How to disable 'X-Frame-Options' response header in Spring Security?
By default X-Frame-Options
is set to denied, to prevent clickjacking attacks. To override this, you can add the following into your spring security config
<http>
<headers>
<frame-options policy="SAMEORIGIN"/>
</headers>
</http>
Here are available options for policy
- DENY - is a default value. With this the page cannot be displayed in a frame, regardless of the site attempting to do so.
- SAMEORIGIN - I assume this is what you are looking for, so that the page will be (and can be) displayed in a frame on the same origin as the page itself
- ALLOW-FROM - Allows you to specify an origin, where the page can be displayed in a frame.
For more information take a look here.
And here to check how you can configure the headers using either XML or Java configs.
Note, that you might need also to specify appropriate strategy
, based on needs.
If you're using Java configs instead of XML configs, put this in your WebSecurityConfigurerAdapter.configure(HttpSecurity http)
method:
http.headers().frameOptions().disable();