How do I set X-Frame-Options response header to allow-from value(s) using Spring Java config?

Kamal Joshi · Oct 1, 2015 · Viewed 17.7k times

How do I set X-Frame-Options response header with a value of allow-from using Spring Java config?

http.headers().disable()
    .addHeaderWriter(new XFrameOptionsHeaderWriter(
      new WhiteListedAllowFromStrategy(
        Arrays.asList("https://example1.com", "https://example2.com"))));

In Http Response headers I get:

X-Frame-Options:"ALLOW-FROM DENY".

Why aren't my origins listed in the header value?

Answer

Kamal Joshi · Oct 12, 2015

I ended up adding my headers statically like below:

http
    .headers().frameOptions().disable()
    .addHeaderWriter(new StaticHeadersWriter("X-FRAME-OPTIONS", "ALLOW-FROM example1.com"));
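
Added example (not part of the original post, and not Spring Security's own code): `WhiteListedAllowFromStrategy` takes the framing origin from the `x-frames-allow-from` request parameter and returns `DENY` when that parameter is absent or not whitelisted, which is where `ALLOW-FROM DENY` comes from; `ALLOW-FROM` also carries only one origin and modern browsers no longer honour it. The configuration below sends the whole allowlist as `Content-Security-Policy: frame-ancestors` instead, assuming the same Spring Security 4 `WebSecurityConfigurerAdapter` API as above; the class name `FramingConfig` and the helper `frameAncestors` are hypothetical.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.List;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.header.HeaderWriter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;

@Configuration
@EnableWebSecurity
public class FramingConfig extends WebSecurityConfigurerAdapter { // hypothetical class name

    // The two origins from the question.
    private static final List<String> ALLOWED_FRAMERS =
            Arrays.asList("https://example1.com", "https://example2.com");

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers()
            .frameOptions().disable() // drop the default X-Frame-Options: DENY
            .addHeaderWriter(frameAncestors(ALLOWED_FRAMERS));
    }

    // Hypothetical helper: builds "frame-ancestors <origin> <origin> ..." from exact https origins.
    static HeaderWriter frameAncestors(List<String> origins) {
        if (origins.isEmpty()) {
            // An empty allowlist means nobody may frame the application.
            return new StaticHeadersWriter("Content-Security-Policy", "frame-ancestors 'none'");
        }
        StringBuilder policy = new StringBuilder("frame-ancestors");
        for (String origin : origins) {
            URI uri = URI.create(origin); // throws IllegalArgumentException on malformed input
            boolean bareOrigin = uri.getHost() != null && uri.getUserInfo() == null
                    && uri.getRawPath().isEmpty() && uri.getRawQuery() == null
                    && uri.getRawFragment() == null;
            // Accept only https://host[:port], so a typo or a stray ';' cannot
            // widen the policy or smuggle in another directive.
            if (!"https".equals(uri.getScheme()) || !bareOrigin) {
                throw new IllegalArgumentException("Not an https origin: " + origin);
            }
            policy.append(' ').append(origin);
        }
        return new StaticHeadersWriter("Content-Security-Policy", policy.toString());
    }
}
```

With the two origins above, responses carry `Content-Security-Policy: frame-ancestors https://example1.com https://example2.com`.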