X-Frame-Options: DENY is not working for spring boot REST API


Problem description


My project has ExtJs as front end and Spring Boot as backend. ExtJs will call Spring Boot, which will respond with JSON. I wanted to prevent clickjacking attacks in my project. I have a simple HTML script, which will just load the website in an iframe. If the website is loaded within the iframe, then it means it is not secure. I have added the following flags X-Frame-Options: DENY and Content-Security-Policy: frame-ancestors 'none'; in the Spring Boot REST API response to prevent that. But even then, it is not preventing my application from being loaded in an iframe. The code to check if clickjacking is possible is:

```html
<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website is vulnerable to clickjacking!</p>
<!-- If the browser renders the target inside this frame, no anti-framing header was honoured -->
<iframe src="http://localhost:8000" width="1000" height="1000"></iframe>
</body>
</html>
```


Here, localhost:8000 refers to the ExtJs URL. I researched and found out that client-side validations to prevent clickjacking are not that effective. So are there any options to prevent clickjacking attacks in my project?

Recommended answer


The issue was resolved by setting "Header always append X-Frame-Options DENY" in the Apache server conf file.
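The answer works because the header has to be on the response for the page that gets framed (the ExtJS front end served by Apache on localhost:8000), not on the JSON the API returns afterwards. The following checker is an added example by the editor, not code from the question or the answer; the two header sets are constructed from what the question describes, and check_url is a hypothetical helper for running the same judgement against a live URL.

```python
"""Offline check of which response actually carries anti-framing headers.

Lesson from the thread: X-Frame-Options / CSP frame-ancestors only count on
the response for the document that gets framed (the ExtJS page on
localhost:8000), not on the JSON responses that page later fetches.
"""
from urllib.request import Request, urlopen


def frame_ancestors(csp):
    """Return the source list of a CSP frame-ancestors directive, or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_blocked(headers):
    """(blocked, reason) for framing by an arbitrary third-party origin.
    CSP frame-ancestors wins over X-Frame-Options when both are present,
    so it is consulted first; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if any(a in ("*", "http:", "https:") for a in ancestors):
            return False, "CSP frame-ancestors permits any origin"
        return True, "CSP frame-ancestors " + " ".join(ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo:  # e.g. ALLOW-FROM, which current browsers do not enforce
        return False, "X-Frame-Options %r is not an enforced value" % xfo
    return False, "no anti-framing header on this response"


def check_url(url):
    """Hypothetical live variant: fetch one URL and judge its own headers."""
    with urlopen(Request(url, method="GET"), timeout=5) as resp:
        return framing_blocked(dict(resp.headers))


# Constructed sample headers modelled on the question (not real captures).
API_RESPONSE = {  # JSON from the Spring Boot API: the headers were set here
    "Content-Type": "application/json",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none';",
}
FRONTEND_RESPONSE = {"Content-Type": "text/html"}  # ExtJS page: nothing set

if __name__ == "__main__":
    for name, hdrs in (("API", API_RESPONSE), ("front end", FRONTEND_RESPONSE)):
        blocked, why = framing_blocked(hdrs)
        print(f"{name}: {'blocked' if blocked else 'FRAMEABLE'} ({why})")
```

Run it against both URLs with check_url and the Apache fix from the answer is confirmed when the front-end response, not just the API response, reports blocked.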

