Menu
How do I set X-Frame-Options response header with a value of allow-from using spring java config?
http.headers().disable()
.addHeaderWriter(new XFrameOptionsHeaderWriter(
new WhiteListedAllowFromStrategy(
Arrays.asList("https://example1.com", "https://example2.com"))));
In Http Response headers I get:
X-Frame-Options:"ALLOW-FROM DENY".
Why aren't my origins listed in the header value?
626
Double-click the HTTP Response Headers icon in the feature list in the middle. In the Actions pane on the right side, click Add. In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field. Click OK to save your changes.
Allowing all domains is the default. Don't set the X-Frame-Options header at all if you want that. Note that the successor to X-Frame-Options — CSP's frame-ancestors directive — accepts a list of allowed origins so you can easily allow some origins instead of none, one or all. ALLOWALL is the default value.
http .headers(headers -> headers .frameOptions(frameOptions -> frameOptions .sameOrigin() ) ) This tells the browser that the page can only be displayed in a frame on the same origin as the page itself.
I ended up adding my headers statically like below:
http
.headers().frameOptions().disable()
.addHeaderWriter(new StaticHeadersWriter("X-FRAME-OPTIONS", "ALLOW-FROM example1.com"));
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With