How do I set the X-Frame-Options response header to allow-from value(s) using Spring Java config?

How do I set the X-Frame-Options response header with a value of allow-from using Spring Java config?

import java.util.Arrays;
import org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;

// Disable only the default frame-options writer (headers().disable() returns HttpSecurity,
// which has no addHeaderWriter), then register a writer backed by the whitelist strategy.
http.headers().frameOptions().disable()
    .addHeaderWriter(new XFrameOptionsHeaderWriter(
        new WhiteListedAllowFromStrategy(
            Arrays.asList("https://example1.com", "https://example2.com"))));

In Http Response headers I get:

X-Frame-Options:"ALLOW-FROM DENY".

Why aren't my origins listed in the header value?

Kamal Joshi asked Oct 01 '15 21:10


1 Answer

I ended up adding my headers statically like below:

import org.springframework.security.web.header.writers.StaticHeadersWriter;

// Drop the default X-Frame-Options writer and emit a fixed header value instead.
http
    .headers().frameOptions().disable()
    .addHeaderWriter(new StaticHeadersWriter("X-FRAME-OPTIONS", "ALLOW-FROM example1.com"));
Kamal Joshi answered Sep 16 '22 12:09
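The configuration below is an added example, not code from the question or the answer. It assumes the Spring Security 4.x/5.x Java-config style of the time (a WebSecurityConfigurerAdapter subclass); the class name FrameOptionsConfig and the origin list are constructed for illustration. It shows why the first attempt produced "ALLOW-FROM DENY": WhiteListedAllowFromStrategy does not emit the whitelist itself but resolves the framing origin from a request parameter (named "from" by default) and returns DENY when that parameter is missing or not in the list; the header writer then prefixes the result with ALLOW-FROM. The example also adds the CSP frame-ancestors directive beside it, which is the control current browsers honour and which takes precedence over X-Frame-Options when both headers are present.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.frameoptions.WhiteListedAllowFromStrategy;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;

// Added example; class name and origins are constructed, not from the original post.
@Configuration
@EnableWebSecurity
public class FrameOptionsConfig extends WebSecurityConfigurerAdapter {

    // Origins permitted to frame this application (constructed sample values).
    private static final java.util.List<String> FRAMING_ORIGINS =
            Arrays.asList("https://example1.com", "https://example2.com");

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // The strategy looks up the candidate origin in a request parameter and
        // answers with that origin if whitelisted, otherwise with DENY. A request
        // without ?from=https://example1.com therefore never gets the whitelist.
        WhiteListedAllowFromStrategy allowFrom = new WhiteListedAllowFromStrategy(FRAMING_ORIGINS);
        allowFrom.setAllowFromParameterName("from"); // "from" is already the default

        http
            .headers()
                // Remove the default writer, which would otherwise emit DENY on every response.
                .frameOptions().disable()
                // Per-request ALLOW-FROM <origin> or DENY, as described above.
                .addHeaderWriter(new XFrameOptionsHeaderWriter(allowFrom))
                // Interoperable replacement: one header listing every permitted framing origin.
                .contentSecurityPolicy("frame-ancestors " + String.join(" ", FRAMING_ORIGINS));
    }
}
```

With this in place, a request such as GET /page?from=https://example1.com receives "X-Frame-Options: ALLOW-FROM https://example1.com", while a request with no "from" parameter, or one naming an origin outside the list, receives DENY (older releases wrote that as "ALLOW-FROM DENY", which is consistent with what the question observed). Note that ALLOW-FROM was only ever implemented by Firefox and legacy Internet Explorer/Edge and is now obsolete, so relying on it alone leaves Chrome- and Safari-based browsers with no effective framing restriction; the frame-ancestors directive covers all current browsers and can list several origins, which X-Frame-Options never could.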