February 2022

Background

I made an embed page with Spring Boot, the kind that is shown from other sites in an iframe. At that time, Spring Security had been introduced, the HTTP header "X-Frame-Options" was set to DENY by default, and the embedded page was not displayed.

Since X-Frame-Options itself should be DENY on ordinary pages in order to suppress clickjacking, I decided it was better to stop sending this header only on the embedding page. However, "setting X-Frame-Options only for a specific URL" was a little complicated, so I summarized it.

I think that other HTTP headers can also be set per URL if necessary (unverified).
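One way to configure this, as an added example that is not the original post's code: X-Frame-Options DENY stays on every URL except the embed path, and the embed path instead gets a CSP `frame-ancestors` header so only a known parent site can frame it. It assumes Spring Boot with Spring Security 5.4 or later in the 5.x/6.x line; the path `/embed/**`, the origin `https://partner.example` and the class name `FrameHeaderConfig` are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.HeaderWriter;
import org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter;
import org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter.XFrameOptionsMode;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
public class FrameHeaderConfig {

    // Assumed path of the embeddable pages; not taken from the original post.
    private static final RequestMatcher EMBED = new AntPathRequestMatcher("/embed/**");

    // Assumed origin that is allowed to frame the embed page (placeholder).
    private static final String ALLOWED_PARENT = "https://partner.example";

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Every URL except /embed/** keeps X-Frame-Options: DENY.
        HeaderWriter denyElsewhere = new DelegatingRequestMatcherHeaderWriter(
                new NegatedRequestMatcher(EMBED),
                new XFrameOptionsHeaderWriter(XFrameOptionsMode.DENY));

        // /embed/** gets no X-Frame-Options, but framing is still limited
        // to the allowed parent through CSP frame-ancestors.
        HeaderWriter limitEmbedParents = new DelegatingRequestMatcherHeaderWriter(
                EMBED,
                new StaticHeadersWriter("Content-Security-Policy",
                        "frame-ancestors " + ALLOWED_PARENT));

        http.headers(headers -> headers
                // Turn off the global writer so it cannot add DENY to /embed/**.
                .frameOptions(frame -> frame.disable())
                .addHeaderWriter(denyElsewhere)
                .addHeaderWriter(limitEmbedParents));

        return http.build();
    }
}
```

Checking the response headers of one ordinary URL and one embed URL (for example with `curl -I`) confirms that DENY is present on the first and absent on the second.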
