stackoom
  简体   繁体   中英

X-Frame-Options: DENY works only on backend port endpoints

 原文  2022-11-23 14:37:38       java/ reactjs/ spring-security/ x-frame-options/ clickjacking

Question

So since i'm working on spring security i've setted the headers.frameOptions to DENY, when i try this by putting my backend endpoint in an iframe which is localhost:8080 here , everything is working perfectly fine, the thing is, when i put the frontend localhost:3000 in iframe, nothing happens and the application is displayed in the iframe. i'm thinking that the headers configuration i'm doing are applying only on APIs and not at the start of the application

at the start of the application as you can see there is no configuration: X-Frame-Options: DENY Here after i send an API

here is the function

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.headers()
            .httpStrictTransportSecurity()
            .maxAgeInSeconds(31536000)
            .includeSubDomains(true);

    http.headers()
            .contentTypeOptions();
    http.cors().and()
            .headers()
            .xssProtection()
            .and()
            .contentSecurityPolicy("script-src 'self'")
            .and()
            .httpStrictTransportSecurity().includeSubDomains(true).maxAgeInSeconds(31536000)
            .and()
            .contentSecurityPolicy("frame-ancestors 'none'")
            .and()
            .frameOptions()
            .deny()
            .and()
            .csrf()
            .disable()
            .formLogin().defaultSuccessUrl("/swagger-ui.html", true).and()
            .authorizeRequests().antMatchers(AUTH_LIST).authenticated()
            .antMatchers("/actuator/**").access("hasAnyRole('ADMIN') and hasIpAddress('127.0.0.1')")
            .anyRequest().permitAll()
            .and().httpBasic();
}

1 answers

solution1
 0 ACCPTED  2023-01-18 14:23:35

I finally resolved this issue by configuring the frontend web.xml file by following this if u're using nginx as a server you can add:

Header always set X-Frame-Options "SAMEORIGIN"

if you're using any other server u can check mdn ,

to conclude, if you're working on a full stack application you have to configure the server configuration file otherwise spring security won't prevent you from clickjacking.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Spring Boot Actuator adding X-Frame-Options = DENY to all endpoints (particularly error endpoint) Devtool refuses to display “My uri” in a frame because it set 'X-Frame-Options' to 'DENY' Refused to display ' in a frame because it set 'X-Frame-Options' to 'DENY'. at loading jsp by jquery X-Frame-Options are not working correct for me Payara Micro: turn off X-Frame-Options header How to disable 'X-Frame-Options' response header in Spring Security? X-Frame-Options Header Not Set in Apache Tomcat 8.5.9 ClickJacking Filter to add X-FRAME-OPTIONS in response Android(4.4+) WebView ignore x-frame-options Error message : load denied X-Frame-Options
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM