Bumping versions

spring-builds · spring-builds · commit b883487f722d · 2025-04-08T18:55:11.000Z
diff --git a/docs/modules/ROOT/partials/_configprops.adoc b/docs/modules/ROOT/partials/_configprops.adoc
@@ -49,10 +49,14 @@
 |spring.cloud.gateway.filter.save-session.enabled | `+++true+++` | Enables the save-session filter.
 |spring.cloud.gateway.filter.secure-headers.content-security-policy | `+++default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src https:; style-src 'self' https: 'unsafe-inline'+++` | 
 |spring.cloud.gateway.filter.secure-headers.content-type-options | `+++nosniff+++` | 
+|spring.cloud.gateway.filter.secure-headers.default-headers |  | 
 |spring.cloud.gateway.filter.secure-headers.disable |  | 
+|spring.cloud.gateway.filter.secure-headers.disabled-headers |  | 
 |spring.cloud.gateway.filter.secure-headers.download-options | `+++noopen+++` | 
 |spring.cloud.gateway.filter.secure-headers.enabled | `+++true+++` | Enables the secure-headers filter.
+|spring.cloud.gateway.filter.secure-headers.enabled-headers |  | 
 |spring.cloud.gateway.filter.secure-headers.frame-options | `+++DENY+++` | 
+|spring.cloud.gateway.filter.secure-headers.permissions-policy | `+++accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()+++` | 
 |spring.cloud.gateway.filter.secure-headers.permitted-cross-domain-policies | `+++none+++` | 
 |spring.cloud.gateway.filter.secure-headers.referrer-policy | `+++no-referrer+++` | 
 |spring.cloud.gateway.filter.secure-headers.strict-transport-security | `+++max-age=631138519+++` | 
diff --git a/spring-cloud-gateway-server/src/main/java/org/springframework/cloud/gateway/filter/factory/SecureHeadersGatewayFilterFactory.java b/spring-cloud-gateway-server/src/main/java/org/springframework/cloud/gateway/filter/factory/SecureHeadersGatewayFilterFactory.java
@@ -83,7 +83,6 @@ public class SecureHeadersGatewayFilterFactory
 	 */
 	public static final String X_PERMITTED_CROSS_DOMAIN_POLICIES_HEADER = SecureHeadersProperties.X_PERMITTED_CROSS_DOMAIN_POLICIES_HEADER;
 
-
 	private final SecureHeadersProperties properties;
 
 	public SecureHeadersGatewayFilterFactory(SecureHeadersProperties properties) {
@@ -106,8 +105,9 @@ public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
 				Set<String> headersToAddToResponse = assembleHeaders(originalConfig, properties);
 
 				Config config = originalConfig.withDefaults(properties);
-				return chain.filter(exchange).then(Mono.fromRunnable(() ->
-						applySecurityHeaders(responseHeaders, headersToAddToResponse, config)));
+				return chain.filter(exchange)
+					.then(Mono
+						.fromRunnable(() -> applySecurityHeaders(responseHeaders, headersToAddToResponse, config)));
 			}
 
 			@Override
@@ -120,36 +120,32 @@ public String toString() {
 	/**
 	 * Applies security headers to the response using the given filter configuration.
 	 * @param responseHeaders - the http headers of the response
-	 * @param headersToAddToResponse - the security headers that are to be added to the response
+	 * @param headersToAddToResponse - the security headers that are to be added to the
+	 * response
 	 * @param config - the security filter configuration
 	 */
 	private void applySecurityHeaders(HttpHeaders responseHeaders, Set<String> headersToAddToResponse, Config config) {
 
-		addHeaderIfEnabled(responseHeaders, headersToAddToResponse,
-				SecureHeadersProperties.X_XSS_PROTECTION_HEADER, config.getXssProtectionHeaderValue());
+		addHeaderIfEnabled(responseHeaders, headersToAddToResponse, SecureHeadersProperties.X_XSS_PROTECTION_HEADER,
+				config.getXssProtectionHeaderValue());
 
 		addHeaderIfEnabled(responseHeaders, headersToAddToResponse,
 				SecureHeadersProperties.STRICT_TRANSPORT_SECURITY_HEADER,
 				config.getStrictTransportSecurityHeaderValue());
 
-		addHeaderIfEnabled(responseHeaders, headersToAddToResponse,
-				SecureHeadersProperties.X_FRAME_OPTIONS_HEADER,
+		addHeaderIfEnabled(responseHeaders, headersToAddToResponse, SecureHeadersProperties.X_FRAME_OPTIONS_HEADER,
 				config.getFrameOptionsHeaderValue());
 
 		addHeaderIfEnabled(responseHeaders, headersToAddToResponse,
-				SecureHeadersProperties.X_CONTENT_TYPE_OPTIONS_HEADER,
-				config.getContentTypeOptionsHeaderValue());
+				SecureHeadersProperties.X_CONTENT_TYPE_OPTIONS_HEADER, config.getContentTypeOptionsHeaderValue());
 
