HttpHeaders no longer a MultiValueMap

Closes gh-17060

config/src/test/java/org/springframework/security/config/web/server/CorsSpecTests.java

@@ -18,8 +18,6 @@ package org.springframework.security.config.web.server;
 
 import java.util.Arrays;
 import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
 import java.util.Set;
 
 import org.junit.jupiter.api.BeforeEach;
@@ -114,12 +112,13 @@ public class CorsSpecTests {
 				.exchange()
 				.returnResult(String.class);
 		// @formatter:on
-		Map<String, List<String>> responseHeaders = response.getResponseHeaders();
+		HttpHeaders responseHeaders = response.getResponseHeaders();
 		if (!this.expectedHeaders.isEmpty()) {
-			assertThat(responseHeaders).describedAs(response.toString()).containsAllEntriesOf(this.expectedHeaders);
+			this.expectedHeaders.forEach(
+					(headerName, headerValues) -> assertThat(responseHeaders.get(headerName)).isEqualTo(headerValues));
 		}
 		if (!this.headerNamesNotPresent.isEmpty()) {
-			assertThat(responseHeaders.keySet()).doesNotContainAnyElementsOf(this.headerNamesNotPresent);
+			assertThat(responseHeaders.headerNames()).doesNotContainAnyElementsOf(this.headerNamesNotPresent);
 		}
 	}
 

config/src/test/java/org/springframework/security/config/web/server/HeaderSpecTests.java

@@ -18,8 +18,6 @@ package org.springframework.security.config.web.server;
 
 import java.time.Duration;
 import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
 import java.util.Set;
 
 import org.junit.jupiter.api.BeforeEach;
@@ -80,14 +78,14 @@ public class HeaderSpecTests {
 
 	@Test
 	public void headersWhenDisableThenNoSecurityHeaders() {
-		new HashSet<>(this.expectedHeaders.keySet()).forEach(this::expectHeaderNamesNotPresent);
+		new HashSet<>(this.expectedHeaders.headerNames()).forEach(this::expectHeaderNamesNotPresent);
 		this.http.headers().disable();
 		assertHeaders();
 	}
 
 	@Test
 	public void headersWhenDisableInLambdaThenNoSecurityHeaders() {
-		new HashSet<>(this.expectedHeaders.keySet()).forEach(this::expectHeaderNamesNotPresent);
+		new HashSet<>(this.expectedHeaders.headerNames()).forEach(this::expectHeaderNamesNotPresent);
 		this.http.headers((headers) -> headers.disable());
 		assertHeaders();
 	}
@@ -515,12 +513,13 @@ public class HeaderSpecTests {
 			.uri("https://example.com/")
 			.exchange()
 			.returnResult(String.class);
-		Map<String, List<String>> responseHeaders = response.getResponseHeaders();
+		HttpHeaders responseHeaders = response.getResponseHeaders();
 		if (!this.expectedHeaders.isEmpty()) {
-			assertThat(responseHeaders).describedAs(response.toString()).containsAllEntriesOf(this.expectedHeaders);
+			this.expectedHeaders.forEach(
+					(headerName, headerValues) -> assertThat(responseHeaders.get(headerName)).isEqualTo(headerValues));
 		}
 		if (!this.headerNamesNotPresent.isEmpty()) {
-			assertThat(responseHeaders.keySet()).doesNotContainAnyElementsOf(this.headerNamesNotPresent);
+			assertThat(responseHeaders.headerNames()).doesNotContainAnyElementsOf(this.headerNamesNotPresent);
 		}
 	}
 

config/src/test/java/org/springframework/security/config/web/server/OidcLogoutSpecTests.java

@@ -945,7 +945,7 @@ public class OidcLogoutSpecTests {
 		private MockResponse toMockResponse(FluxExchangeResult<String> result) {
 			MockResponse response = new MockResponse();
 			response.setResponseCode(result.getStatus().value());
-			for (String name : result.getResponseHeaders().keySet()) {
+			for (String name : result.getResponseHeaders().headerNames()) {
 				response.addHeader(name, result.getResponseHeaders().getFirst(name));
 			}
 			String body = result.getResponseBody().blockFirst();

config/src/test/kotlin/org/springframework/security/config/web/server/ServerHttpsRedirectDslTests.kt

