如何在 Spring Security 中禁用“ X-Frame-Options”响应头？

By default X-Frame-Options is set to denied, to prevent clickjacking attacks. To override this, you can add the following into your spring security config

<http>
<headers>
<frame-options policy="SAMEORIGIN"/>
</headers>
</http>

Here are available options for policy

• DENY - is a default value. With this the page cannot be displayed in a frame, regardless of the site attempting to do so.
• SAMEORIGIN - I assume this is what you are looking for, so that the page will be (and can be) displayed in a frame on the same origin as the page itself
• ALLOW-FROM - Allows you to specify an origin, where the page can be displayed in a frame.

For more information take a look here.

And here to check how you can configure the headers using either XML or Java configs.

Note, that you might need also to specify appropriate strategy, based on needs.

If you're using Java configs instead of XML configs, put this in your WebSecurityConfigurerAdapter.configure(HttpSecurity http) method:

http.headers().frameOptions().disable();

Most likely you don't want to deactivate this Header completely, but use SAMEORIGIN. If you are using the Java Configs (Spring Boot) and would like to allow the X-Frame-Options: SAMEORIGIN, then you would need to use the following.

For older Spring Security versions:

http
.headers()
.addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))

For newer versions like Spring Security 4.0.2:

http
.headers()
.frameOptions()
.sameOrigin();

If using XML configuration you can use

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security">
<security:http>
<security:headers>
<security:frame-options disabled="true"></security:frame-options>
</security:headers>
</security:http>
</beans>

If you're using Spring Boot, the simplest way to disable the Spring Security default headers is to use security.headers.* properties. In particular, if you want to disable the X-Frame-Options default header, just add the following to your application.properties:

security.headers.frame=false

There is also security.headers.cache, security.headers.content-type, security.headers.hsts and security.headers.xss properties that you can use. For more information, take a look at SecurityProperties.

If you are using Spring Security's Java configuration, all of the default security headers are added by default. They can be disabled using the Java configuration below:

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {


@Override
protected void configure(HttpSecurity http) throws Exception {
http
.headers().disable()
...;
}
}

You should configure multiple HttpSecurity instances.

Here is my code where only /public/** requests are without X-Frame-Options header.

@Configuration
public class SecurityConfig {


/**
* Public part - Embeddable Web Plugin
*/


@Configuration
@Order(1)
public static class EmbeddableWebPluginSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
protected void configure(HttpSecurity http) throws Exception {
// Disable X-Frame-Option Header
http.antMatcher("/public/**").headers().frameOptions().disable();
}
}


/**
* Private part - Web App Paths
*/


@Configuration
@EnableOAuth2Sso
public static class SSOWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {


http
.csrf().disable()
.antMatcher("/**")
.authorizeRequests()
.antMatchers("/public/**", "/", "/login**", "/webjars/**", "/error**", "/static/**", "/robots", "/robot", "/robot.txt", "/robots.txt")
.permitAll()
.anyRequest()
.authenticated()
.and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/bye");
}


/**
* Public API endpoints
*/


@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/api/**");
}
}
}

.csrf().disable() its to dangerous.

test:

.headers().frameOptions().sameOrigin()