11

I am not so good at Java + Spring, but I'd like to add a Cache-Control header to my ResponseEntity.

@RequestMapping(value = "/data/{id}", method = GET)
public ResponseEntity<String> getData(@PathVariable("id") String id) {
    try {
        ...
        HttpHeaders headers = new HttpHeaders();
        headers.setCacheControl("max-age=600");

        return new ResponseEntity<String>(body, headers, HttpStatus.OK);
    }
}

I added two lines of code for HttpHeaders and now I get two Cache-Control headers in my response:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Cache-Control: max-age=600
Content-Type: application/json;charset=UTF-8
Content-Length: 18223
Date: Wed, 29 Jun 2016 21:56:57 GMT

What did I do wrong?

2
  • Are you using Spring Security? Commented Jun 30, 2016 at 19:33
  • Yes, my app has basic authentication for reaching REST API. Commented Jun 30, 2016 at 19:42

1 Answer

22

TL;DR

Just add the following to your application.properties:

security.headers.cache=false

More Details

As Spring Security documentation states:

Spring Security allows users to easily inject the default security headers to assist in protecting their application. The default for Spring Security is to include the following headers:

Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block

now I get 2 CacheControl headers in my response

One of them is provided by Spring Security. If you don't like them, you can disable the default Cache-Control headers in your WebSecurityConfigurerAdapter:

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // Other configurations

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                // Other configurations
                .headers()
                    .cacheControl().disable();
    }
}

Since you're using Spring Boot, you can achieve the same using the security.headers.* properties. In order to disable that default Cache-Control header, just add the following to your application.properties:

security.headers.cache=false

Also, a more idiomatic way of adding Cache-Control headers is to use the new cacheControl builder:

ResponseEntity.ok()
              .cacheControl(CacheControl.maxAge(600, TimeUnit.SECONDS))
              .body(body);
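
An added example, not part of the original answer or of Spring's own code: `.cacheControl().disable()` (like `security.headers.cache=false`) drops the no-store default from every response, so the configuration below re-applies Spring Security's `CacheControlHeadersWriter` to all paths except the one whose controller declares its own policy. The class names, the `/data/**` matcher, the `authorizeRequests()`/`httpBasic()` lines and the placeholder body are assumptions.

```java
import java.util.concurrent.TimeUnit;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.CacheControl;
import org.springframework.http.ResponseEntity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.CacheControlHeadersWriter;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.bind.annotation.*;

@Configuration
class ScopedCacheSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Assumption: only /data/** has controllers that set their own Cache-Control.
        RequestMatcher cacheable = new AntPathRequestMatcher("/data/**");

        http
            .authorizeRequests().anyRequest().authenticated().and()
            .httpBasic().and()
            .headers()
                // Weak on its own: no response gets no-store any more.
                .cacheControl().disable()
                // Corrected: write the default no-cache/no-store headers on every other path.
                .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
                        new NegatedRequestMatcher(cacheable),
                        new CacheControlHeadersWriter()));
    }
}

@RestController
class DataController {
    @RequestMapping(value = "/data/{id}", method = RequestMethod.GET)
    public ResponseEntity<String> getData(@PathVariable("id") String id) {
        String body = "{}"; // placeholder payload for the example
        return ResponseEntity.ok()
                // private: the endpoint is behind basic auth, so shared caches must not store it.
                .cacheControl(CacheControl.maxAge(600, TimeUnit.SECONDS).cachePrivate())
                .body(body);
    }
}
```

With this in place, `/data/{id}` returns a single `Cache-Control: max-age=600, private` header, while every other path keeps the `no-cache, no-store, max-age=0, must-revalidate` default.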

1 Comment

Great, this worked for me too. For some reason the security.headers.cache=false thing did not affect the results; however, explicitly extending the WebSecurityConfigurerAdapter did the trick. Now I have my controllers explicitly declaring their caching policy. Great hint.