@@ -127,7 +127,7 @@ class ServerHttpsRedirectDslTests {
             return http {
                 redirectToHttps {
                     httpsRedirectWhen {
-                        it.request.headers.containsKey("X-Requires-Https")
+                        it.request.headers.headerNames().contains("X-Requires-Https")
                     }
                 }
             }
@@ -165,7 +165,7 @@ class ServerHttpsRedirectDslTests {
                 redirectToHttps {
                     httpsRedirectWhen(PathPatternParserServerWebExchangeMatcher("/secure"))
                     httpsRedirectWhen {
-                        it.request.headers.containsKey("X-Requires-Https")
+                        it.request.headers.headerNames().contains("X-Requires-Https")
                     }
                 }
             }

oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/server/BearerTokenServerAuthenticationEntryPointTests.java

@@ -91,7 +91,7 @@ public class BearerTokenServerAuthenticationEntryPointTests {
 	@Test
 	public void commenceWhenNoSubscriberThenNothingHappens() {
 		this.entryPoint.commence(this.exchange, new BadCredentialsException(""));
-		assertThat(getResponse().getHeaders()).isEmpty();
+		assertThat(getResponse().getHeaders().headerNames()).isEmpty();
 		assertThat(getResponse().getStatusCode()).isNull();
 	}
 

web/src/main/java/org/springframework/security/web/FilterInvocation.java

@@ -267,7 +267,7 @@ public class FilterInvocation {
 
 		@Override
 		public Enumeration<String> getHeaderNames() {
-			return Collections.enumeration(this.headers.keySet());
+			return Collections.enumeration(this.headers.headerNames());
 		}
 
 		@Override

web/src/main/java/org/springframework/security/web/server/firewall/StrictServerWebExchangeFirewall.java

@@ -135,8 +135,8 @@ public class StrictServerWebExchangeFirewall implements ServerWebExchangeFirewal
 	private static final Pattern ASSIGNED_AND_NOT_ISO_CONTROL_PATTERN = Pattern
 		.compile("[\\p{IsAssigned}&&[^\\p{IsControl}]]*");
 
-	private static final Predicate<String> ASSIGNED_AND_NOT_ISO_CONTROL_PREDICATE = (
-			s) -> ASSIGNED_AND_NOT_ISO_CONTROL_PATTERN.matcher(s).matches();
+	private static final Predicate<String> ASSIGNED_AND_NOT_ISO_CONTROL_PREDICATE = (s) -> s == null
+			|| ASSIGNED_AND_NOT_ISO_CONTROL_PATTERN.matcher(s).matches();
 
 	private static final Pattern HEADER_VALUE_PATTERN = Pattern.compile("[\\p{IsAssigned}&&[[^\\p{IsControl}]||\\t]]*");
 
@@ -198,13 +198,11 @@ public class StrictServerWebExchangeFirewall implements ServerWebExchangeFirewal
 			exchange.getResponse().beforeCommit(() -> Mono.fromRunnable(() -> {
 				ServerHttpResponse response = exchange.getResponse();
 				HttpHeaders headers = response.getHeaders();
-				for (Map.Entry<String, List<String>> header : headers.entrySet()) {
-					String headerName = header.getKey();
-					List<String> headerValues = header.getValue();
+				headers.forEach((headerName, headerValues) -> {
 					for (String headerValue : headerValues) {
 						validateCrlf(headerName, headerValue);
 					}
-				}
+				});
 			}));
 			return new StrictFirewallServerWebExchange(exchange);
 		});
@@ -767,23 +765,21 @@ public class StrictServerWebExchangeFirewall implements ServerWebExchangeFirewal
 				}
 
 				@Override
-				public List<String> get(Object key) {
-					if (key instanceof String headerName) {
-						validateAllowedHeaderName(headerName);
-					}
-					List<String> headerValues = super.get(key);
+				public List<String> get(String headerName) {
+					validateAllowedHeaderName(headerName);
+					List<String> headerValues = super.get(headerName);
 					if (headerValues == null) {
 						return headerValues;
 					}
 					for (String headerValue : headerValues) {
-						validateAllowedHeaderValue(key, headerValue);
+						validateAllowedHeaderValue(headerName, headerValue);
 					}
 					return headerValues;
 				}
 
 				@Override
-				public Set<String> keySet() {
-					Set<String> headerNames = super.keySet();
+				public Set<String> headerNames() {
+					Set<String> headerNames = super.headerNames();
 					for (String headerName : headerNames) {
 						validateAllowedHeaderName(headerName);
 					}

web/src/main/java/org/springframework/security/web/server/header/StaticServerHttpHeadersWriter.java

