Hello everybody,
We are using Spring Boot, and the x-frame-option seems to be activated by default,
but in the HTTP response it seems that the x-frame-option parameter which has been set was not recognized, because it doesn't appear:
Content-Type: text/html
Content-Length: 3860
Connection: keep-alive
Expires: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
X-XSS-Protection: 1; mode=block
Pragma: no-cache
Accept-Ranges: bytes
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Last-Modified: Thu, 01 Jan 1970 00:00:01 GMT
X-Content-Type-Options: nosniff
Content-Language: en-US
Strict-Transport-Security: max-age=31536000
I don't know if it's a bug or if I am the one who is not configuring something properly.
Thank you for your time
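A quick way to confirm what the report above shows is to audit the raw header block for clickjacking protection rather than reading it by eye. The script below is an added example, not code from the issue, from Spring Boot or from Spring Security: it parses a pasted header block into a case-insensitive multi-map, then checks for an X-Frame-Options header (which Spring Security's default headers writer emits as DENY) or a Content-Security-Policy frame-ancestors directive, and reports why the response is or is not protected. The REPORTED_HEADERS sample is the header block copied from the report; the hardened variants in the usage are constructed.

```python
"""Audit an HTTP response header block for clickjacking protection.

Added example; not part of the original issue or of Spring Boot /
Spring Security code. It parses a raw 'Name: value' header block and
checks for X-Frame-Options or a CSP frame-ancestors directive.
"""
from __future__ import annotations

from collections import defaultdict

# Header block copied from the report (constructed sample input; note that
# no X-Frame-Options line is present, which is exactly the reported symptom).
REPORTED_HEADERS = """\
Content-Type: text/html
Content-Length: 3860
Connection: keep-alive
Expires: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
X-XSS-Protection: 1; mode=block
Pragma: no-cache
Accept-Ranges: bytes
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Last-Modified: Thu, 01 Jan 1970 00:00:01 GMT
X-Content-Type-Options: nosniff
Content-Language: en-US
Strict-Transport-Security: max-age=31536000
"""


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse 'Name: value' lines into a multi-map keyed by lower-cased name.

    Repeated headers (such as the duplicated Vary lines above) keep every
    value, in order, so nothing the server sent is silently dropped.
    """
    headers: dict[str, list[str]] = defaultdict(list)
    for line in raw.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank lines and a leading status line, if any
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return dict(headers)


def csp_frame_ancestors(headers: dict[str, list[str]]) -> list[str] | None:
    """Return the frame-ancestors source list from any CSP header, or None."""
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return parts[1:]
    return None


def audit_clickjacking(raw: str) -> dict:
    """Evaluate a header block and return the evidence plus a list of findings."""
    headers = parse_headers(raw)
    xfo = headers.get("x-frame-options", [])
    ancestors = csp_frame_ancestors(headers)
    findings: list[str] = []

    if not xfo and ancestors is None:
        findings.append("no X-Frame-Options and no CSP frame-ancestors: "
                        "any origin may frame this page")
    for value in xfo:
        if value.upper() not in ("DENY", "SAMEORIGIN"):
            findings.append(f"X-Frame-Options value {value!r} is not DENY or "
                            "SAMEORIGIN (ALLOW-FROM is ignored by current browsers)")
    if len(xfo) > 1:
        findings.append("X-Frame-Options sent more than once; send a single value")
    if ancestors is not None and "*" in ancestors:
        findings.append("CSP frame-ancestors * allows framing from any origin")

    return {
        "x_frame_options": xfo,
        "frame_ancestors": ancestors,
        "findings": findings,
        "protected": not findings,
    }


if __name__ == "__main__":
    report = audit_clickjacking(REPORTED_HEADERS)
    print("protected:", report["protected"])
    for finding in report["findings"]:
        print(" -", finding)
```

Run against the pasted block it reports the page as unprotected with the single finding that neither header is present; appending `X-Frame-Options: DENY` (what Spring Security writes by default) or a CSP with `frame-ancestors 'none'` makes it pass. The parser keeps duplicate headers rather than collapsing them, because an audit should see exactly what the server sent, including the doubled Vary lines visible in the report.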
Comment From: mbhave
@pitsoleil I'm not sure what piece of code this screenshot is referring to. In Spring Boot itself, we don't configure anything related to the x-frame-option
header but instead rely on Spring Security's defaults. It is a default header that Spring Security includes in the response. If you're not seeing it, please create a Spring Security issue here. When you create the issue, providing a minimal sample that can be run to reproduce the issue would be helpful.
Comment From: pitsoleil
Hello @mbhave, thank you for your reply. I see it, and the screenshot is referring to what seems to be configured by default when checking our configuration. So I don't understand why I can't see it in the headers when I analyze the HTTP response headers. That's why I thought it should be a bug, or maybe there is something I don't understand properly.
If my question belongs to Spring Security, can you help me to move the topic there please?
Thank you