How to disable 'X-Frame-Options' response header in Spring Security?

Question

I have CKeditor on my jsp and whenever I upload something, the following error pops out:

 Refused to display 'http://localhost:8080/xxx/xxx/upload-image?CKEditor=text&CKEditorFuncNum=1&langCode=ru' in a frame because it set 'X-Frame-Options' to 'DENY'.

I have tried removing Spring Security and everything works like a charm. How can I disable this in spring security xml file? What should I write between <http> tags

Answer 1

By default X-Frame-Options is set to denied, to prevent clickjacking attacks. To override this, you can add the following into your spring security config

<http>    
    <headers>
        <frame-options policy="SAMEORIGIN"/>
    </headers>
</http>

Here are available options for policy

• DENY - is a default value. With this the page cannot be displayed in a frame, regardless of the site attempting to do so.
• SAMEORIGIN - I assume this is what you are looking for, so that the page will be (and can be) displayed in a frame on the same origin as the page itself
• ALLOW-FROM - Allows you to specify an origin, where the page can be displayed in a frame.

For more information take a look here .

And here to check how you can configure the headers using either XML or Java configs.

Note, that you might need also to specify appropriate strategy , based on needs.

Answer 2

如果您使用 Java 配置而不是 XML 配置，请将其放入您的WebSecurityConfigurerAdapter.configure(HttpSecurity http)方法中：

http.headers().frameOptions().disable();

Answer 3

Most likely you don't want to deactivate this Header completely, but use SAMEORIGIN . If you are using the Java Configs ( Spring Boot ) and would like to allow the X-Frame-Options: SAMEORIGIN , then you would need to use the following.

---

For older Spring Security versions:

http
   .headers()
       .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))

---

For newer versions like Spring Security 4.0.2 :

http
   .headers()
      .frameOptions()
         .sameOrigin();

Answer 4

If using XML configuration you can use

<beans xmlns="http://www.springframework.org/schema/beans" 
       xmlns:security="http://www.springframework.org/schema/security"> 
<security:http>
    <security:headers>
         <security:frame-options disabled="true"></security:frame-options>
    </security:headers>
</security:http>
</beans>

Answer 5

If you are using Spring Security's Java configuration, all of the default security headers are added by default. They can be disabled using the Java configuration below:

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends
   WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .headers().disable()
      ...;
  }
}

Answer 6

If you're using Spring Boot, the simplest way to disable the Spring Security default headers is to use security.headers.* properties. In particular, if you want to disable the X-Frame-Options default header, just add the following to your application.properties :

security.headers.frame=false

There is also security.headers.cache , security.headers.content-type , security.headers.hsts and security.headers.xss properties that you can use. For more information, take a look at SecurityProperties .

Answer 7

You should configure multiple HttpSecurity instances.

Here is my code where only /public/ ** requests are without X-Frame-Options header.

@Configuration
public class SecurityConfig {

/**
 * Public part - Embeddable Web Plugin
 */

@Configuration
@Order(1)
public static class EmbeddableWebPluginSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
    protected void configure(HttpSecurity http) throws Exception {
        // Disable X-Frame-Option Header
        http.antMatcher("/public/**").headers().frameOptions().disable();
    }
}

/**
 * Private part - Web App Paths
 */

@Configuration
@EnableOAuth2Sso
public static class SSOWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http
                .csrf().disable()
                .antMatcher("/**")
                .authorizeRequests()
                .antMatchers("/public/**", "/", "/login**", "/webjars/**", "/error**", "/static/**", "/robots", "/robot", "/robot.txt", "/robots.txt")
                .permitAll()
                .anyRequest()
                .authenticated()
                .and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/bye");
    }

    /**
     * Public API endpoints
     */

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/api/**");
    }
  }
}

Answer 8

.csrf().disable() its to dangerous.

test:

.headers().frameOptions().sameOrigin()