Commit 7e3ede3

docs: Document securityHeadersDecorator in README
1 parent dadd983 commit 7e3ede3

1 file changed

Lines changed: 18 additions & 0 deletions

README.md

@@ -364,6 +364,24 @@ OpenApiServer.builder()
364364
.build();
365365
```
366366

367+
#### Built-in: browser security headers
368+
369+
`Handlers.securityHeadersDecorator()` adds two browser-hardening headers to every response —
370+
`X-Content-Type-Options: nosniff` and `Cross-Origin-Resource-Policy: same-origin`. Handler-supplied
371+
values for either header are preserved, so individual responses can opt out by setting the header
372+
explicitly.
373+
374+
``` java
375+
OpenApiServer.builder()
376+
.spec(spec)
377+
.handlers(handlers)
378+
.responseDecorator(Handlers.securityHeadersDecorator())
379+
.build();
380+
```
381+
382+
Decorators run on the dispatch path only — error responses produced by `ExceptionFilter` (e.g.
383+
the default 500) bypass them.
384+
367385
### Request interceptors
368386

369387
`Builder.interceptor(...)` registers a `RequestInterceptor` that wraps every handler invocation.
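
Review bot: The opening sentence of the new section (README line 369) says the decorator adds the headers to "every response", but the closing paragraph (lines 382-383) says error responses produced by `ExceptionFilter` bypass decorators, so the two statements contradict each other. A reader who stops after the first paragraph will assume the default 500 also carries `X-Content-Type-Options: nosniff` and `Cross-Origin-Resource-Policy: same-origin`. Suggest narrowing the first sentence to something like "every response produced on the dispatch path" and moving the `ExceptionFilter` caveat above the code sample so the limitation is read before the snippet is copied. If the project has a recommended way to get these headers onto error responses, it belongs here too; the visible text does not say.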