@@ -43,8 +43,8 @@ public class StaticServerHttpHeadersWriter implements ServerHttpHeadersWriter {
 		// Note: We need to ensure that the following algorithm compares headers
 		// case insensitively, which should be true of headers.containsKey().
 		boolean containsNoHeadersToAdd = true;
-		for (String headerName : this.headersToAdd.keySet()) {
-			if (headers.containsKey(headerName)) {
+		for (String headerName : this.headersToAdd.headerNames()) {
+			if (headers.containsHeader(headerName)) {
 				containsNoHeadersToAdd = false;
 				break;
 			}

web/src/test/java/org/springframework/security/web/server/firewall/StrictServerWebExchangeFirewallTests.java

@@ -444,7 +444,7 @@ class StrictServerWebExchangeFirewallTests {
 		ServerWebExchange exchange = getFirewalledExchange();
 		HttpHeaders headers = exchange.getRequest().getHeaders();
 		assertThatExceptionOfType(ServerExchangeRejectedException.class)
-			.isThrownBy(() -> headers.keySet().iterator().next());
+			.isThrownBy(() -> headers.headerNames().iterator().next());
 	}
 
 	@Test

web/src/test/java/org/springframework/security/web/server/header/CacheControlServerHttpHeadersWriterTests.java

@@ -42,7 +42,7 @@ public class CacheControlServerHttpHeadersWriterTests {
 	@Test
 	public void writeHeadersWhenCacheHeadersThenWritesAllCacheControl() {
 		this.writer.writeHttpHeaders(this.exchange);
-		assertThat(this.headers).hasSize(3);
+		assertThat(this.headers.headerNames()).hasSize(3);
 		assertThat(this.headers.get(HttpHeaders.CACHE_CONTROL))
 			.containsOnly(CacheControlServerHttpHeadersWriter.CACHE_CONTRTOL_VALUE);
 		assertThat(this.headers.get(HttpHeaders.EXPIRES))
@@ -63,7 +63,7 @@ public class CacheControlServerHttpHeadersWriterTests {
 		String pragma = "1";
 		this.headers.set(HttpHeaders.PRAGMA, pragma);
 		this.writer.writeHttpHeaders(this.exchange);
-		assertThat(this.headers).hasSize(1);
+		assertThat(this.headers.headerNames()).hasSize(1);
 		assertThat(this.headers.get(HttpHeaders.PRAGMA)).containsOnly(pragma);
 	}
 
@@ -72,7 +72,7 @@ public class CacheControlServerHttpHeadersWriterTests {
 		String expires = "1";
 		this.headers.set(HttpHeaders.EXPIRES, expires);
 		this.writer.writeHttpHeaders(this.exchange);
-		assertThat(this.headers).hasSize(1);
+		assertThat(this.headers.headerNames()).hasSize(1);
 		assertThat(this.headers.get(HttpHeaders.EXPIRES)).containsOnly(expires);
 	}
 
@@ -81,7 +81,7 @@ public class CacheControlServerHttpHeadersWriterTests {
 	public void writeHeadersWhenNotModifiedThenNoCacheControlHeaders() {
 		this.exchange.getResponse().setStatusCode(HttpStatus.NOT_MODIFIED);
 		this.writer.writeHttpHeaders(this.exchange);
-		assertThat(this.headers).isEmpty();
+		assertThat(this.headers.headerNames()).isEmpty();
 	}
 
 }

web/src/test/java/org/springframework/security/web/server/header/ContentSecurityPolicyServerHttpHeadersWriterTests.java

@@ -49,7 +49,7 @@ public class ContentSecurityPolicyServerHttpHeadersWriterTests {
 	public void writeHeadersWhenUsingDefaultsThenDoesNotWrite() {
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).isEmpty();
+		assertThat(headers.headerNames()).isEmpty();
 	}
 
