Hello everybody,

We are using spring boot and the x-frame-option seems to be activated by default

Screenshot from 2020-04-10 02-17-12

but in the HTTP response, it seems that it didn't recognize the x-frame-option parameter which has been set because it doesn't appear:

Content-Type: text/html
Content-Length: 3860
Connection: keep-alive
Expires: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
X-XSS-Protection: 1; mode=block
Pragma: no-cache
Accept-Ranges: bytes
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Last-Modified: Thu, 01 Jan 1970 00:00:01 GMT
X-Content-Type-Options: nosniff
Content-Language: en-US
Strict-Transport-Security: max-age=31536000

I don't know if it's a bug or I am the one who is not configuring something properly.

Thank you for your time

Comment From: mbhave

@pitsoleil I'm not sure what piece of code this screenshot is referring to. In Spring Boot itself, we don't configure anything related to x-frame-option header but instead rely on Spring Security's defaults. It is a default header that Spring Security includes in the response. If you're not seeing it, please create a Spring Security issue here. When you create the sample, providing a minimal sample that can be run to reproduce the issue would be helpful.

Comment From: pitsoleil

Hello @mbhave, thank you for your reply. I see it, and the screenshot is referring to what seems to be configured by default when checking our configuration. So I don't understand why I can't see it in the headers when I analyze the HTTP header responses. That's why I thought it should be a bug, or maybe there is something I don't understand properly.

If my question belongs to Spring Security, can you help me move the topic there, please?

Thank you