The security team tested our application and they found the following warning:
X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
We use Spring Boot in our application but we don't use Spring Security. We use our custom security mechanism.
Is there a way to add this header to all responses?
You can create a custom filter and set the header there:
import java.io.IOException;
import javax.servlet.FilterChain;            // jakarta.servlet.* on Spring Boot 3+
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
@Component // registered as a bean, so Spring Boot applies it to every request
public class XFrameFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest httpRequest,
                                    HttpServletResponse httpResponse,
                                    FilterChain filterChain) throws ServletException, IOException {
        httpResponse.setHeader("X-Frame-Options", "DENY"); // DENY forbids framing by any origin
        filterChain.doFilter(httpRequest, httpResponse);
    }
}
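A fuller version of the same idea, added here as an example and not part of the original answer: the filter is registered explicitly with a FilterRegistrationBean so it runs first on every URL pattern, and it sets Content-Security-Policy: frame-ancestors 'none' alongside X-Frame-Options, since current browsers honour the CSP directive in preference to the older header. The class names are assumed; servlet imports are javax.servlet for Spring Boot 2 (jakarta.servlet on Spring Boot 3).

```java
import java.io.IOException;
import javax.servlet.FilterChain;            // jakarta.servlet.* on Spring Boot 3+
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.filter.OncePerRequestFilter;

/** Adds anti-clickjacking headers to every response (hypothetical class name). */
public class AntiClickjackingFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // Headers are set before the chain runs so they are in place before the
        // response is committed by a controller or static-resource handler.
        // Legacy header, still needed for older browsers; DENY forbids framing by any origin.
        response.setHeader("X-Frame-Options", "DENY");
        // Modern equivalent; frame-ancestors 'none' matches DENY. If the app frames its
        // own pages, use frame-ancestors 'self' together with X-Frame-Options: SAMEORIGIN.
        response.setHeader("Content-Security-Policy", "frame-ancestors 'none'");
        chain.doFilter(request, response);
    }
}

/** Registers the filter for all URL patterns, ahead of the application's other filters. */
@Configuration
class AntiClickjackingConfig {
    @Bean
    public FilterRegistrationBean<AntiClickjackingFilter> antiClickjackingFilter() {
        FilterRegistrationBean<AntiClickjackingFilter> reg =
                new FilterRegistrationBean<>(new AntiClickjackingFilter());
        reg.addUrlPatterns("/*");                       // every request, not just controllers
        reg.setOrder(Ordered.HIGHEST_PRECEDENCE);       // run before any custom security filter
        return reg;
    }
}
```

To confirm the fix after deployment, fetch any page, including an error page and a static resource, with `curl -sI` and check that both headers appear in the response; a 404 or redirect response that lacks them is the usual gap a scanner reports.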