down the chain to write the HSTS header is dropped.
        filterChain.doFilter(request, new HttpServletResponseWrapper(response) {
            @Override
            public void setHeader(final String name, final String value) {
                if (!HSTS_HEADER.equalsIgnoreCase(name)) {
                    super.setHeader(name, value);
                }
            }

            // addHeader would otherwise bypass the check above
            @Override
            public void addHeader(final String name, final String value) {
                if (!HSTS_HEADER.equalsIgnoreCase(name)) {
                    super.addHeader(name, value);
                }
            }
        });
    }
}

Comment From: rwinch

You must disable httpStrictTransportSecurity in the same HttpSecurity instance that OAuth is using. To do this, you can replace @EnableAuthorizationServer with something like this:

import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerEndpointsConfiguration;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerSecurityConfiguration;

@Configuration
@Import(AuthorizationServerEndpointsConfiguration.class)
public class OAuthSecurityConfig extends AuthorizationServerSecurityConfiguration {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // keep the authorization server's own security setup, then switch HSTS off on that same HttpSecurity
        super.configure(http);
        http.headers().httpStrictTransportSecurity().disable();
    }
}

I sent a pull request with a test and a fix for it. Alternatively, you can refer to the diff.
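Added example (not part of this thread, and not Spring Security's or Spring Security OAuth's own code): a MockMvc test that checks the fix actually takes effect on the OAuth2 endpoints. It assumes the `WebSecurityConfig` and `OAuthSecurityConfig` classes from this thread are on the classpath together with spring-test and JUnit 4, that Spring Security registers its `FilterChainProxy` as a bean (it does so under the name `springSecurityFilterChain`), and that the application exposes a `/test` endpoint like the one in the reproduction above. The request is marked secure because the HSTS header writer only fires for requests Spring Security considers HTTPS, so an insecure MockMvc request would pass trivially.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.setup.MockMvcBuilders.webAppContextSetup;

import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
import org.springframework.test.context.web.WebAppConfiguration;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.context.WebApplicationContext;

@RunWith(SpringJUnit4ClassRunner.class)
@WebAppConfiguration
// Assumed: the two configuration classes from this thread make up the application's security setup
@ContextConfiguration(classes = { WebSecurityConfig.class, OAuthSecurityConfig.class })
public class HstsDisabledOnOAuthEndpointsTest {

    private static final String HSTS_HEADER = "Strict-Transport-Security";

    @Autowired
    private WebApplicationContext context;

    // The FilterChainProxy bean Spring Security registers; it contains both HttpSecurity chains
    @Autowired
    private FilterChainProxy springSecurityFilterChain;

    private MockMvc mockMvc;

    @Before
    public void setUp() {
        mockMvc = webAppContextSetup(context)
                .addFilters(springSecurityFilterChain)
                .build();
    }

    @Test
    public void tokenEndpointDoesNotSendHsts() throws Exception {
        // No valid client credentials are supplied: a 401 is fine here, because the header
        // writers run regardless of the status and the assertion is only about the HSTS header.
        mockMvc.perform(post("/oauth/token")
                        .secure(true)
                        .param("grant_type", "client_credentials"))
                .andExpect(header().doesNotExist(HSTS_HEADER));
    }

    @Test
    public void ordinaryEndpointDoesNotSendHsts() throws Exception {
        // Assumed /test endpoint, as in the reproduction repository linked above
        mockMvc.perform(get("/test").secure(true))
                .andExpect(header().doesNotExist(HSTS_HEADER));
    }
}
```

If the first test fails while the second passes, the HSTS disable is still only reaching the `WebSecurityConfig` chain and not the authorization server's chain, which is exactly the symptom reported in this issue.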