How to disable 'X-Frame-Options' response header in Spring Security?
If you're using Java configs instead of XML configs, put this in your WebSecurityConfigurerAdapter.configure(HttpSecurity http) method:
http.headers().frameOptions().disable();
By default X-Frame-Options is set to DENY, to prevent clickjacking attacks. To override this, you can add the following to your Spring Security config:
<http>
    <headers>
        <frame-options policy="SAMEORIGIN"/>
    </headers>
</http>
Here are the available options for policy:
- DENY - the default value. With this the page cannot be displayed in a frame, regardless of the site attempting to do so.
- SAMEORIGIN - I assume this is what you are looking for, so that the page will be (and can be) displayed in a frame on the same origin as the page itself.
- ALLOW-FROM - allows you to specify an origin where the page can be displayed in a frame.
For more information, take a look here.
And here to check how you can configure the headers using either XML or Java configs.
Note that you might also need to specify an appropriate strategy, based on your needs.
Most likely you don't want to deactivate this header completely, but use SAMEORIGIN. If you are using the Java configs (Spring Boot) and would like to allow X-Frame-Options: SAMEORIGIN, then you would need to use the following.
For older Spring Security versions:
http.headers().addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN));
For newer versions like Spring Security 4.0.2:
http.headers().frameOptions().sameOrigin();
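The following is an added example, not code from any of the answers above. It puts the policies discussed on this page (DENY, SAMEORIGIN, ALLOW-FROM with an explicit AllowFromStrategy, and disabling the header outright) into one configuration class, using the lambda DSL and the SecurityFilterChain bean style of Spring Security 5.7 and later, where WebSecurityConfigurerAdapter is deprecated (it is removed in Spring Security 6). The FramePolicy enum, the FRAME_POLICY constant, the class and package names, and the origin https://partner.example are assumptions chosen for illustration. One caveat a practitioner should know: current browsers do not honour ALLOW-FROM, so the ALLOW_FROM branch also emits a Content-Security-Policy frame-ancestors directive, which they do honour.

```java
package com.example.security; // assumed package name, not from the original page

import java.net.URI;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.XFrameOptionsHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.StaticAllowFromStrategy;

/**
 * Added example: selects one of the X-Frame-Options policies described in the
 * answers above. FramePolicy, FRAME_POLICY and the partner origin are
 * assumptions for illustration only.
 */
@Configuration
@EnableWebSecurity
public class FrameOptionsConfig {

    /** Hypothetical toggle so that one class can show every option. */
    enum FramePolicy { DENY, SAMEORIGIN, ALLOW_FROM, DISABLED }

    /** SAMEORIGIN is the setting most applications actually want. */
    private static final FramePolicy FRAME_POLICY = FramePolicy.SAMEORIGIN;

    /** Assumed third-party origin that is allowed to frame us in the ALLOW_FROM case. */
    private static final String PARTNER_ORIGIN = "https://partner.example";

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.headers(headers -> {
            switch (FRAME_POLICY) {
                case DENY:
                    // Spring Security's default: the response may never be framed.
                    headers.frameOptions(frame -> frame.deny());
                    break;
                case SAMEORIGIN:
                    // Lambda-DSL equivalent of http.headers().frameOptions().sameOrigin():
                    // framing is allowed only from the page's own origin.
                    headers.frameOptions(frame -> frame.sameOrigin());
                    break;
                case ALLOW_FROM:
                    // The default writer must be disabled first, otherwise both the
                    // default DENY writer and the custom writer set X-Frame-Options.
                    headers.frameOptions(frame -> frame.disable());
                    // ALLOW-FROM requires an AllowFromStrategy; the static strategy
                    // returns the same origin for every request.
                    headers.addHeaderWriter(new XFrameOptionsHeaderWriter(
                            new StaticAllowFromStrategy(URI.create(PARTNER_ORIGIN))));
                    // Modern browsers ignore ALLOW-FROM, so also send the CSP
                    // directive that they do enforce.
                    headers.contentSecurityPolicy(csp ->
                            csp.policyDirectives("frame-ancestors " + PARTNER_ORIGIN));
                    break;
                case DISABLED:
                    // Removes the header entirely: any site can then frame the page,
                    // so only do this when clickjacking is mitigated some other way.
                    headers.frameOptions(frame -> frame.disable());
                    break;
            }
        });
        return http.build();
    }
}
```

To check the effect, request any page from the running application with curl -I and look at the X-Frame-Options (and, in the ALLOW_FROM case, Content-Security-Policy) response headers; with the DISABLED branch active no X-Frame-Options header should appear at all.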