In my Spring MVC (5.0.3) application I have added a class SecurityConfig which extends WebSecurityConfigurerAdapter as follows:
My expectation is after browsing http://localhost:2020/webapp/
I will see CSP header in browser's developer console (Network tab). But, nothing related to CSP is added into response header.
I have checked by by applying breaking point at line http.headers().contentSecurityPolicy("script-src 'self'"); and it's hitting one time during context loading.
What's wrong why CSP header is not getting added in response?