Class SecurityHeaders

java.lang.Object
cloud.opencode.base.web.security.SecurityHeaders

public final class SecurityHeaders extends Object
Security Headers - HTTP Security Response Headers Builder

Provides a builder-pattern API for constructing a set of HTTP security response headers. Supports the current best-practice headers, including Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and the Cross-Origin policies.

Features:

  • Fluent builder API for all security headers
  • Preset configurations (strict, standard)
  • Apply to HttpHeaders or export as Map
  • Type-safe enums for X-Frame-Options and Referrer-Policy

Usage Examples:

// Strict preset
SecurityHeaders strict = SecurityHeaders.strict();

// Standard preset
SecurityHeaders standard = SecurityHeaders.standard();

// Custom configuration (each instance gets its own variable; the builder rejects null arguments)
SecurityHeaders custom = SecurityHeaders.builder()
    .contentSecurityPolicy("default-src 'self'")
    .strictTransportSecurity(31536000, true)   // 31536000 s = one year
    .xFrameOptions(SecurityHeaders.FrameOption.DENY)
    .xContentTypeOptions()
    .xXssProtection()
    .referrerPolicy(SecurityHeaders.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN)
    .build();

// Apply to HttpHeaders
HttpHeaders httpHeaders = HttpHeaders.of();
custom.applyTo(httpHeaders);

// Export as an unmodifiable Map
Map<String, String> map = custom.toMap();
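The following servlet filter is an added example (it is not part of the opencode-base-web project and not code from this page) showing how a practitioner would put a SecurityHeaders preset in front of every response. It assumes a Jakarta Servlet 5+ container (the jakarta.* packages), that toMap() emits the standard header name "Strict-Transport-Security", and that the application is deployed behind a proxy that sets X-Forwarded-Proto only for TLS connections; none of those assumptions come from the documentation above. The point it adds is the HSTS caveat: browsers ignore HSTS received over plain HTTP, and a preset with includeSubDomains and a one-year max-age pins every subdomain to HTTPS for that long, so the header is only worth sending once the request genuinely arrived over TLS.

```java
import java.io.IOException;
import java.util.Map;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import cloud.opencode.base.web.security.SecurityHeaders;

/**
 * Stamps a SecurityHeaders preset onto every response.
 *
 * Assumptions (illustrative, not taken from the SecurityHeaders docs):
 *  - Jakarta Servlet 5+ container;
 *  - toMap() uses the standard name "Strict-Transport-Security" for HSTS;
 *  - X-Forwarded-Proto is set by a trusted reverse proxy and cannot be
 *    injected by clients (if that is not guaranteed, drop that check).
 */
public final class SecurityHeadersFilter implements Filter {

    private static final String HSTS = "Strict-Transport-Security";

    /** Header name/value pairs; toMap() is unmodifiable and the source object is immutable. */
    private final Map<String, String> headers;

    public SecurityHeadersFilter(SecurityHeaders securityHeaders) {
        // Build once, share across all requests: the instance is thread-safe.
        this.headers = securityHeaders.toMap();
    }

    /** strict() for production, standard() elsewhere (same-origin frames still allowed). */
    public static SecurityHeadersFilter forProfile(String profile) {
        SecurityHeaders preset = "prod".equals(profile)
                ? SecurityHeaders.strict()
                : SecurityHeaders.standard();
        return new SecurityHeadersFilter(preset);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        boolean overTls = request.isSecure()
                || "https".equalsIgnoreCase(request.getHeader("X-Forwarded-Proto"));

        for (Map.Entry<String, String> h : headers.entrySet()) {
            // RFC 6797: user agents ignore HSTS on non-TLS responses, and a preset
            // with includeSubDomains commits every subdomain for max-age seconds.
            // Only emit it when the request really came in over TLS.
            if (HSTS.equalsIgnoreCase(h.getKey()) && !overTls) {
                continue;
            }
            // setHeader, not addHeader: an upstream handler must not leave a weaker
            // duplicate value beside the one we set.
            response.setHeader(h.getKey(), h.getValue());
        }

        // Set headers before the chain runs so they are present even when a
        // downstream handler commits the response early.
        chain.doFilter(req, res);
    }
}
```

Register the filter for the URL patterns that serve HTML; API-only endpoints that never render markup can use it as well, since none of the emitted headers break JSON responses.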

Security:

  • Thread-safe: yes (instances are immutable)
  • Null-safe: the builder rejects null arguments
Since:
JDK 25, opencode-base-web V1.0.3
Author:
Leon Soo www.LeonSoo.com
Method Details

    • builder

      public static SecurityHeaders.Builder builder()
      Creates a new builder.
      Returns:
      a new Builder
    • strict

      public static SecurityHeaders strict()
      Creates a strict security headers configuration with the most restrictive settings.

      Includes: DENY frame options, nosniff, no-referrer, a strict CSP, HSTS with a 1 year max-age and includeSubDomains, X-XSS-Protection disabled (the current recommendation, since the legacy browser filter itself introduced weaknesses), and strict cross-origin policies.

      Because browsers cache HSTS for the full max-age and includeSubDomains extends it to every subdomain, serve this preset only over HTTPS and only once all subdomains are reachable over TLS.

      Returns:
      strict SecurityHeaders
    • standard

      public static SecurityHeaders standard()
      Creates a standard security headers configuration suitable for most applications.

      Includes: SAMEORIGIN frame options, nosniff, strict-origin-when-cross-origin referrer, HSTS with a 1 year max-age, and X-XSS-Protection disabled (the current recommendation).

      Returns:
      standard SecurityHeaders
    • applyTo

      public void applyTo(HttpHeaders httpHeaders)
      Applies all security headers to the given HttpHeaders.
      Parameters:
      httpHeaders - the headers to apply to
    • toMap

      public Map<String,String> toMap()
      Returns an unmodifiable map of all security headers (header name to value).
      Returns:
      unmodifiable headers map
    • toString

      public String toString()
      Overrides:
      toString in class Object