Add Referrer-Policy header to default security headers

therepanic · therepanic · commit d1776989edde · 2025-07-23T22:31:51.000+03:00
Closes: gh-13567 Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurer.java
@@ -66,6 +66,7 @@
  * Strict-Transport-Security: max-age=31536000 ; includeSubDomains
  * X-Frame-Options: DENY
  * X-XSS-Protection: 0
+ * Referrer-Policy: no-referrer
  * </pre>
  *
  * @author Rob Winch
@@ -75,6 +76,7 @@
  * @author Vedran Pavic
  * @author Ankur Pathak
  * @author Daniel Garnier-Moiroux
+ * @author Andrey Litvitski
  * @since 3.2
  */
 public class HeadersConfigurer<H extends HttpSecurityBuilder<H>>
@@ -266,6 +268,7 @@ public HeadersConfigurer<H> defaultsDisabled() {
 		this.cacheControl.disable();
 		this.hsts.disable();
 		this.frameOptions.disable();
+		this.referrerPolicy.disable();
 		return this;
 	}
 
@@ -968,6 +971,27 @@ public final class ReferrerPolicyConfig {
 		private ReferrerPolicyHeaderWriter writer;
 
 		private ReferrerPolicyConfig() {
+			enable();
+		}
+
+		/**
+		 * Disables Referrer Policy
+		 * @return the {@link HeadersConfigurer} for additional configuration
+		 */
+		public HeadersConfigurer<H> disable() {
+			this.writer = null;
+			return HeadersConfigurer.this;
+		}
+
+		/**
+		 * Ensures the Referrer Policy header is enabled if it is not already.
+		 * @return the {@link ReferrerPolicyConfig} for additional customization
+		 */
+		public ReferrerPolicyConfig enable() {
+			if (this.writer == null) {
+				this.writer = new ReferrerPolicyHeaderWriter();
+			}
+			return this;
 		}
 
 		/**
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfigurationTests.java
@@ -141,11 +141,13 @@ public void getWhenDefaultFilterChainBeanThenDefaultHeadersInResponse() throws E
 				.andExpect(header().string(HttpHeaders.EXPIRES, "0"))
 				.andExpect(header().string(HttpHeaders.PRAGMA, "no-cache"))
 				.andExpect(header().string(HttpHeaders.X_XSS_PROTECTION, "0"))
+				.andExpect(header().string(HttpHeaders.REFERRER_POLICY, "no-referrer"))
 				.andReturn();
 		// @formatter:on
 		assertThat(mvcResult.getResponse().getHeaderNames()).containsExactlyInAnyOrder(
 				HttpHeaders.X_CONTENT_TYPE_OPTIONS, HttpHeaders.X_FRAME_OPTIONS, HttpHeaders.STRICT_TRANSPORT_SECURITY,
-				HttpHeaders.CACHE_CONTROL, HttpHeaders.EXPIRES, HttpHeaders.PRAGMA, HttpHeaders.X_XSS_PROTECTION);
+				HttpHeaders.CACHE_CONTROL, HttpHeaders.EXPIRES, HttpHeaders.PRAGMA, HttpHeaders.X_XSS_PROTECTION,
+				HttpHeaders.REFERRER_POLICY);
 	}
 
 	@Test
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/HeadersConfigurerTests.java
@@ -81,10 +81,12 @@ public void getWhenHeadersConfiguredThenDefaultHeadersInResponse() throws Except
 			.andExpect(header().string(HttpHeaders.EXPIRES, "0"))
 			.andExpect(header().string(HttpHeaders.PRAGMA, "no-cache"))
 			.andExpect(header().string(HttpHeaders.X_XSS_PROTECTION, "0"))
+			.andExpect(header().string(HttpHeaders.REFERRER_POLICY, "no-referrer"))
 			.andReturn();
 		assertThat(mvcResult.getResponse().getHeaderNames()).containsExactlyInAnyOrder(
 				HttpHeaders.X_CONTENT_TYPE_OPTIONS, HttpHeaders.X_FRAME_OPTIONS, HttpHeaders.STRICT_TRANSPORT_SECURITY,
-				HttpHeaders.CACHE_CONTROL, HttpHeaders.EXPIRES, HttpHeaders.PRAGMA, HttpHeaders.X_XSS_PROTECTION);
+				HttpHeaders.CACHE_CONTROL, HttpHeaders.EXPIRES, HttpHeaders.PRAGMA, HttpHeaders.X_XSS_PROTECTION,
+				HttpHeaders.REFERRER_POLICY);
 	}
 
 	@Test
@@ -98,10 +100,12 @@ public void getWhenHeadersConfiguredInLambdaThenDefaultHeadersInResponse() throw
 			.andExpect(header().string(HttpHeaders.EXPIRES, "0"))
 			.andExpect(header().string(HttpHeaders.PRAGMA, "no-cache"))
 			.andExpect(header().string(HttpHeaders.X_XSS_PROTECTION, "0"))
+			.andExpect(header().string(HttpHeaders.REFERRER_POLICY, "no-referrer"))
 			.andReturn();
 		assertThat(mvcResult.getResponse().getHeaderNames()).containsExactlyInAnyOrder(
 				HttpHeaders.X_CONTENT_TYPE_OPTIONS, HttpHeaders.X_FRAME_OPTIONS, HttpHeaders.STRICT_TRANSPORT_SECURITY,
-				HttpHeaders.CACHE_CONTROL, HttpHeaders.EXPIRES, HttpHeaders.PRAGMA, HttpHeaders.X_XSS_PROTECTION);
+				HttpHeaders.CACHE_CONTROL, HttpHeaders.EXPIRES, HttpHeaders.PRAGMA, HttpHeaders.X_XSS_PROTECTION,
+				HttpHeaders.REFERRER_POLICY);
 	}
 
 	@Test
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpHeadersTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpHeadersTests.java
@@ -65,6 +65,7 @@ public class NamespaceHttpHeadersTests {
 		defaultHeaders.put("Expires", "0");
 		defaultHeaders.put("Pragma", "no-cache");
 		defaultHeaders.put("X-XSS-Protection", "0");
+		defaultHeaders.put("Referrer-Policy", "no-referrer");
 	}
 	public final SpringTestContext spring = new SpringTestContext(this);
 

Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,7 @@ public class NamespaceHttpHeadersTests {`
`65`	`65`	`defaultHeaders.put("Expires", "0");`
`66`	`66`	`defaultHeaders.put("Pragma", "no-cache");`
`67`	`67`	`defaultHeaders.put("X-XSS-Protection", "0");`
	`68`	`+ defaultHeaders.put("Referrer-Policy", "no-referrer");`
`68`	`69`	`}`
`69`	`70`	`public final SpringTestContext spring = new SpringTestContext(this);`
`70`	`71`