Issue
I am building a small Spring Boot/Angular app that will be displayed inside an iframe of another app. Basically a small tool for adding/editing contracts. I have not implemented Spring Security, because the whole authentication thing is done by the parent app. There is only one way to reach my app, through that other app. The parent app will send me the login and that's all. The problem is, I cannot open my app inside the other one, because of the x-frame-options: deny header. Is there a way to change this header without implementing the whole Spring Security thing? Or maybe implementing only the HttpSecurity part with X-Frame-Options disabled? Implementing the whole Spring Security would be overkill for such a small app, so I really hope there is some other option in Spring Boot, or maybe server side (WildFly 20). I am using Spring Boot 2.7.0. Thanks in advance.
Solution
If you implement the Content-Security-Policy frame-ancestors directive, it will override X-Frame-Options (except for IE, which should no longer be a problem). You need to find a way to set the header in the same response as X-Frame-Options; this could be in code, a web server, a proxy, or a load balancer. In the frame-ancestors directive, list the host names of all allowed hosts.
Answered By - Halvor Sakshaug
Answer Checked By - Pedro (JavaFixing Volunteer)
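The "in code" option from the answer, as an added example that is not part of the original post or the asker's project: a plain servlet Filter registered through Spring Boot's FilterRegistrationBean, which needs no Spring Security on the classpath and works under Spring Boot 2.7 (javax.servlet, as used by embedded Tomcat 9 and by WildFly 20). The package name, the config class name and the parent origin https://parent.example.com are assumed placeholders.

```java
// Added example (not from the original post): emit a Content-Security-Policy header with a
// frame-ancestors directive on every response, so the browser will render this app in a
// frame only when the embedding page comes from one of the listed origins.
// Spring Boot 2.7 targets javax.servlet (Servlet 4.0), where Filter is a functional interface.
package com.example.contracts.web;

import java.util.List;

import javax.servlet.Filter;
import javax.servlet.http.HttpServletResponse;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;

@Configuration
public class FrameAncestorsConfig {

    // Origins allowed to embed this app: scheme + host (+ port), no path.
    // Assumed placeholder value; replace with the real origin(s) of the parent app.
    private static final List<String> ALLOWED_PARENTS = List.of("https://parent.example.com");

    // Builds the policy value. 'self' keeps same-origin framing working; the parent
    // origins follow as space-separated source expressions.
    static String buildPolicy(List<String> parents) {
        return "frame-ancestors 'self' " + String.join(" ", parents);
    }

    @Bean
    public FilterRegistrationBean<Filter> frameAncestorsFilter() {
        Filter filter = (request, response, chain) -> {
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            // setHeader (not addHeader) so any earlier CSP value on this response is replaced
            // rather than duplicated; set before the handler runs so static Angular assets,
            // the index page and error responses all carry it.
            httpResponse.setHeader("Content-Security-Policy", buildPolicy(ALLOWED_PARENTS));
            chain.doFilter(request, response);
        };
        FilterRegistrationBean<Filter> registration = new FilterRegistrationBean<>(filter);
        registration.addUrlPatterns("/*");
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }
}
```

Two things worth checking after deploying this. First, frame-ancestors takes origins (for example https://parent.example.com or https://*.example.com), not bare host names with paths, and the policy must be sent as a response header; a `<meta http-equiv>` CSP tag is ignored for frame-ancestors. Second, this header is purely a browser-side framing control: it stops other sites from framing the app (clickjacking), but it does not authenticate requests, so a user who navigates to the app's URL directly still gets the page. If the only intended path is through the parent app, that has to be enforced by the parent's login hand-off or at the network/proxy layer, not by this header.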