ClickJacking Filter to add X-FRAME-OPTIONS in response


Problem description

In order to tackle clickJacking and block my site from being opened in an iframe, I have created a servlet filter in which I am adding the line below to add the "X-FRAME-OPTIONS" response header. But when I run the page and look at the response headers of that page, I never get this header in there. Any idea why?

public void doFilter(
        ServletRequest request, ServletResponse response, FilterChain chain
        ) throws IOException, ServletException
    {

        HttpServletResponse res = (HttpServletResponse)response;
        chain.doFilter(request, response);

        //Specify the mode
        res.addHeader("X-FRAME-OPTIONS", "DENY");
    }

Recommended answer

You need to add the header before calling doFilter. By the time control returns from doFilter the headers and body have already been sent, so your addHeader is ignored.
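
The ordering described in the answer, written out as a complete filter. This is an added example, not code from the original question or answer. The class name AntiFramingFilter is hypothetical, the javax.servlet API is assumed (use jakarta.servlet on Jakarta EE 9+), and the Content-Security-Policy header goes beyond what the answer covers.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; map it to /* in web.xml or with @WebFilter("/*").
public class AntiFramingFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration needed (explicit for Servlet 3.x containers).
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse res = (HttpServletResponse) response;
            // Headers must be set BEFORE the rest of the chain runs. Once the
            // servlet has written enough output, the response is committed
            // (res.isCommitted() returns true) and later header calls are
            // silently ignored, which is the symptom in the question.
            // setHeader replaces any earlier value, so the browser never
            // receives two conflicting X-Frame-Options values.
            res.setHeader("X-Frame-Options", "DENY");
            // Not in the original answer: frame-ancestors is the CSP directive
            // that supersedes X-Frame-Options. addHeader is used because
            // multiple CSP headers are all enforced together; a downstream
            // setHeader on the same name would still replace this one.
            res.addHeader("Content-Security-Policy", "frame-ancestors 'none'");
        }
        // Only now hand the request to the remaining filters and the servlet.
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

To confirm the fix, request a page through the filter mapping and check that X-Frame-Options: DENY appears in the response headers in the browser's network panel.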
