I made an embed page with Spring Boot, one intended to be shown from other sites in an iframe. When I introduced Spring Security, it set the HTTP header "X-Frame-Options" to DENY by default, and the embedded page was no longer displayed.

Since X-Frame-Options itself should stay DENY in order to suppress clickjacking on ordinary pages, I decided it was better to stop sending this header only on the embedded page. However, "setting X-Frame-Options only for a specific URL" was a little complicated, so I have summarized it here.

I think other HTTP headers can be set per URL in the same way if necessary (unverified).


Target URL                 | X-Frame-Options
**                         | Do not send the header itself
Other than the above URL   | DENY (default)


Someone with the same problem asked on Stack Overflow, so this time I referred to that question:

Disable X-FrameOptions response header for a URL Spring Security JAVA config


If you set it in a single "configure(HttpSecurity http)", all URLs will be affected. The key seems to be preparing multiple classes that extend WebSecurityConfigurerAdapter, each handling a different URL pattern.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
public class WebMVCSecurity {
    // Authentication settings (optional); a sample that does not affect X-Frame-Options, so change it freely. Spring Security 5+ needs a PasswordEncoder, hence the "{noop}" prefix.
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("admin").password("{noop}password").roles("USER", "ADMIN");
    }
    // This is the most important part: a WebSecurityConfigurerAdapter whose loading order is set with @Order.
    @Configuration
    @Order(1)
    public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // antMatcher restricts this adapter to "/contents/embed/**". I wanted no header at all, so ".headers().frameOptions().disable()";
            // there are other settings such as ".headers().frameOptions().sameOrigin()", so check them out.
            http.antMatcher("/contents/embed/**")
                .headers().frameOptions().disable();
        }
    }
    // Another WebSecurityConfigurerAdapter whose settings apply to URLs that do not match "/contents/embed/**".
    // Without an @Order annotation it is said to be loaded after the adapters that have one.
    @Configuration
    public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().authenticated()
                .and().formLogin();
            // etc. Set according to the project.
        }
    }
}
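To check that the two adapters really behave as the table above describes, here is an added MockMvc test (my own example, not code from the original post). It assumes a Spring Boot app with spring-boot-starter-test on the test classpath; the test class name and the request path "/contents/embed/sample" are made up for the example.

```java
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

// Loads the full Spring Security filter chain, so both WebSecurityConfigurerAdapters are active.
@SpringBootTest
@AutoConfigureMockMvc
class FrameOptionsPerUrlTest {

    @Autowired
    private MockMvc mockMvc;

    // Any path under /contents/embed/** is handled by the @Order(1) adapter:
    // frameOptions().disable() removes the X-Frame-Options writer, so no header is sent.
    // The path is a constructed example and needs no controller, because the
    // HeaderWriterFilter runs before the request reaches the DispatcherServlet.
    @Test
    void embedPageSendsNoFrameOptionsHeader() throws Exception {
        mockMvc.perform(get("/contents/embed/sample"))
               .andExpect(header().doesNotExist("X-Frame-Options"));
    }

    // Every other path falls through to the second adapter, which keeps the default DENY.
    // An anonymous request is redirected to the login page, but the header is still written.
    @Test
    void otherPagesStillSendDeny() throws Exception {
        mockMvc.perform(get("/"))
               .andExpect(header().string("X-Frame-Options", "DENY"));
    }
}
```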

that's all.

[JAVA] Set HTTP headers (X-Frame-Options) only for specific URLs in Spring Security
