diff --git a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml
index 0a03bf56519019342b8b2bb8e411eb4162d4fbcc..6738b486956c98a10b810e82cd0c5e4b0cf6a36c 100644
--- a/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml
+++ b/perun-oidc-server-webapp/src/main/webapp/WEB-INF/web-context.xml
@@ -134,6 +134,9 @@
         <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
         <security:access-denied-handler ref="oauthAccessDeniedHandler" />
         <security:csrf disabled="true"/>
+        <security:headers>
+            <security:frame-options policy="SAMEORIGIN"/>
+        </security:headers>
     </security:http>
 
     <!-- Userinfo endpoint -->
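Review bot: Whether the other default security headers (Cache-Control, X-Content-Type-Options, HSTS) are still emitted once `<security:headers>` is declared with only a `frame-options` child depends on the Spring Security version, which this diff does not show: in 4.x the child is merged with the defaults, whereas in 3.2.x only the listed children are added, so on 3.2.x this block would silently reduce the header set to X-Frame-Options alone. Please confirm the version in use and, if it is 3.2.x, list the remaining defaults explicitly in the same element; either way a one-line response-header check on one endpoint after deployment would settle it. Recording the intent next to the element would help the next reader, e.g. `<!-- SAMEORIGIN: allow framing only by this origin; the other default headers are expected to stay enabled -->`. The same block is repeated verbatim in the other ten hunks (userinfo through the SAML http block), so this applies to each of them; the pure API endpoints that never render in a browser could arguably use `policy="DENY"`, but SAMEORIGIN is a safe, consistent choice.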
@@ -147,6 +150,9 @@
         <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
         <security:expression-handler ref="oauthWebExpressionHandler" />
         <security:csrf disabled="true"/>
+        <security:headers>
+            <security:frame-options policy="SAMEORIGIN"/>
+        </security:headers>
     </security:http>
 
     <!-- Introspection endpoint -->
@@ -163,6 +169,9 @@
         <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
         <security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
         <security:csrf disabled="true"/>
+        <security:headers>
+            <security:frame-options policy="SAMEORIGIN"/>
+        </security:headers>
     </security:http>
 
     <!-- Dynamic registration endpoint -->
@@ -176,6 +185,9 @@
         <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
         <security:expression-handler ref="oauthWebExpressionHandler" />
         <security:csrf disabled="true"/>
+        <security:headers>
+            <security:frame-options policy="SAMEORIGIN"/>
+        </security:headers>
     </security:http>
 
     <!-- Revocation endpoint -->
@@ -192,6 +204,9 @@
         <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
         <security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
         <security:csrf disabled="true"/>
+        <security:headers>
+            <security:frame-options policy="SAMEORIGIN"/>
+        </security:headers>
     </security:http>
 
     <!-- Device endpoint -->
@@ -209,6 +224,9 @@
         <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
         <security:access-denied-handler ref="oauthAccessDeniedHandler" />
         <security:csrf disabled="true"/>
+        <security:headers>
+            <security:frame-options policy="SAMEORIGIN"/>
+        </security:headers>
     </security:http>
 
     <!-- JWK endpoint -->
@@ -221,6 +239,9 @@
         <security:custom-filter ref="logRequestFilter" after="FIRST"/>
         <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
         <security:csrf disabled="true"/>
+        <security:headers>
+            <security:frame-options policy="SAMEORIGIN"/>
+        </security:headers>
     </security:http>
 
     <!-- Well-known -->
@@ -233,6 +254,9 @@
         <security:custom-filter ref="logRequestFilter" after="FIRST"/>
         <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
         <security:csrf disabled="true"/>
+        <security:headers>
+            <security:frame-options policy="SAMEORIGIN"/>
+        </security:headers>
     </security:http>
 
     <!--Static resources -->
@@ -244,6 +268,9 @@
         <security:custom-filter ref="mdcFilter" before="FIRST"/>
         <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
         <security:csrf disabled="true"/>
+        <security:headers>
+            <security:frame-options policy="SAMEORIGIN"/>
+        </security:headers>
     </security:http>
 
     <!-- GUI -->
@@ -255,6 +282,9 @@
         <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
         <security:expression-handler ref="oauthWebExpressionHandler" />
         <security:csrf disabled="true"/>
+        <security:headers>
+            <security:frame-options policy="SAMEORIGIN"/>
+        </security:headers>
     </security:http>
 
     <security:http auto-config="false"
@@ -284,6 +314,9 @@
         <security:custom-filter ref="samlFilter" after="BASIC_AUTH_FILTER"/>
         <security:custom-filter ref="authProcFilters" before="LAST"/>
         <security:logout logout-url="/saml/logout"/>
+        <security:headers>
+            <security:frame-options policy="SAMEORIGIN"/>
+        </security:headers>
     </security:http>
 
     <security:authentication-manager id="clientAuthenticationManager">