-		addHeaderIfEnabled(responseHeaders, headersToAddToResponse,
-				SecureHeadersProperties.REFERRER_POLICY_HEADER,
+		addHeaderIfEnabled(responseHeaders, headersToAddToResponse, SecureHeadersProperties.REFERRER_POLICY_HEADER,
 				config.getReferrerPolicyHeaderValue());
 
 		addHeaderIfEnabled(responseHeaders, headersToAddToResponse,
-				SecureHeadersProperties.CONTENT_SECURITY_POLICY_HEADER,
-				config.getContentSecurityPolicyHeaderValue());
+				SecureHeadersProperties.CONTENT_SECURITY_POLICY_HEADER, config.getContentSecurityPolicyHeaderValue());
 
-		addHeaderIfEnabled(responseHeaders, headersToAddToResponse,
-				SecureHeadersProperties.X_DOWNLOAD_OPTIONS_HEADER,
+		addHeaderIfEnabled(responseHeaders, headersToAddToResponse, SecureHeadersProperties.X_DOWNLOAD_OPTIONS_HEADER,
 				config.getDownloadOptionsHeaderValue());
 
 		addHeaderIfEnabled(responseHeaders, headersToAddToResponse,
@@ -164,15 +160,14 @@ private void applySecurityHeaders(HttpHeaders responseHeaders, Set<String> heade
 			}
 		}
 
-		addHeaderIfEnabled(responseHeaders, headersToAddToResponse,
-				SecureHeadersProperties.PERMISSIONS_POLICY_HEADER,
+		addHeaderIfEnabled(responseHeaders, headersToAddToResponse, SecureHeadersProperties.PERMISSIONS_POLICY_HEADER,
 				permissionPolicyHeaderValue);
 	}
 
 	/**
-	 * Assembles the set of security headers that are to be applied to the response
-	 * - When route specific arguments are set, route specific headers are applied.
-	 * - When no route specific arguments are set, global default headers are applied.
+	 * Assembles the set of security headers that are to be applied to the response - When
+	 * route specific arguments are set, route specific headers are applied. - When no
+	 * route specific arguments are set, global default headers are applied.
 	 * @param config - the global / route configuration supplied
 	 * @param properties - default security headers configuration provided
 	 * @return set of security headers that are to be added to the response
@@ -190,8 +185,8 @@ private Set<String> assembleHeaders(Config config, SecureHeadersProperties prope
 		return headersToAddToResponse;
 	}
 
-
-	private void addHeaderIfEnabled(HttpHeaders headers, Set<String> headersToAdd, String headerName, String headerValue) {
+	private void addHeaderIfEnabled(HttpHeaders headers, Set<String> headersToAdd, String headerName,
+			String headerValue) {
 		if (headersToAdd.contains(headerName.toLowerCase(Locale.ROOT))) {
 			headers.addIfAbsent(headerName, headerValue);
 		}
@@ -362,7 +357,9 @@ public void setPermissionPolicyHeaderValue(String permissionPolicyHeaderValue) {
 		void setEnable(Set<String> enable) {
 			if (enable != null) {
 				this.routeFilterConfigProvided = true;
-				this.routeEnabledHeaders = enable.stream().map(String::toLowerCase).collect(Collectors.toUnmodifiableSet());
+				this.routeEnabledHeaders = enable.stream()
+					.map(String::toLowerCase)
+					.collect(Collectors.toUnmodifiableSet());
 			}
 		}
 
@@ -379,7 +376,9 @@ Set<String> getRouteEnabledHeaders() {
 		void setDisable(Set<String> disable) {
 			if (disable != null) {
 				this.routeFilterConfigProvided = true;
-				this.routeDisabledHeaders = disable.stream().map(String::toLowerCase).collect(Collectors.toUnmodifiableSet());
+				this.routeDisabledHeaders = disable.stream()
+					.map(String::toLowerCase)
+					.collect(Collectors.toUnmodifiableSet());
 			}
 		}
 
diff --git a/spring-cloud-gateway-server/src/main/java/org/springframework/cloud/gateway/filter/factory/SecureHeadersProperties.java b/spring-cloud-gateway-server/src/main/java/org/springframework/cloud/gateway/filter/factory/SecureHeadersProperties.java
@@ -126,11 +126,10 @@ public class SecureHeadersProperties {
 			+ "navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), "
 			+ "screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()";
 