 	@Test
@@ -57,7 +57,7 @@ public class ContentSecurityPolicyServerHttpHeadersWriterTests {
 		this.writer.setPolicyDirectives(DEFAULT_POLICY_DIRECTIVES);
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).hasSize(1);
+		assertThat(headers.headerNames()).hasSize(1);
 		assertThat(headers.get(ContentSecurityPolicyServerHttpHeadersWriter.CONTENT_SECURITY_POLICY))
 			.containsOnly(DEFAULT_POLICY_DIRECTIVES);
 	}
@@ -68,7 +68,7 @@ public class ContentSecurityPolicyServerHttpHeadersWriterTests {
 		this.writer.setReportOnly(true);
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).hasSize(1);
+		assertThat(headers.headerNames()).hasSize(1);
 		assertThat(headers.get(ContentSecurityPolicyServerHttpHeadersWriter.CONTENT_SECURITY_POLICY_REPORT_ONLY))
 			.containsOnly(DEFAULT_POLICY_DIRECTIVES);
 	}
@@ -78,7 +78,7 @@ public class ContentSecurityPolicyServerHttpHeadersWriterTests {
 		this.writer.setReportOnly(true);
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).isEmpty();
+		assertThat(headers.headerNames()).isEmpty();
 	}
 
 	@Test
@@ -89,7 +89,7 @@ public class ContentSecurityPolicyServerHttpHeadersWriterTests {
 			.set(ContentSecurityPolicyServerHttpHeadersWriter.CONTENT_SECURITY_POLICY, headerValue);
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).hasSize(1);
+		assertThat(headers.headerNames()).hasSize(1);
 		assertThat(headers.get(ContentSecurityPolicyServerHttpHeadersWriter.CONTENT_SECURITY_POLICY))
 			.containsOnly(headerValue);
 	}

web/src/test/java/org/springframework/security/web/server/header/ContentTypeOptionsServerHttpHeadersWriterTests.java

@@ -41,7 +41,7 @@ class ContentTypeOptionsServerHttpHeadersWriterTests {
 	@Test
 	void writeHeadersWhenNoHeadersThenWriteHeaders() {
 		this.writer.writeHttpHeaders(this.exchange);
-		assertThat(this.headers).hasSize(1);
+		assertThat(this.headers.headerNames()).hasSize(1);
 		assertThat(this.headers.get(ContentTypeOptionsServerHttpHeadersWriter.X_CONTENT_OPTIONS))
 			.containsOnly(ContentTypeOptionsServerHttpHeadersWriter.NOSNIFF);
 	}
@@ -51,7 +51,7 @@ class ContentTypeOptionsServerHttpHeadersWriterTests {
 		String headerValue = "value";
 		this.headers.set(ContentTypeOptionsServerHttpHeadersWriter.X_CONTENT_OPTIONS, headerValue);
 		this.writer.writeHttpHeaders(this.exchange);
-		assertThat(this.headers).hasSize(1);
+		assertThat(this.headers.headerNames()).hasSize(1);
 		assertThat(this.headers.get(ContentTypeOptionsServerHttpHeadersWriter.X_CONTENT_OPTIONS))
 			.containsOnly(headerValue);
 	}

web/src/test/java/org/springframework/security/web/server/header/CrossOriginEmbedderPolicyServerHttpHeadersWriterTests.java

@@ -49,7 +49,7 @@ class CrossOriginEmbedderPolicyServerHttpHeadersWriterTests {
 	void writeHeadersWhenNoValuesThenDoesNotWriteHeaders() {
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).isEmpty();
+		assertThat(headers.headerNames()).isEmpty();
 	}
 
 	@Test
@@ -59,7 +59,7 @@ class CrossOriginEmbedderPolicyServerHttpHeadersWriterTests {
 			.add(CrossOriginEmbedderPolicyServerHttpHeadersWriter.EMBEDDER_POLICY, "require-corp");
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).hasSize(1);
+		assertThat(headers.headerNames()).hasSize(1);
 		assertThat(headers.get(CrossOriginEmbedderPolicyServerHttpHeadersWriter.EMBEDDER_POLICY))
 			.containsOnly("require-corp");
 	}
@@ -69,7 +69,7 @@ class CrossOriginEmbedderPolicyServerHttpHeadersWriterTests {
 		this.writer.setPolicy(CrossOriginEmbedderPolicyServerHttpHeadersWriter.CrossOriginEmbedderPolicy.REQUIRE_CORP);
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).hasSize(1);
+		assertThat(headers.headerNames()).hasSize(1);
 		assertThat(headers.get(CrossOriginEmbedderPolicyServerHttpHeadersWriter.EMBEDDER_POLICY))
 			.containsOnly("require-corp");
 	}

web/src/test/java/org/springframework/security/web/server/header/CrossOriginOpenerPolicyServerHttpHeadersWriterTests.java

