Reputation: 558
How do I set X-Frame-Options response header with a value of allow-from using spring java config?
    http.headers().disable()
        .addHeaderWriter(new XFrameOptionsHeaderWriter(
            new WhiteListedAllowFromStrategy(
                Arrays.asList("https://example1.com", "https://example2.com"))));
In Http Response headers I get:
X-Frame-Options:"ALLOW-FROM DENY".
Why aren't my origins listed in the header value?
Upvotes: 11
Views: 31148
Reputation: 21
You can use X-Content-Security-Policy and Content-Security-Policy instead of X-Frame-Options which give much more flexibility to allow iframe access to multiple domains with wildcard.
Here is an example -
    // frame-ancestors needs the quoted keyword 'self'; an unquoted self is read as a host name
    http.csrf().disable()
        .headers().addHeaderWriter(new StaticHeadersWriter(
            "X-Content-Security-Policy",
            "frame-ancestors 'self' *.domain1.com *.domain2.com"))
        .and()
        .headers().addHeaderWriter(new StaticHeadersWriter(
            "Content-Security-Policy",
            "frame-ancestors 'self' *.domain1.com *.domain2.com"))
X-Frame-Options value will be discarded.
Upvotes: 2
Reputation: 21
You can allow multiple URLs as follows, but I don't know whether this is the proper way or not; still, it works properly.
    public void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity.csrf().disable().authorizeRequests().anyRequest().permitAll()
            .and()
            .headers().defaultsDisabled()
            .and()
            .cors()
            .and()
            .headers()
                .cacheControl()
                .and()
                .contentTypeOptions()
                .and()
                .httpStrictTransportSecurity().disable()
            .and()
            .headers()
                .frameOptions().disable()
                .addHeaderWriter(new StaticHeadersWriter("X-FRAME-OPTIONS",
                    "ALLOW-FROM example1.com",
                    "ALLOW-FROM example2.com",
                    "ALLOW-FROM example3.com",
                    "ALLOW-FROM example4.com",
                    "ALLOW-FROM example5.com"));
    }
Upvotes: 0
Reputation: 16760
Here is the code snippet for security config that worked for me in Spring Boot 2.3:
    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .headers()
                    .frameOptions()
                        .disable()
                    .addHeaderWriter(new XFrameOptionsHeaderWriter(new StaticAllowFromStrategy(URI.create("example.com"))))
            ...
Upvotes: 0
Reputation: 558
I ended up adding my headers statically like below:
    http
        .headers().frameOptions().disable()
        .addHeaderWriter(new StaticHeadersWriter("X-FRAME-OPTIONS", "ALLOW-FROM example1.com"));
Upvotes: 7
Reputation: 1
I was looking for the same and didn't find an answer. No matter how I tried to configure it, the header was always incorrect.
My workaround for that is to use the delegating header writer from the Spring framework docs.
Thanks to that I built logic to always set SAMEORIGIN, excluding a whitelist:
    // whiteLists is a List<RequestMatcher> (e.g. AntPathRequestMatchers) for the paths that may be framed
    new DelegatingRequestMatcherHeaderWriter(
        new NegatedRequestMatcher(
            new OrRequestMatcher(
                whiteLists
            )
        ),
        new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN));
The logic behind that: if any whitelist matcher matches, don't add the header; otherwise add the header with the SAMEORIGIN value.
I think it's worth considering because AFAIK not all browsers support ALLOW-FROM.
Upvotes: 0
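Putting the CSP frame-ancestors approach from the earlier answer together with the delegating header writer from this one, as an added example that is not code from any of the posts: paths under /embed/** and /widget/** get a CSP that lists the allowed partner origins, everything else gets SAMEORIGIN plus frame-ancestors 'self'. The embeddable paths and partner origins are hypothetical.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
import org.springframework.security.web.header.writers.XFrameOptionsHeaderWriter;
import org.springframework.security.web.header.writers.XFrameOptionsHeaderWriter.XFrameOptionsMode;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
@EnableWebSecurity
public class FramingHeadersConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical: only these paths are meant to be embedded by partner sites.
    private static final List<RequestMatcher> EMBEDDABLE = Arrays.asList(
            new AntPathRequestMatcher("/embed/**"),
            new AntPathRequestMatcher("/widget/**"));

    // Hypothetical partner origins. CSP wants full origins and the quoted keyword 'self'.
    private static final String PARTNER_FRAME_ANCESTORS =
            "frame-ancestors 'self' https://example1.com https://example2.com";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        RequestMatcher embeddable = new OrRequestMatcher(EMBEDDABLE);
        RequestMatcher everythingElse = new NegatedRequestMatcher(embeddable);

        http.headers()
            // Switch off the default X-Frame-Options: DENY so the writers below decide per request.
            .frameOptions().disable()
            // Embeddable paths: one CSP header can list several origins, whereas ALLOW-FROM
            // carries a single origin and is not honoured by most current browsers.
            .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(embeddable,
                    new StaticHeadersWriter("Content-Security-Policy", PARTNER_FRAME_ANCESTORS)))
            // Everything else: same-origin framing only, expressed both ways so that
            // browsers without frame-ancestors support still enforce it.
            .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(everythingElse,
                    new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN)))
            .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(everythingElse,
                    new StaticHeadersWriter("Content-Security-Policy", "frame-ancestors 'self'")));
    }
}
```

A quick check after deploying: a request to /embed/x should carry only the partner CSP, while a request to / should carry both X-Frame-Options: SAMEORIGIN and frame-ancestors 'self'.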