1

I have enabled Spring Security headers.

My code is like this:

<security:headers disabled="false">
       <security:content-security-policy policy-directives="script-src  'self' 'unsafe-inline' 'unsafe-eval'" />
       <security:cache-control disabled="true"/>
</security:headers>

By default X-FRAME-OPTIONS is DENY. But some requests I should enable X-FRAME-OPTIONS as SAMEORIGIN. How to do?

dur
  • 15,689
  • 25
  • 79
  • 125
prameela 0807
  • 61
  • 2
  • 5
  • Possible duplicate of https://stackoverflow.com/questions/28647136/how-to-disable-x-frame-options-response-header-in-spring-security/66580815#66580815 – Zdeněk Dušátko Mar 11 '21 at 10:47

1 Answers1

0

You can use a DelegatingRequestMatcherHeaderWriter, see Spring Security Reference:

20.2.3 DelegatingRequestMatcherHeaderWriter

At times you may want to only write a header for certain requests. For example, perhaps you want to only protect your log in page from being framed. You could use the DelegatingRequestMatcherHeaderWriter to do so. When using the XML namespace configuration, this can be done with the following:

<http>
  <!-- ... -->

  <headers>
      <frame-options disabled="true"/>
      <header ref="headerWriter"/>
  </headers>
</http>

<beans:bean id="headerWriter"
class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter">
  <beans:constructor-arg>
      <bean class="org.springframework.security.web.util.matcher.AntPathRequestMatcher"
        c:pattern="/login"/>
  </beans:constructor-arg>
  <beans:constructor-arg>
      <beans:bean
        class="org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter"/>
  </beans:constructor-arg>
</beans:bean>

To use DENYand SAMEORIGIN for different URLs you have to add two header elements with two different DelegatingRequestMatcherHeaderWriter.

dur
  • 15,689
  • 25
  • 79
  • 125