@@ -49,7 +49,7 @@ class CrossOriginOpenerPolicyServerHttpHeadersWriterTests {
 	void writeHeadersWhenNoValuesThenDoesNotWriteHeaders() {
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).isEmpty();
+		assertThat(headers.headerNames()).isEmpty();
 	}
 
 	@Test
@@ -59,7 +59,7 @@ class CrossOriginOpenerPolicyServerHttpHeadersWriterTests {
 			.add(CrossOriginOpenerPolicyServerHttpHeadersWriter.OPENER_POLICY, "same-origin");
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).hasSize(1);
+		assertThat(headers.headerNames()).hasSize(1);
 		assertThat(headers.get(CrossOriginOpenerPolicyServerHttpHeadersWriter.OPENER_POLICY))
 			.containsOnly("same-origin");
 	}
@@ -70,7 +70,7 @@ class CrossOriginOpenerPolicyServerHttpHeadersWriterTests {
 			.setPolicy(CrossOriginOpenerPolicyServerHttpHeadersWriter.CrossOriginOpenerPolicy.SAME_ORIGIN_ALLOW_POPUPS);
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).hasSize(1);
+		assertThat(headers.headerNames()).hasSize(1);
 		assertThat(headers.get(CrossOriginOpenerPolicyServerHttpHeadersWriter.OPENER_POLICY))
 			.containsOnly("same-origin-allow-popups");
 	}

web/src/test/java/org/springframework/security/web/server/header/CrossOriginResourcePolicyServerHttpHeadersWriterTests.java

@@ -49,7 +49,7 @@ class CrossOriginResourcePolicyServerHttpHeadersWriterTests {
 	void writeHeadersWhenNoValuesThenDoesNotWriteHeaders() {
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).isEmpty();
+		assertThat(headers.headerNames()).isEmpty();
 	}
 
 	@Test
@@ -59,7 +59,7 @@ class CrossOriginResourcePolicyServerHttpHeadersWriterTests {
 			.add(CrossOriginResourcePolicyServerHttpHeadersWriter.RESOURCE_POLICY, "same-origin");
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).hasSize(1);
+		assertThat(headers.headerNames()).hasSize(1);
 		assertThat(headers.get(CrossOriginResourcePolicyServerHttpHeadersWriter.RESOURCE_POLICY))
 			.containsOnly("same-origin");
 	}
@@ -69,7 +69,7 @@ class CrossOriginResourcePolicyServerHttpHeadersWriterTests {
 		this.writer.setPolicy(CrossOriginResourcePolicyServerHttpHeadersWriter.CrossOriginResourcePolicy.SAME_ORIGIN);
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).hasSize(1);
+		assertThat(headers.headerNames()).hasSize(1);
 		assertThat(headers.get(CrossOriginResourcePolicyServerHttpHeadersWriter.RESOURCE_POLICY))
 			.containsOnly("same-origin");
 	}

web/src/test/java/org/springframework/security/web/server/header/FeaturePolicyServerHttpHeadersWriterTests.java

@@ -49,7 +49,7 @@ public class FeaturePolicyServerHttpHeadersWriterTests {
 	public void writeHeadersWhenUsingDefaultsThenDoesNotWrite() {
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).isEmpty();
+		assertThat(headers.headerNames()).isEmpty();
 	}
 
 	@Test
@@ -57,7 +57,7 @@ public class FeaturePolicyServerHttpHeadersWriterTests {
 		this.writer.setPolicyDirectives(DEFAULT_POLICY_DIRECTIVES);
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).hasSize(1);
+		assertThat(headers.headerNames()).hasSize(1);
 		assertThat(headers.get(FeaturePolicyServerHttpHeadersWriter.FEATURE_POLICY))
 			.containsOnly(DEFAULT_POLICY_DIRECTIVES);
 	}
@@ -69,7 +69,7 @@ public class FeaturePolicyServerHttpHeadersWriterTests {
 		this.exchange.getResponse().getHeaders().set(FeaturePolicyServerHttpHeadersWriter.FEATURE_POLICY, headerValue);
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).hasSize(1);
+		assertThat(headers.headerNames()).hasSize(1);
 		assertThat(headers.get(FeaturePolicyServerHttpHeadersWriter.FEATURE_POLICY)).containsOnly(headerValue);
 	}
 

web/src/test/java/org/springframework/security/web/server/header/PermissionsPolicyServerHttpHeadersWriterTests.java

