Java + Spring Boot: I am trying to add CacheControl header to ResponseEntity
TL;DR
Just add the following to your application.properties:
    security.headers.cache=false
More Details
As Spring Security documentation states:
Spring Security allows users to easily inject the default security headers to assist in protecting their application. The default for Spring Security is to include the following headers:
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
now I get 2 CacheControl headers in my response
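One of them is provided by Spring Security. If you don't like them, you can disable the default Cache-Control headers in your WebSecurityConfigurerAdapter:
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        // Other configurations
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // Other configurations
                .headers()
                    // Stop writing the default Cache-Control, Pragma and Expires headers
                    .cacheControl().disable();
        }
    }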
Since you're using Spring Boot, you can achieve the same using the security.headers.* properties. In order to disable that default Cache-Control header, just add the following to your application.properties:
    security.headers.cache=false
Also, a more idiomatic way of adding Cache-Control headers is to use the new cacheControl builder:
    ResponseEntity.ok()
        .cacheControl(CacheControl.maxAge(600, TimeUnit.SECONDS))
        .body(body);
user3742622
Updated on June 12, 2022
Comments
-
user3742622 almost 2 years
I am not so good in Java + Spring, but I'd like to add a Cache-Control header to my ResponseEntity.
    @RequestMapping(value = "/data/{id}", method = GET)
    public ResponseEntity<String> getData(@PathVariable("id") String id) {
        try {
            ...
            HttpHeaders headers = new HttpHeaders();
            headers.setCacheControl("max-age=600");
            return new ResponseEntity<String>(body, headers, HttpStatus.OK);
        }
    }
I added two lines of code for HttpHeaders and now I get two Cache-Control headers in my response:
    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: 0
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=31536000 ; includeSubDomains
    Cache-Control: max-age=600
    Content-Type: application/json;charset=UTF-8
    Content-Length: 18223
    Date: Wed, 29 Jun 2016 21:56:57 GMT
What did I do wrong?
-
Antonio about 7 years
great, this worked for me too. For some reason the security.headers.cache=false thing did not affect the results, however explicitly extending the WebSecurityConfigurerAdapter did the trick. Now I have my controllers explicitly declaring their caching policy. Great hint.
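An added example, not part of the original thread: a small Python check that parses a raw response, combines repeated Cache-Control field lines into one directive list as a recipient does, and reports duplicates and contradictory directives. The sample input is constructed from the response quoted in the question (trimmed), and the function names are this example's own.

```python
from collections import defaultdict

# Constructed sample: trimmed copy of the response quoted in the question.
SAMPLE = """\
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Cache-Control: max-age=600
Content-Type: application/json;charset=UTF-8
"""

def parse_headers(raw):
    """Return {lowercased field name: [values in wire order]}."""
    fields = defaultdict(list)
    for line in raw.splitlines()[1:]:       # skip the status line
        if not line.strip():
            break                           # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()].append(value.strip())
    return fields

def audit_cache_control(raw):
    """Merge repeated Cache-Control lines and list duplicate or conflicting directives."""
    lines = parse_headers(raw).get("cache-control", [])
    directives = defaultdict(list)
    for value in lines:
        for part in value.split(","):
            key, _, arg = part.strip().partition("=")
            if key:
                directives[key.lower()].append(arg.strip('"'))
    findings = []
    if len(lines) > 1:
        findings.append("duplicate Cache-Control field lines: %d" % len(lines))
    for key, args in directives.items():
        if len(set(args)) > 1:
            findings.append("conflicting %s values: %s" % (key, ", ".join(args)))
    positive = any(a.isdigit() and int(a) > 0 for a in directives.get("max-age", []))
    if "no-store" in directives and positive:
        findings.append("no-store sent together with a positive max-age")
    return {"lines": len(lines), "no_store": "no-store" in directives, "findings": findings}

if __name__ == "__main__":
    print(audit_cache_control(SAMPLE))
```

Once the default header is disabled, a result with `lines` equal to 0 marks an endpoint that no longer sends any caching policy and needs one declared in its controller.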