Setting X-Frame-Options in Tomcat

1. If catalina.jar contains org.apache.catalina.filters.HttpHeaderSecurityFilter

Both Apache Tomcat 7.0.90 and Tomcat 8 include HttpHeaderSecurityFilter.

Add the following filter to Tomcat's conf/web.xml:

<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <init-param>
    <param-name>antiClickJackingEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>SAMEORIGIN</param-value>
  </init-param>
  <async-supported>true</async-supported>
</filter>
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

2. If HttpHeaderSecurityFilter is not available, write your own filter containing the following code and configure its mapping in the project.

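// Inside doFilter(), before chain.doFilter(); sResponse is the ServletResponse argument.
// setHeader replaces any existing value instead of sending the header twice.
HttpServletResponse response = (HttpServletResponse) sResponse;
response.setHeader("X-Frame-Options", "SAMEORIGIN");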
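
A complete filter for step 2, as an added example that is not part of the original article. It targets the javax.servlet API used by Tomcat 7 and 8; the class name FrameOptionsFilter and the init-param name option are assumptions. Register it in the project's web.xml with a <filter> and <filter-mapping> entry like the one in step 1.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Added example: FrameOptionsFilter and its "option" init-param are hypothetical names.
public class FrameOptionsFilter implements Filter {

    private String option = "SAMEORIGIN"; // default when web.xml gives no init-param

    @Override
    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("option");
        if (configured == null) {
            return;
        }
        String value = configured.trim().toUpperCase(Locale.ROOT);
        // Fail at startup on a typo. ALLOW-FROM takes a URI and is left out of this example.
        if (!value.equals("DENY") && !value.equals("SAMEORIGIN")) {
            throw new ServletException("Unsupported X-Frame-Options value: " + configured);
        }
        option = value;
    }

    @Override
    public void doFilter(ServletRequest sRequest, ServletResponse sResponse, FilterChain chain)
            throws IOException, ServletException {
        if (sResponse instanceof HttpServletResponse) {
            HttpServletResponse response = (HttpServletResponse) sResponse;
            // Set the header before chain.doFilter(): once the response is committed,
            // header changes are ignored. setHeader also overwrites any earlier value.
            response.setHeader("X-Frame-Options", option);
        }
        chain.doFilter(sRequest, sResponse);
    }

    @Override
    public void destroy() {
        // No resources to release.
    }
}
```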

X-Frame-Options has three possible values:

DENY

The page may not be displayed in a frame at all, even when it is nested in a page from the same domain.

SAMEORIGIN

The page may be displayed in a frame on a page from the same domain.

ALLOW-FROM uri

The page may be displayed in a frame on a page from the specified origin.

In other words, if the header is set to DENY, the page fails to load not only when another site embeds it in a frame, but also when a page on the same domain does.

If it is set to SAMEORIGIN, on the other hand, the page can be nested in a frame on a page from the same domain.