@@ -49,7 +49,7 @@ public class PermissionsPolicyServerHttpHeadersWriterTests {
 	public void writeHeadersWhenUsingDefaultsThenDoesNotWrite() {
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).isEmpty();
+		assertThat(headers.headerNames()).isEmpty();
 	}
 
 	@Test
@@ -57,7 +57,7 @@ public class PermissionsPolicyServerHttpHeadersWriterTests {
 		this.writer.setPolicy(DEFAULT_POLICY_DIRECTIVES);
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).hasSize(1);
+		assertThat(headers.headerNames()).hasSize(1);
 		assertThat(headers.get(PermissionsPolicyServerHttpHeadersWriter.PERMISSIONS_POLICY))
 			.containsOnly(DEFAULT_POLICY_DIRECTIVES);
 	}
@@ -71,7 +71,7 @@ public class PermissionsPolicyServerHttpHeadersWriterTests {
 			.set(PermissionsPolicyServerHttpHeadersWriter.PERMISSIONS_POLICY, headerValue);
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).hasSize(1);
+		assertThat(headers.headerNames()).hasSize(1);
 		assertThat(headers.get(PermissionsPolicyServerHttpHeadersWriter.PERMISSIONS_POLICY)).containsOnly(headerValue);
 	}
 

web/src/test/java/org/springframework/security/web/server/header/ReferrerPolicyServerHttpHeadersWriterTests.java

@@ -48,7 +48,7 @@ public class ReferrerPolicyServerHttpHeadersWriterTests {
 	public void writeHeadersWhenUsingDefaultsThenDoesNotWrite() {
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).hasSize(1);
+		assertThat(headers.headerNames()).hasSize(1);
 		assertThat(headers.get(ReferrerPolicyServerHttpHeadersWriter.REFERRER_POLICY))
 			.containsOnly(ReferrerPolicy.NO_REFERRER.getPolicy());
 	}
@@ -58,7 +58,7 @@ public class ReferrerPolicyServerHttpHeadersWriterTests {
 		this.writer.setPolicy(ReferrerPolicy.SAME_ORIGIN);
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).hasSize(1);
+		assertThat(headers.headerNames()).hasSize(1);
 		assertThat(headers.get(ReferrerPolicyServerHttpHeadersWriter.REFERRER_POLICY))
 			.containsOnly(ReferrerPolicy.SAME_ORIGIN.getPolicy());
 	}
@@ -71,7 +71,7 @@ public class ReferrerPolicyServerHttpHeadersWriterTests {
 			.set(ReferrerPolicyServerHttpHeadersWriter.REFERRER_POLICY, headerValue);
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).hasSize(1);
+		assertThat(headers.headerNames()).hasSize(1);
 		assertThat(headers.get(ReferrerPolicyServerHttpHeadersWriter.REFERRER_POLICY)).containsOnly(headerValue);
 	}
 

web/src/test/java/org/springframework/security/web/server/header/StaticServerHttpHeadersWriterTests.java

@@ -102,7 +102,7 @@ public class StaticServerHttpHeadersWriterTests {
 			.header(HttpHeaders.EXPIRES, CacheControlServerHttpHeadersWriter.EXPIRES_VALUE)
 			.build();
 		this.writer.writeHttpHeaders(this.exchange);
-		assertThat(this.headers).hasSize(1);
+		assertThat(this.headers.headerNames()).hasSize(1);
 		assertThat(this.headers.get(HttpHeaders.CACHE_CONTROL)).containsOnly(headerValue);
 	}
 

web/src/test/java/org/springframework/security/web/server/header/StrictTransportSecurityServerHttpHeadersWriterTests.java

@@ -17,7 +17,6 @@
 package org.springframework.security.web.server.header;
 
 import java.time.Duration;
-import java.util.Arrays;
 
 import org.junit.jupiter.api.Test;
 
@@ -43,9 +42,10 @@ public class StrictTransportSecurityServerHttpHeadersWriterTests {
 		this.exchange = exchange(MockServerHttpRequest.get("https://example.com/"));
 		this.hsts.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).hasSize(1);
-		assertThat(headers).containsEntry(StrictTransportSecurityServerHttpHeadersWriter.STRICT_TRANSPORT_SECURITY,
-				Arrays.asList("max-age=31536000 ; includeSubDomains"));
+		assertThat(headers.headerNames()).hasSize(1);
+		assertThat(headers.containsHeaderValue(StrictTransportSecurityServerHttpHeadersWriter.STRICT_TRANSPORT_SECURITY,
+				"max-age=31536000 ; includeSubDomains"))
+			.isTrue();
 	}
 
