Tomcat set x-frame-option

1. If the catalina.jar Among them org.apache.catalina . filters.HttpHeaderSecurityFilter

Both Apache Tomcat 7.0.90 and Tomcat 8 have httpheadersecurityfilter

It can be found in cattomconf web.xml Add the following filters in

<filter&>
  <filter-name&>httpHeaderSecurity</filter-name&>
  <filter-class&>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class&>
  <init-param&>
    <param-name&>antiClickJackingEnabled</param-name&>
    <param-value&>true</param-value&>
  </init-param&>
  <init-param&>
    <param-name&>antiClickJackingOption</param-name&>
    <param-value&>SAMEORIGIN</param-value&>
  </init-param&>
  <async-supported&>true</async-supported&>
</filter&>
<filter-mapping&>
  <filter-name&>httpHeaderSecurity</filter-name&>
  <url-pattern&>/*</url-pattern&>
</filter-mapping&>

2. If there is no httpheadersecurity filter, you need to write your own filter, add the following code, and configure the interception in the project.

HttpServletResponse response = (HttpServletResponse) sResponse;
response.addHeader("x-frame-options","SAMEORIGIN");

X-FRAME-OPTIONS has three values:

DENY

It means that the page is not allowed to be displayed in frame, even if it is nested in the same domain name page.

SAMEORIGIN

Indicates that the page can be displayed in the frame of the same domain name page.

ALLOW-FROMuri

Indicates that the page can be displayed in the frame of the specified source.

In other words, if it is set to deny, it will not only fail to load when someone else’s website frame is embedded, but also fail to load in the same domain name page.

On the other hand, if sameorigin is set, the page can be nested in the frame of the same domain name page.

Read the full text

Report

Reward

0 like

0 collection

wechat

microblog

DebugAH

How to Solve Your Programmer Error

Tomcat set x-frame-option

Both Apache Tomcat 7.0.90 and Tomcat 8 have httpheadersecurityfilter

Other popular articles by the author

Similar Posts: