Some authorizers only apply on the web context:

1) CORS

• CorsAuthorizer defines how CORS requests are authorized via the Access-Control-* response headers

2) CSRF

• CsrfTokenGeneratorAuthorizer generates a CSRF token based on a provided CsrfTokenGenerator and adds it to the current request (pac4jCsrfToken attribute) and saves it in the pac4jCsrfToken cookie

• CsrfAuthorizer check sthat the web context has the appropriate CSRF token in order to protect against CSRF attacks. Using the DefaultCsrfTokenGenerator or the csrfToken authorizer, you can get the CSRF token and send it as a parameter or as a header. The CsrfAuthorizer checks that the request is a POST and has a CSRF token (found in a parameter or header)

3) Security headers

• XFrameOptionsHeader checks that the website is not called in a Iframe

• XSSProtectionHeader protects against XSS attacks

• XContentTypeOptionsHeader prevents the browser from doing MIME-type sniffing

• StrictTransportSecurityHeader enforces the browser that it should only be communicated with using HTTPS

• CacheControlHeader enforces the browser that it should only be communicated with using HTTPS

4) Others

• IpRegexpAuthorizer checks the incoming IP address

• CheckHttpMethodAuthorizer checks that the request was performed with the appropriate HTTP method