Question
I added

```yaml
zuul:
  ignoreSecurityHeaders: false
```

It enabled these headers:

```
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 997
Content-Type: application/json;charset=UTF-8
Date: Mon, 06 Jan 2020 19:01:53 GMT
Expires: 0
Pragma: no-cache
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
```
Issue
I want to change the header to `X-Frame-Options: SAMEORIGIN`. I also want to add new headers:

```
Referrer-Policy: same-origin
X-Content-Security-Policy: script-src 'self'
```

but I am unable to add those using:

```java
http.headers().frameOptions().sameOrigin();
http.headers().addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy", "script-src 'self'"));
http.headers().referrerPolicy(ReferrerPolicy.SAME_ORIGIN);
```
How to fix this?
Comment From: spencergibb
I'm afraid your code provides no context to what is or where it is run.
Can you provide a complete, minimal, verifiable sample that reproduces the problem? It should be available as a GitHub (or similar) project or attached to this issue as a zip file.
Comment From: bawlochoro
My application is a Zuul gateway server which is using spring-boot and spring-cloud-starter-zuul. I am using:

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // HSTS for one year, covering subdomains
        http.headers().httpStrictTransportSecurity().includeSubDomains(true).maxAgeInSeconds(31536000);
        // X-Frame-Options: SAMEORIGIN instead of the default DENY
        http.headers().frameOptions().sameOrigin();
        // Static header not covered by a dedicated Spring Security writer
        http.headers().addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy", "script-src 'self'"));
        // Referrer-Policy: same-origin
        http.headers().referrerPolicy(ReferrerPolicy.SAME_ORIGIN);
    }
}
```
But it's not adding/overriding above headers.
Comment From: spencergibb
Please learn how to properly format code and logs.
Comment From: spencergibb
I'm unsure what spring security code above has to do with zuul. If you want to modify response headers from zuul you'll need to write a zuul filter.
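As an added example (not code from the issue or from Spring Cloud Netflix), a Zuul post filter that sets the three headers the question asks for. It relies on `SendResponseFilter` (order 1000) copying `RequestContext.getZuulResponseHeaders()` onto the servlet response, so it runs just before that and replaces any same-named header copied from the origin rather than appending a second value; the package name and the policy values are assumptions, and it uses the standard `Content-Security-Policy` name rather than the legacy `X-Content-Security-Policy` from the question.

```java
package com.example.gateway; // hypothetical package

import com.netflix.util.Pair;
import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import org.springframework.cloud.netflix.zuul.filters.support.FilterConstants;
import org.springframework.stereotype.Component;

import java.util.List;

/**
 * Post filter that enforces the gateway's own security headers on every
 * proxied response. Registered as a bean, so Spring Cloud Zuul picks it up.
 */
@Component
public class SecurityHeadersPostFilter extends ZuulFilter {

    // Assumed policy values; adjust to the application's needs.
    private static final String[][] HEADERS = {
        { "X-Frame-Options", "SAMEORIGIN" },
        { "Referrer-Policy", "same-origin" },
        { "Content-Security-Policy", "script-src 'self'" },
    };

    @Override
    public String filterType() { return FilterConstants.POST_TYPE; }

    @Override
    public int filterOrder() {
        // Must run before SendResponseFilter, which writes the headers out.
        return FilterConstants.SEND_RESPONSE_FILTER_ORDER - 1;
    }

    @Override
    public boolean shouldFilter() { return true; }

    @Override
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        // Live list of headers Zuul will write, including those copied from the
        // origin when ignoreSecurityHeaders is false.
        List<Pair<String, String>> headers = ctx.getZuulResponseHeaders();
        for (String[] h : HEADERS) {
            // addZuulResponseHeader only appends, so drop the origin's copy first;
            // otherwise the client would see both "DENY" and "SAMEORIGIN".
            headers.removeIf(p -> p.first().equalsIgnoreCase(h[0]));
            ctx.addZuulResponseHeader(h[0], h[1]);
        }
        return null;
    }
}
```

Verify with `curl -I` against a proxied route that each header appears exactly once with the gateway's value.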
Comment From: bawlochoro
Thanks a lot @spencergibb. If you want to learn how to reply professionally and properly, https://www.google.com/search?q=how+to+reply+professionally+and+properly&oq=how+to+reply+professionally+and+properl&aqs=chrome.1.69i57j33.12891j0j1&sourceid=chrome&ie=UTF-8