Provide an easy method to disable all secure-headers · spring-cloud/spring-cloud-gateway#2932

(1 comment) (0 reactions) (0 assignees)Java (4,284 stars) (3,204 forks)batch import

enhancementhelp wanted

Description

Is your feature request related to a problem? Please describe. Some users want to disable all secure-headers, but the current method requires listing all headers one by one, which is not trivial and not complete in case that in some future a new header is added. Even if that possibility is remote.

Describe the solution you'd like I'd like to be able to disable all in a concise way, my proposal is to provide an all flag like.

spring.cloud.gateway.filter.secure-headers.disable=all

This should not overlap with any other secure header, or just to be sure and make uses well aware of the implications, we could use all-headers.

Describe alternatives you've considered The feature is already possible, as exposed, this is a matter of convenience and future-proof.

Additional context n/a

Contributor guide

Tech stack: java
Domain: backendsecurity
Issue type: feature
Difficulty: 3
Estimated time: 1-3 hours
Activity status: fresh
Clarity: clear
Prerequisites: basic knowledge of Spring Cloud Gateway configuration
Newbie friendliness: 40
Research direction: Examine the SecureHeadersGatewayFilterFactory class in the spring cloud gateway repository. The current configuration allows disabling individual headers via properties like `spring.cloud.gateway.filter.secure headers.disable`. To implement this feature, you would need to add support for a special value like 'all' or 'all headers' that disables all secure headers. Check how the disable property is parsed and processed in the filter factory. Consider looking at the corresponding test files for guidance on existing behavior.