115

I have CKEditor on my JSP page, and whenever I upload something, the following error pops up:

 Refused to display 'http://localhost:8080/xxx/xxx/upload-image?CKEditor=text&CKEditorFuncNum=1&langCode=ru' in a frame because it set 'X-Frame-Options' to 'DENY'.

I have tried removing Spring Security and everything works like a charm.

  • How can I disable this in Spring Security XML file?
  • What should I write between <http> tags?
informatik01
Bravo
  • None of the answers below yet address whether it's possible to apply SAMEORIGIN or ALLOW at the controller method level - anyone know? – Black Oct 12 '18 at 00:14

8 Answers

137

If you're using Java configs instead of XML configs, put this in your WebSecurityConfigurerAdapter.configure(HttpSecurity http) method:

http.headers().frameOptions().disable();
Madbreaks
fivedogit
126

By default, X-Frame-Options is set to DENY to prevent clickjacking attacks. To override this, you can add the following to your Spring Security config:

<http>    
    <headers>
        <frame-options policy="SAMEORIGIN"/>
    </headers>
</http>

Here are the available options for policy:

  • DENY - the default value. With this the page cannot be displayed in a frame, regardless of the site attempting to do so.
  • SAMEORIGIN - I assume this is what you are looking for, so that the page will be (and can be) displayed in a frame on the same origin as the page itself.
  • ALLOW-FROM - allows you to specify an origin where the page can be displayed in a frame.

For more information take a look here.

And here to check how you can configure the headers using either XML or Java configs.

Note that you might also need to specify an appropriate strategy, based on your needs.

jakber
vtor
  • What is the namespace for these `http` and `headers` tags? – Pasupathi Rajamanickam Sep 22 '15 at 11:48
  • Is it possible to apply this at the controller method level? – mad_fox Mar 16 '17 at 20:43
  • If you need to configure it within WebSecurityConfigurerAdapter's configure method, write the following code: `http.headers().frameOptions().sameOrigin();` – joninx May 24 '17 at 10:00
  • @vtor I use Spring 3.1 and this is not supported, any workaround you might suggest? – Spring Aug 22 '17 at 11:23
  • @Spring https://docs.spring.io/spring-security/site/docs/current/reference/html/headers.html#headers-frame-options it is supported. Could you please share what you have tried and didn't work? – vtor Sep 21 '17 at 16:29
  • When I have applied X-Frame-Options in the Spring Security XML, it is set on all response headers except for the login page. I wonder what went wrong?! – arunken Oct 05 '21 at 09:46
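An added example, not part of the answer above: the Java-config equivalent of the XML policy above, which keeps the page frameable only by its own origin (enough for a CKEditor iframe served from the same host as the upload handler). Since the ALLOW-FROM directive listed above is deprecated and ignored by current browsers, the example also shows the Content-Security-Policy `frame-ancestors` directive, which is the standards-track replacement when one specific external origin must be allowed to frame the page. The class name, the external origin `https://cms.example.com` and the use of `WebSecurityConfigurerAdapter` (Spring Security 4.1 through 5.x) are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Clickjacking protection that is relaxed from DENY to SAMEORIGIN instead of switched off.
 * Assumed class name; the origin below is a placeholder for illustration.
 */
@Configuration
@EnableWebSecurity
public class FrameOptionsConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .headers()
                // X-Frame-Options: SAMEORIGIN
                // Only pages on this origin may put the response in a frame. Third-party
                // sites still get DENY behaviour, so the clickjacking protection stays intact.
                .frameOptions().sameOrigin()
                // Content-Security-Policy: frame-ancestors ...
                // Modern replacement for ALLOW-FROM. Browsers that understand frame-ancestors
                // enforce it and ignore X-Frame-Options; older browsers fall back to the
                // header above. Drop the external origin if only same-origin framing is needed.
                .contentSecurityPolicy("frame-ancestors 'self' https://cms.example.com");
    }
}
```

Relaxing to SAMEORIGIN is only as safe as the rest of the origin: any same-origin page that an attacker can influence (for example user-supplied HTML that is not sanitised) can now frame the protected page, so prefer SAMEORIGIN over disabling the header entirely, and prefer the narrowest `frame-ancestors` list you can.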
73

Most likely you don't want to deactivate this header completely, but use SAMEORIGIN. If you are using the Java configs (Spring Boot) and would like to allow X-Frame-Options: SAMEORIGIN, then you would need to use the following.


For older Spring Security versions:

http
    .headers()
        // Explicit header writer; SAMEORIGIN replaces the default DENY
        .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN));

For newer versions like Spring Security 4.0.2:

http
    .headers()
        .frameOptions()
            .sameOrigin();
kamwo
22

If using XML configuration you can use

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security">
    <security:http>
        <security:headers>
            <security:frame-options disabled="true"></security:frame-options>
        </security:headers>
    </security:http>
</beans>
Matthew Kirkley
14

If you are using Spring Security's Java configuration, all of the default security headers are added by default. They can be disabled using the Java configuration below:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // headers().disable() removes ALL default security headers
    // (X-Frame-Options, Cache-Control, X-Content-Type-Options, HSTS, X-XSS-Protection),
    // not just X-Frame-Options.
    http
      .headers().disable();
  }
}
FuSsA
9

If you're using Spring Boot, the simplest way to disable the Spring Security default headers is to use security.headers.* properties. In particular, if you want to disable the X-Frame-Options default header, just add the following to your application.properties:

security.headers.frame=false

There are also security.headers.cache, security.headers.content-type, security.headers.hsts and security.headers.xss properties that you can use. For more information, take a look at SecurityProperties.

Ali Dehghani
  • In Spring Boot 2.x this method is deprecated. "The security auto-configuration is no longer customizable. Provide your own WebSecurityConfigurer bean instead." – mrkernelpanic Jun 15 '18 at 10:29
2

You should configure multiple HttpSecurity instances.

Here is my code where only /public/** requests are without X-Frame-Options header.

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
public class SecurityConfig {

    /**
     * Public part - Embeddable Web Plugin.
     * @Order(1) makes this filter chain win for /public/** before the catch-all chain below.
     */
    @Configuration
    @Order(1)
    public static class EmbeddableWebPluginSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Disable the X-Frame-Options header for this chain only
            http.antMatcher("/public/**").headers().frameOptions().disable();
        }
    }

    /**
     * Private part - Web App Paths (default order, so it handles everything not matched above).
     */
    @Configuration
    @EnableOAuth2Sso
    public static class SSOWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // NOTE: CSRF protection is switched off here for the whole chain
                .csrf().disable()
                .antMatcher("/**")
                .authorizeRequests()
                    .antMatchers("/public/**", "/", "/login**", "/webjars/**", "/error**", "/static/**",
                                 "/robots", "/robot", "/robot.txt", "/robots.txt")
                    .permitAll()
                    .anyRequest()
                    .authenticated()
                .and()
                .logout()
                    .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                    .logoutSuccessUrl("/bye");
        }

        /**
         * Public API endpoints - bypass the security filter chain entirely
         */
        @Override
        public void configure(WebSecurity web) throws Exception {
            web.ignoring().antMatchers("/api/**");
        }
    }
}
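An added example, not from the answer above: the same per-path outcome with a single `HttpSecurity` instead of two ordered filter chains, using Spring Security's `DelegatingRequestMatcherHeaderWriter`. The default writer (which emits DENY on every response) is removed and two request-scoped writers are added, so only the CKEditor upload handler gets SAMEORIGIN while every other response keeps DENY. This is request-path granularity, which is as close as the header configuration gets to the "controller method level" asked about in the comments. The class name, the `/**/upload-image` Ant pattern (taken from the error message in the question) and `WebSecurityConfigurerAdapter` (Spring Security 4.1 through 5.x) are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.header.writers.XFrameOptionsHeaderWriter;
import org.springframework.security.web.header.writers.XFrameOptionsHeaderWriter.XFrameOptionsMode;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Relax X-Frame-Options for one path only; everything else stays at DENY.
 * Assumed class name and path pattern.
 */
@Configuration
@EnableWebSecurity
public class PerPathFrameOptionsConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // The CKEditor upload handler that has to render inside the editor's iframe
        // (assumed pattern, matching the URL in the question's error message).
        RequestMatcher editorUpload = new AntPathRequestMatcher("/**/upload-image");

        http
            .headers()
                // Remove the default writer so it does not emit DENY on every response
                // before our request-scoped writers get a chance to run.
                .frameOptions().disable()
                // Upload handler: SAMEORIGIN, so the same-origin editor page may frame it
                // but third-party sites still cannot.
                .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
                        editorUpload,
                        new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN)))
                // Every other request: keep the strict default.
                .addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(
                        new NegatedRequestMatcher(editorUpload),
                        new XFrameOptionsHeaderWriter(XFrameOptionsMode.DENY)));
    }
}
```

To confirm the split after deploying, request the upload URL and any other page and compare the `X-Frame-Options` response header: the first should read `SAMEORIGIN`, the second `DENY`. If the editor and the upload handler live on different origins, SAMEORIGIN will not be enough and a `frame-ancestors` CSP naming the editor's origin is the correct fix rather than dropping the header.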
0

.csrf().disable() is too dangerous.

test:

.headers().frameOptions().sameOrigin()
Syscall