How to disable X-Frame-Options response header in Spring Security

Question

I have CKeditor on my jsp and whenever I upload something  the following error pops out    Refused to display  http   localhost 8080 xxx xxx upload-image CKEditor text amp CKEditorFuncNum 1 amp langCode ru  in a frame because it set  X-Frame-Options  to  DENY     I have tried removing Spring Security and everything works like a charm  How can I disable this in spring security xml file  What should I write between  lt http gt  tags

User · Answer

If you re using Spring Boot  the simplest way to disable the Spring Security default headers is to use security headers   properties  In particular  if you want to disable the X-Frame-Options default header  just add the following to your application properties   security headers frame false   There is also security headers cache  security headers content-type  security headers hsts and security headers xss properties that you can use  For more information  take a look at SecurityProperties

User · Answer

Most likely you don t want to deactivate this Header completely  but use SAMEORIGIN  If you are using the Java Configs  Spring Boot  and would like to allow the X-Frame-Options  SAMEORIGIN  then you would need to use the following     For older Spring Security versions   http     headers           addHeaderWriter new XFrameOptionsHeaderWriter XFrameOptionsHeaderWriter XFrameOptionsMode SAMEORIGIN       For newer versions like Spring Security 4 0 2   http     headers          frameOptions             sameOrigin

User · Answer

By default X-Frame-Options is set to denied  to prevent clickjacking attacks  To override this  you can add the following into your spring security config   lt http gt           lt headers gt           lt frame-options policy  SAMEORIGIN   gt       lt  headers gt   lt  http gt    Here are available options for policy   DENY - is a default value  With this the page cannot be displayed in a frame  regardless of the site attempting to do so   SAMEORIGIN - I assume this is what you are looking for  so that the page will be  and can be  displayed in a frame on the same origin as the page itself ALLOW-FROM - Allows you to specify an origin  where the page can be displayed in a frame    For more information take a look here    And here to check how you can configure the headers using either XML or Java configs   Note  that you might need also to specify appropriate strategy  based on needs

User · Answer

If using XML configuration you can use    lt beans xmlns  http   www springframework org schema beans          xmlns security  http   www springframework org schema security  gt    lt security http gt       lt security headers gt            lt security frame-options disabled  true  gt  lt  security frame-options gt       lt  security headers gt   lt  security http gt   lt  beans gt

User · Answer

If you re using Java configs instead of XML configs  put this in your WebSecurityConfigurerAdapter configure HttpSecurity http  method   http headers   frameOptions   disable

User · Answer

If you are using Spring Security s Java configuration  all of the default security headers are added by default  They can be disabled using the Java configuration below    EnableWebSecurity  Configuration public class WebSecurityConfig extends    WebSecurityConfigurerAdapter       Override   protected void configure HttpSecurity http  throws Exception       http        headers   disable

[java] How to disable 'X-Frame-Options' response header in Spring Security?

Examples related to java

Examples related to spring

Examples related to spring-security

Examples related to spring-boot

Examples related to x-frame-options