Missing HSTS Security Headers

Hi,

How can we add the HSTS security header to our Jmix application in the right way?

Hi,
You may try to implement security configuration extension in your application and add required settings there.

It may look like this:

import io.jmix.security.StandardSecurityConfiguration;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.stereotype.Component;

@Component
@Qualifier(StandardSecurityConfiguration.SECURITY_CONFIGURER_QUALIFIER)
public class MySecurityConfigurer extends AbstractHttpConfigurer<MySecurityConfigurer, HttpSecurity> {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.headers(headers -> {
            // Emit Strict-Transport-Security with a one-year max-age
            // and apply it to subdomains as well
            headers.httpStrictTransportSecurity(hsts ->
                    hsts.maxAgeInSeconds(31536000)
                            .includeSubDomains(true));
        });
    }
}

See the explanation in the What's new section.
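Once the configurer above is in place, the thing worth verifying is that the header really reaches the client: Spring Security's HSTS writer only adds the header to requests it considers secure, so an application behind a TLS-terminating proxy can be configured correctly and still send nothing until forwarded headers are honoured. The script below is an added example, not part of the thread or of Jmix; it checks a captured set of response headers for a Strict-Transport-Security header with an adequate max-age and includeSubDomains. The host name in the usage comment is a placeholder and the sample responses are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): verify that a deployed
# Jmix/Spring Boot application actually emits the HSTS header.
# Live usage (host name is a placeholder):
#   curl -sSI https://app.example.com/ | check_hsts 31536000

# check_hsts MIN_AGE: reads HTTP response headers on stdin and succeeds
# (exit 0) only if a Strict-Transport-Security header is present, its
# max-age is at least MIN_AGE seconds and includeSubDomains is set.
check_hsts() {
    min_age="$1"
    # strip CRs from curl output, keep the first HSTS header line
    hsts=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1)
    [ -n "$hsts" ] || { echo "no Strict-Transport-Security header" >&2; return 1; }
    value=${hsts#*:}
    # extract the numeric max-age directive (case-insensitive)
    max_age=$(printf '%s' "$value" | tr 'A-Z' 'a-z' \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$max_age" ] || { echo "HSTS header has no max-age:$value" >&2; return 1; }
    [ "$max_age" -ge "$min_age" ] || { echo "max-age $max_age is below $min_age" >&2; return 1; }
    printf '%s' "$value" | grep -qi 'includesubdomains' \
        || { echo "includeSubDomains directive missing" >&2; return 1; }
    echo "ok:$value"
    return 0
}

# Constructed sample responses (not captured from a real server).
GOOD_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Content-Type: text/html'

MISSING_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html'

WEAK_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300'

# Demonstration on the constructed samples
printf '%s\n' "$GOOD_HEADERS" | check_hsts 31536000
printf '%s\n' "$MISSING_HEADERS" | check_hsts 31536000 || echo "missing header detected"
printf '%s\n' "$WEAK_HEADERS" | check_hsts 31536000 || echo "weak header detected"
```

Run it against the deployed application over HTTPS, not over plain HTTP, since the header is deliberately omitted on insecure responses. If the header is missing only when the application sits behind a proxy, that points at forwarded-header handling rather than at the configurer.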