how do I set X-Frame-Options response header to allow-from value(s) using spring java config?

spring-security http-headers spring-java-config x-frame-options
Kamal Joshi picture Kamal Joshi · Oct 1, 2015 · Viewed 17.7k times · Source

How do I set X-Frame-Options response header with a value of allow-from using spring java config?

http.headers().disable()
    .addHeaderWriter(new XFrameOptionsHeaderWriter(
      new WhiteListedAllowFromStrategy(
        Arrays.asList("https://example1.com", "https://example2.com"))));

In Http Response headers I get:

X-Frame-Options:"ALLOW-FROM DENY".

Why aren't my origins listed in the header value?

Answer

Kamal Joshi picture Kamal Joshi · Oct 12, 2015

I ended up adding my headers statically like below:

http
    .headers().frameOptions().disable()
    .addHeaderWriter(new StaticHeadersWriter("X-FRAME-OPTIONS", "ALLOW-FROM example1.com"));

Related questions

How to setup Access-Control-Allow-Origin filter problematically in Spring Security 3.2

I am trying to setup my Spring server with Spring Security 3.2 to be able to do an ajax login request. I followed the Spring Security 3.2 video and couple of posts but the issue is that I am getting No 'Access-Control-Allow-Origin' …

Read More
Zuul Proxy CORS header contains multiple values, headers repeated twice - Java Spring Boot CORS filter config

Why would I be getting every CORS header doubled? I am using the Zuul Proxy to have the request to a service proxied through an API gateway. I must have something misconfigured with my spring security filtering order. When I …

Read More
How to fix Hibernate LazyInitializationException: failed to lazily initialize a collection of roles, could not initialize proxy - no Session

In the custom AuthenticationProvider from my spring project, I am trying read the list of authorities of the logged user, but I am facing the following error: org.hibernate.LazyInitializationException: failed to lazily initialize a collection of role: com.horariolivre.…

Read More