Tags: java, reactjs, spring-security, x-frame-options, clickjacking

X-Frame-Options: DENY works only on backend port endpoints


So, since I'm working on Spring Security I've set headers.frameOptions to DENY. When I try this by putting my backend endpoint (localhost:8080 here) in an iframe, everything works perfectly fine. The thing is, when I put the frontend (localhost:3000) in an iframe, nothing happens and the application is displayed in the iframe. I'm thinking that the header configuration I'm doing applies only to the APIs and not at the start of the application.

At the start of the application, as you can see, there is no X-Frame-Options: DENY header. Here it is after I send an API request.

Here is the function:

@Override
protected void configure(HttpSecurity http) throws Exception {
    // AUTH_LIST is a String[] of protected paths defined elsewhere in this class.
    http.cors().and()
            .headers()
            // HSTS for one year, including subdomains (configured only once;
            // the original chain set it twice, which is redundant)
            .httpStrictTransportSecurity()
            .maxAgeInSeconds(31536000)
            .includeSubDomains(true)
            .and()
            // X-Content-Type-Options: nosniff
            .contentTypeOptions()
            .and()
            // Legacy X-XSS-Protection header
            .xssProtection()
            .and()
            // Calling contentSecurityPolicy() twice replaces the first policy
            // with the second, so both directives go into one header value.
            .contentSecurityPolicy("script-src 'self'; frame-ancestors 'none'")
            .and()
            // X-Frame-Options: DENY on every response Spring Security handles
            .frameOptions()
            .deny()
            .and()
            .csrf()
            .disable()
            .formLogin().defaultSuccessUrl("/swagger-ui.html", true).and()
            .authorizeRequests().antMatchers(AUTH_LIST).authenticated()
            .antMatchers("/actuator/**").access("hasAnyRole('ADMIN') and hasIpAddress('127.0.0.1')")
            .anyRequest().permitAll()
            .and().httpBasic();
}

Solution

  • I finally resolved this issue by configuring the frontend web.xml file. Following this, if you're using nginx as a server you can add:

    Header always set X-Frame-Options "SAMEORIGIN"

    If you're using any other server you can check MDN.

    To conclude, if you're working on a full-stack application you have to configure the server configuration file, otherwise Spring Security won't prevent clickjacking.
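As an added example (not part of the answer above): an nginx server block for the React production build that emits the anti-framing headers on the frontend's own responses, which Spring Security never sees because it only adds headers to responses the backend serves. Note that `Header always set ...` is Apache httpd syntax; the nginx directive is `add_header`. The build path, the listen port and the `/api/` proxy prefix are assumptions.

```nginx
# Serves the React build on :3000 and proxies API calls to the Spring backend on :8080.
server {
    listen 3000;
    server_name localhost;

    root /var/www/frontend/build;   # assumed location of the React production build
    index index.html;

    # Anti-framing headers on everything this server emits, including 4xx/5xx
    # responses ("always"). This covers index.html, the page the question could
    # still load inside an iframe.
    add_header X-Frame-Options "DENY" always;
    add_header Content-Security-Policy "frame-ancestors 'none'" always;

    location / {
        # SPA fallback: unknown paths return index.html so client-side routing works.
        try_files $uri $uri/ /index.html;
    }

    location /api/ {
        # Backend responses already carry the headers configured in Spring Security.
        proxy_pass http://127.0.0.1:8080/api/;
        proxy_set_header Host $host;
    }

    location /static/ {
        # add_header in a location block replaces, rather than extends, the
        # server-level add_header set, so the anti-framing headers must be
        # repeated next to any location-specific header.
        add_header Cache-Control "public, max-age=31536000, immutable";
        add_header X-Frame-Options "DENY" always;
        add_header Content-Security-Policy "frame-ancestors 'none'" always;
    }
}
```

Verify with `curl -sI http://localhost:3000/` and `curl -sI http://localhost:3000/static/js/main.js` that both responses carry X-Frame-Options, not just the API responses from port 8080.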