Missing Spring Security Response Headers since Spring Boot 4.0.3

[nils-christian]

Hi,

We updated from Spring Boot 4.0.2 to 4.0.3 and noted that suddenly response headers were missing. We used a simple demo projected created with the Spring Initializr to test this. A simple security chain adds some headers.

@Bean
SecurityFilterChain securityFilterChain( final HttpSecurity httpSecurity ) {
	return httpSecurity
			.securityMatcher( "/**" )
			.headers( c -> c.contentSecurityPolicy( withDefaults( ) ) )
			.authorizeHttpRequests( a -> a
					.anyRequest( )
					.anonymous( ) )
			.build( );
}

With 4.0.2 we would get the following headers:

HTTP/1.1 200
Last-Modified: Tue, 24 Feb 2026 10:55:17 GMT
Accept-Ranges: bytes
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'
Content-Type: text/html
Content-Language: de-DE
Content-Length: 23
Date: Tue, 24 Feb 2026 11:00:29 GMT
Keep-Alive: timeout=60
Connection: keep-alive

With 4.0.3 we get the following instead:

HTTP/1.1 200
Last-Modified: Tue, 24 Feb 2026 10:55:17 GMT
Accept-Ranges: bytes
Content-Type: text/html
Content-Language: de-DE
Content-Length: 23
Date: Tue, 24 Feb 2026 11:01:16 GMT
Keep-Alive: timeout=60
Connection: keep-alive

According to the release notes of Spring Framework 7.0.5 there is "Attention Required" due to "Optimize request and response header handling in Spring MVC #36334". However, nowhere is stated what has to be done. It is unclear whether this is missing documentation or something simply broke.

Thank you and best regards

Nils

[bjornharvold]

Just came across this issue. I am facing a similar issue after upgrading to Spring Boot 4.0.3 but I do not know if it's related.

PUTs, POSTs are failing but still saving 🤔.

Screenshots of my error. See the *,* in Access-Control-Allow-Origin and duplicates in access-control-expose-headers . GET does not have duplicate values.

[nawrasNasser]

Also got this issue. It is not clear whether it is a bug or not.
In my case this workaround solved the problem. But there should be a better approach.

http.headers(headers -> headers
    .withObjectPostProcessor(new ObjectPostProcessor<>() {
        @Override
        public <O extends HeaderWriterFilter> O postProcess(O filter) {
            filter.setShouldWriteHeadersEagerly(true);
            return filter;
        }
    })
)

[jhoeller]

As a side note, you could downgrade to Spring Framework 7.0.4 within Spring Boot 4.0.3, setting spring-framework.version accordingly. The headers optimization is only in Spring Framework 7.0.5 which was released just one week after 7.0.4.

[rstoyanchev]

I can confirm the issue. It is indeed related to the changes in #36334. It affects controllers returning a String, but not Objects serialized to JSON. More specifically types of responses where the "Content-Length" is set.

Tomcat closes the response when the number of bytes written match the content length.

In 7.0.4, the content length was written to HttpHeaders (and stored in a map), then the body written, and then the contents of HttpHeaders are propagated to the Servlet response. In 7.0.5, HttpHeaders sets the content length on the Servlet response immediately, and so as the body is written Tomcat notices when all the content is done, and closes.

From there any attempts to write headers, as Spring Security does, are no-ops since the response is committed.

I'm wondering is there a reason for these headers to be written after, and not before?

[rwinch]

It looks like it was an issue in Spring Security which is fixed in the latest SNAPSHOTs. Can you try to see if using Spring Security 7.0.5-SNAPSHOT fixes your issue?

[nils-christian]

Hi @rwinch ,

You mean 7.0.4-SNAPSHOT, right? The latest release of Spring Security is 7.0.3.

In my demo project this seems to solve the header issue. Unfortunately I cannot execute the test case that detected the bug in the first place, because several spring-security-oauth2-dependencies are missing in the Snapshot version. Still, I am confident that this is our bug.

[rstoyanchev]

I think the current snapshot is 7.0.4-SNAPSHOT.

Closing on this side as the fix will come from Spring Security spring-projects/spring-security#18798.