The class com.coremedia.blueprint.cae.filter.SecurityHeadersFilter has been removed, the security headers for the CAE are now configured in com.coremedia.cae.security.CaeWebSecurityConfigurerAdapter#configure(org.springframework.security.config.annotation.web.configurers.HeadersConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity>) . It configures the same security headers that were formally set by the com.coremedia.blueprint.cae.filter.SecurityHeadersFilter . To set the same security headers, the default configuration provided by the org.springframework.security.config.annotation.web.configurers.HeadersConfigurer is used, but for the preview CAE, the X-Frame-Options header is (still) disabled.

With this change, the former configuration of the cache control headers hasn't been changed.

To customize the security headers, override the com.coremedia.cae.security.CaeWebSecurityConfigurerAdapter#configure(org.springframework.security.config.annotation.web.configurers.HeadersConfigurer<org.springframework.security.config.annotation.web.builders.HttpSecurity>) method with a custom implementation.

Please refer to Content Application Developer Manual - Spring Security

(CMS-13278)