Dev G
Reputation: 1407
ClickJacking Filter to add X-FRAME-OPTIONS in response
In order to tackle clickJacking and blocking my site to be opened by iframe I have created a servlet filter in which I am adding below line to add "X-FRAME-OPTIONS" response header. But when I run page and see response headers of that page I never get this header in there. Any Idea why?
public void doFilter(
ServletRequest request, ServletResponse response, FilterChain chain
) throws IOException, ServletException
{
HttpServletResponse res = (HttpServletResponse)response;
chain.doFilter(request, response);
//Specify the mode
res.addHeader("X-FRAME-OPTIONS", "DENY");
}
Upvotes: 8
Views: 20891
Answers (1)
Devon_C_Miller
Reputation: 16518
You need to add the header before calling doFilter. By the time control returns from doFilter the headers and body have already been sent, so your addHeader is ignored.
Upvotes: 16
Related Questions
- X-Frame-Options on Apache
- enable X-Frame-Options header in spring-boot application (without spring security)
- Not able to set X-Frame option in servlet response from Spring controller
- tomcat X-Frame-Options or antiClickJackingEnabled
- X-Frame-Options are not working correct for me
- Respect X-Frame-Options with HTTP redirect
- Adding an HTTP Header to the request in a servlet filter
- How to configure JBOSS 5 to include an X-Frame-options header?
- How to prevent frame injection (clickjacking) in java application?
- Modify the filter chain - Or select servlet to respond to request using filter