-
 	/**
-	 * Default constructor for {@link SecureHeadersProperties}.
-	 * Initializes the `defaultHeaders` set with a predefined list of security headers.
-	 * The headers are transformed to lowercase for case-insensitive comparison.
+	 * Default constructor for {@link SecureHeadersProperties}. Initializes the
+	 * `defaultHeaders` set with a predefined list of security headers. The headers are
+	 * transformed to lowercase for case-insensitive comparison.
 	 **/
 	public SecureHeadersProperties() {
 
@@ -249,8 +248,8 @@ public List<String> getDisable() {
 	}
 
 	/**
-	 * Binds the list of default/opt-out header names to disable, transforms them into a lowercase set.
-	 * This is to ensure case-insensitive comparison.
+	 * Binds the list of default/opt-out header names to disable, transforms them into a
+	 * lowercase set. This is to ensure case-insensitive comparison.
 	 * @param disable - list of default/opt-out header names to disable
 	 */
 	public void setDisable(List<String> disable) {
@@ -267,8 +266,8 @@ public Set<String> getEnabledHeaders() {
 	}
 
 	/**
-	 * Binds the list of default/opt-out header names to enable, transforms them into a lowercase set.
-	 * This is to ensure case-insensitive comparison.
+	 * Binds the list of default/opt-out header names to enable, transforms them into a
+	 * lowercase set. This is to ensure case-insensitive comparison.
 	 * @param enable - list of default/opt-out header enable
 	 */
 	public void setEnable(List<String> enable) {
diff --git a/spring-cloud-gateway-server/src/test/java/org/springframework/cloud/gateway/filter/factory/SecureHeadersGatewayFilterFactoryTests.java b/spring-cloud-gateway-server/src/test/java/org/springframework/cloud/gateway/filter/factory/SecureHeadersGatewayFilterFactoryTests.java
@@ -49,10 +49,10 @@
 public class SecureHeadersGatewayFilterFactoryTests extends BaseWebClientTests {
 
 	/**
-	* This test ensures that the response includes a set of default security headers,
-	* which are defined in {@link SecureHeadersProperties}. It also confirms that the
-	* opt-in "Permissions-Policy" header is not included in the response.
-	*/
+	 * This test ensures that the response includes a set of default security headers,
+	 * which are defined in {@link SecureHeadersProperties}. It also confirms that the
+	 * opt-in "Permissions-Policy" header is not included in the response.
+	 */
 	@Test
 	public void secureHeadersFilterWorks() {
 		Mono<ClientResponse> result = webClient.get()
diff --git a/spring-cloud-gateway-server/src/test/java/org/springframework/cloud/gateway/filter/factory/SecureHeadersGatewayFilterFactoryUnitTests.java b/spring-cloud-gateway-server/src/test/java/org/springframework/cloud/gateway/filter/factory/SecureHeadersGatewayFilterFactoryUnitTests.java
@@ -242,7 +242,8 @@ public void applyCompositionWithDisabledHeadersAndPermissionPolicy() {
 	@Test
 	public void overrideDefaultInSecurityPropertiesWhenRouteConfigIsProvided() {
 
-		SecureHeadersGatewayFilterFactory filterFactory = new SecureHeadersGatewayFilterFactory(new SecureHeadersProperties());
+		SecureHeadersGatewayFilterFactory filterFactory = new SecureHeadersGatewayFilterFactory(
+				new SecureHeadersProperties());
 
 		Config config = new Config();
 		config.setDisable(Set.of("strict-transport-security"));
@@ -256,8 +257,7 @@ public void overrideDefaultInSecurityPropertiesWhenRouteConfigIsProvided() {
 		ServerHttpResponse response = exchange.getResponse();
 		assertThat(response.getHeaders()).containsOnlyKeys(X_XSS_PROTECTION_HEADER, X_FRAME_OPTIONS_HEADER,
 				X_CONTENT_TYPE_OPTIONS_HEADER, REFERRER_POLICY_HEADER, CONTENT_SECURITY_POLICY_HEADER,
-				X_DOWNLOAD_OPTIONS_HEADER, X_PERMITTED_CROSS_DOMAIN_POLICIES_HEADER,
-				PERMISSIONS_POLICY_HEADER);
+				X_DOWNLOAD_OPTIONS_HEADER, X_PERMITTED_CROSS_DOMAIN_POLICIES_HEADER, PERMISSIONS_POLICY_HEADER);
 		assertThat(response.getHeaders().get(PERMISSIONS_POLICY_HEADER)).containsExactly("camera=*");
 	}
 