 	@Test
@@ -55,9 +55,9 @@ public class StrictTransportSecurityServerHttpHeadersWriterTests {
 		this.exchange = exchange(MockServerHttpRequest.get("https://example.com/"));
 		this.hsts.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).hasSize(1);
-		assertThat(headers).containsEntry(StrictTransportSecurityServerHttpHeadersWriter.STRICT_TRANSPORT_SECURITY,
-				Arrays.asList("max-age=" + maxAge.getSeconds() + " ; includeSubDomains"));
+		assertThat(headers.headerNames()).hasSize(1);
+		assertThat(headers.containsHeaderValue(StrictTransportSecurityServerHttpHeadersWriter.STRICT_TRANSPORT_SECURITY,
+				"max-age=" + maxAge.getSeconds() + " ; includeSubDomains"));
 	}
 
 	@Test
@@ -66,9 +66,9 @@ public class StrictTransportSecurityServerHttpHeadersWriterTests {
 		this.exchange = exchange(MockServerHttpRequest.get("https://example.com/"));
 		this.hsts.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).hasSize(1);
-		assertThat(headers).containsEntry(StrictTransportSecurityServerHttpHeadersWriter.STRICT_TRANSPORT_SECURITY,
-				Arrays.asList("max-age=31536000"));
+		assertThat(headers.headerNames()).hasSize(1);
+		assertThat(headers.containsHeaderValue(StrictTransportSecurityServerHttpHeadersWriter.STRICT_TRANSPORT_SECURITY,
+				"max-age=31536000"));
 	}
 
 	@Test
@@ -76,7 +76,7 @@ public class StrictTransportSecurityServerHttpHeadersWriterTests {
 		this.exchange = exchange(MockServerHttpRequest.get("/"));
 		this.hsts.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).isEmpty();
+		assertThat(headers.headerNames()).isEmpty();
 	}
 
 	@Test
@@ -84,7 +84,7 @@ public class StrictTransportSecurityServerHttpHeadersWriterTests {
 		this.exchange = exchange(MockServerHttpRequest.get("http://localhost/"));
 		this.hsts.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).isEmpty();
+		assertThat(headers.headerNames()).isEmpty();
 	}
 
 	private static MockServerWebExchange exchange(MockServerHttpRequest.BaseBuilder<?> request) {

web/src/test/java/org/springframework/security/web/server/header/XContentTypeOptionsServerHttpHeadersWriterTests.java

@@ -42,7 +42,7 @@ public class XContentTypeOptionsServerHttpHeadersWriterTests {
 	@Test
 	public void writeHeadersWhenNoHeadersThenWriteHeadersForXContentTypeOptionsServerHttpHeadersWriter() {
 		this.writer.writeHttpHeaders(this.exchange);
-		assertThat(this.headers).hasSize(1);
+		assertThat(this.headers.headerNames()).hasSize(1);
 		assertThat(this.headers.get(XContentTypeOptionsServerHttpHeadersWriter.X_CONTENT_OPTIONS))
 			.containsOnly(XContentTypeOptionsServerHttpHeadersWriter.NOSNIFF);
 	}
@@ -52,7 +52,7 @@ public class XContentTypeOptionsServerHttpHeadersWriterTests {
 		String headerValue = "value";
 		this.headers.set(XContentTypeOptionsServerHttpHeadersWriter.X_CONTENT_OPTIONS, headerValue);
 		this.writer.writeHttpHeaders(this.exchange);
-		assertThat(this.headers).hasSize(1);
+		assertThat(this.headers.headerNames()).hasSize(1);
 		assertThat(this.headers.get(XContentTypeOptionsServerHttpHeadersWriter.X_CONTENT_OPTIONS))
 			.containsOnly(headerValue);
 	}

web/src/test/java/org/springframework/security/web/server/header/XFrameOptionsServerHttpHeadersWriterTests.java

@@ -45,7 +45,7 @@ public class XFrameOptionsServerHttpHeadersWriterTests {
 	public void writeHeadersWhenUsingDefaultsThenWritesDeny() {
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).hasSize(1);
+		assertThat(headers.headerNames()).hasSize(1);
 		assertThat(headers.get(XFrameOptionsServerHttpHeadersWriter.X_FRAME_OPTIONS)).containsOnly("DENY");
 	}
 
