Page Comparison

...

Parent

Configuration

Required

Default

Type

Description

spring.security.csp

policy

Code Block

default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self' https://login.microsoftonline.com; frame-src 'self' blob:; object-src 'self'; media-src 'self'; frame-ancestors 'self'; form-action 'self' https://login.microsoftonline.com https://outlook.office.com; base-uri 'self'; manifest-src 'self'; worker-src 'self';

String

Content Security Policy.

This setting secures communication between web server and browser against various attacks like XSS, or injections.

See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

spring.security.cors

allowed-origins

Code Block
http(s)://localhost:<port>

String

CORS Header: Access-Control-Allowed-Origin.

The Browser accepts resources from the allowed origin only. In the default, it will be created from:

${server.ssl.enabled:false} → if true, HTTPS

${server.address}

${server.port}

May be directly overwritten with

spring.security.cors.allowed-origins:

Allowed values are:

* ( Asterisk - from everywhere)
<origin> (one absolute URL)

Example:

Code Block
spring.security.cors.allowed-origins: "*"

spring.security.cors

allowed-headers

Code Block
Access-Control-Allow-Headers, Access-Control-Allow-Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, Cache-Control, Content-Type, Authorization

List<String>

CORS Header: Access-Control-Allowed-Headers.

The Headers, that are allowed by the browser. See:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers

Allowed values are:

*(Asterisk - all Headers)
List<String> (String list, comma seperated)

Example:

Code Block
spring.security.cors.allowed-headers: "*"

spring.security.cors

allowed-headers

Code Block
Access-Control-Allow-Headers, Access-Control-Allow-Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Origin, Cache-Control, Content-Type, Authorization

List<String>

CORS Header: Access-Control-Allowed-Headers.

The Headers, that are allowed by the browser. See:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers

Allowed values are:

*(Asterisk - all Headers)
List<String> (String list, comma seperated)

Example:

Code Block
spring.security.cors.allowed-headers: "*"

spring.security.cors

allow-credentials

true

Boolean

CORS Header: Access-Control-Allow-Credentials.

Tell the browser, whether it allowes cross-origin request credentials or not (credentials may be in cookies etc.)

See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials

Example:

Code Block
tia.security.cors.allow-credentials: false

spring.security.cors

allow-x-frame-options-from

DENY

String(Enum)

CORS Header: X-Frame-Options.

Tells the browser if it accept the content of the viewer when its embedded in an iFrame.

See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Info

Hint: This flag is obsolete when using CSP

Code Block
frame-ancestor

Allowed values are:

* (Allow from everywhere)
DENY
SAMEORIGIN
ALLOW-FROM XXXXXX (http-address [origin])

Example:

Code Block
spring.security.cors.allow-x-frame-options-from: "*"

spring.security.xss

mode

disabled

String (Enum)

Cross-Site Protection Header.

Note
Should not be set in Production.

See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

Allowed values are:

block mode
block
disabled

Example:

Code Block
spring.security.xss.mode: block-mode

...

Versions Compared

Old Version 18

New Version 19

Key