@@ -54,7 +54,7 @@ public class XFrameOptionsServerHttpHeadersWriterTests {
 		this.writer.setMode(XFrameOptionsServerHttpHeadersWriter.Mode.DENY);
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).hasSize(1);
+		assertThat(headers.headerNames()).hasSize(1);
 		assertThat(headers.get(XFrameOptionsServerHttpHeadersWriter.X_FRAME_OPTIONS)).containsOnly("DENY");
 	}
 
@@ -63,7 +63,7 @@ public class XFrameOptionsServerHttpHeadersWriterTests {
 		this.writer.setMode(XFrameOptionsServerHttpHeadersWriter.Mode.SAMEORIGIN);
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).hasSize(1);
+		assertThat(headers.headerNames()).hasSize(1);
 		assertThat(headers.get(XFrameOptionsServerHttpHeadersWriter.X_FRAME_OPTIONS)).containsOnly("SAMEORIGIN");
 	}
 
@@ -73,7 +73,7 @@ public class XFrameOptionsServerHttpHeadersWriterTests {
 		this.exchange.getResponse().getHeaders().set(XFrameOptionsServerHttpHeadersWriter.X_FRAME_OPTIONS, headerValue);
 		this.writer.writeHttpHeaders(this.exchange);
 		HttpHeaders headers = this.exchange.getResponse().getHeaders();
-		assertThat(headers).hasSize(1);
+		assertThat(headers.headerNames()).hasSize(1);
 		assertThat(headers.get(XFrameOptionsServerHttpHeadersWriter.X_FRAME_OPTIONS)).containsOnly(headerValue);
 	}
 

web/src/test/java/org/springframework/security/web/server/header/XXssProtectionServerHttpHeadersWriterTests.java

@@ -47,7 +47,7 @@ public class XXssProtectionServerHttpHeadersWriterTests {
 	@Test
 	public void writeHeadersWhenNoHeadersThenWriteHeaders() {
 		this.writer.writeHttpHeaders(this.exchange);
-		assertThat(this.headers).hasSize(1);
+		assertThat(this.headers.headerNames()).hasSize(1);
 		assertThat(this.headers.get(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION)).containsOnly("0");
 	}
 
@@ -56,7 +56,7 @@ public class XXssProtectionServerHttpHeadersWriterTests {
 		String headerValue = "value";
 		this.headers.set(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION, headerValue);
 		this.writer.writeHttpHeaders(this.exchange);
-		assertThat(this.headers).hasSize(1);
+		assertThat(this.headers.headerNames()).hasSize(1);
 		assertThat(this.headers.get(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION)).containsOnly(headerValue);
 	}
 
@@ -64,7 +64,7 @@ public class XXssProtectionServerHttpHeadersWriterTests {
 	void writeHeadersWhenDisabledThenWriteHeaders() {
 		this.writer.setHeaderValue(XXssProtectionServerHttpHeadersWriter.HeaderValue.DISABLED);
 		this.writer.writeHttpHeaders(this.exchange);
-		assertThat(this.headers).hasSize(1);
+		assertThat(this.headers.headerNames()).hasSize(1);
 		assertThat(this.headers.get(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION)).containsOnly("0");
 	}
 
@@ -72,7 +72,7 @@ public class XXssProtectionServerHttpHeadersWriterTests {
 	void writeHeadersWhenEnabledThenWriteHeaders() {
 		this.writer.setHeaderValue(XXssProtectionServerHttpHeadersWriter.HeaderValue.ENABLED);
 		this.writer.writeHttpHeaders(this.exchange);
-		assertThat(this.headers).hasSize(1);
+		assertThat(this.headers.headerNames()).hasSize(1);
 		assertThat(this.headers.get(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION)).containsOnly("1");
 	}
 
@@ -80,7 +80,7 @@ public class XXssProtectionServerHttpHeadersWriterTests {
 	void writeHeadersWhenEnabledModeBlockThenWriteHeaders() {
 		this.writer.setHeaderValue(XXssProtectionServerHttpHeadersWriter.HeaderValue.ENABLED_MODE_BLOCK);
 		this.writer.writeHttpHeaders(this.exchange);
-		assertThat(this.headers).hasSize(1);
+		assertThat(this.headers.headerNames()).hasSize(1);
 		assertThat(this.headers.get(XXssProtectionServerHttpHeadersWriter.X_XSS_PROTECTION))
 			.containsOnly("1; mode=block");
 	}