Verified Commit f1da5522 authored by Jan Pavlíček's avatar Jan Pavlíček

feat: set x-frame-options to sameorigin instead to deny

parent 7d128730
1 merge request!404feat: set x-frame-options to sameorigin instead to deny
Pipeline #476728 passed
...@@ -134,6 +134,9 @@ ...@@ -134,6 +134,9 @@
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" /> <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:access-denied-handler ref="oauthAccessDeniedHandler" /> <security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:csrf disabled="true"/> <security:csrf disabled="true"/>
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
</security:http> </security:http>
<!-- Userinfo endpoint --> <!-- Userinfo endpoint -->
...@@ -147,6 +150,9 @@ ...@@ -147,6 +150,9 @@
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" /> <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:expression-handler ref="oauthWebExpressionHandler" /> <security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/> <security:csrf disabled="true"/>
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
</security:http> </security:http>
<!-- Introspection endpoint --> <!-- Introspection endpoint -->
...@@ -163,6 +169,9 @@ ...@@ -163,6 +169,9 @@
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" /> <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" /> <security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:csrf disabled="true"/> <security:csrf disabled="true"/>
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
</security:http> </security:http>
<!-- Dynamic registration endpoint --> <!-- Dynamic registration endpoint -->
...@@ -176,6 +185,9 @@ ...@@ -176,6 +185,9 @@
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" /> <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:expression-handler ref="oauthWebExpressionHandler" /> <security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/> <security:csrf disabled="true"/>
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
</security:http> </security:http>
<!-- Revocation endpoint --> <!-- Revocation endpoint -->
...@@ -192,6 +204,9 @@ ...@@ -192,6 +204,9 @@
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" /> <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" /> <security:custom-filter ref="clientCredentialsEndpointFilter" after="BASIC_AUTH_FILTER" />
<security:csrf disabled="true"/> <security:csrf disabled="true"/>
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
</security:http> </security:http>
<!-- Device endpoint --> <!-- Device endpoint -->
...@@ -209,6 +224,9 @@ ...@@ -209,6 +224,9 @@
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" /> <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:access-denied-handler ref="oauthAccessDeniedHandler" /> <security:access-denied-handler ref="oauthAccessDeniedHandler" />
<security:csrf disabled="true"/> <security:csrf disabled="true"/>
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
</security:http> </security:http>
<!-- JWK endpoint --> <!-- JWK endpoint -->
...@@ -221,6 +239,9 @@ ...@@ -221,6 +239,9 @@
<security:custom-filter ref="logRequestFilter" after="FIRST"/> <security:custom-filter ref="logRequestFilter" after="FIRST"/>
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" /> <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:csrf disabled="true"/> <security:csrf disabled="true"/>
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
</security:http> </security:http>
<!-- Well-known --> <!-- Well-known -->
...@@ -233,6 +254,9 @@ ...@@ -233,6 +254,9 @@
<security:custom-filter ref="logRequestFilter" after="FIRST"/> <security:custom-filter ref="logRequestFilter" after="FIRST"/>
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" /> <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:csrf disabled="true"/> <security:csrf disabled="true"/>
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
</security:http> </security:http>
<!--Static resources --> <!--Static resources -->
...@@ -244,6 +268,9 @@ ...@@ -244,6 +268,9 @@
<security:custom-filter ref="mdcFilter" before="FIRST"/> <security:custom-filter ref="mdcFilter" before="FIRST"/>
<security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" /> <security:custom-filter ref="corsFilter" after="SECURITY_CONTEXT_FILTER" />
<security:csrf disabled="true"/> <security:csrf disabled="true"/>
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
</security:http> </security:http>
<!-- GUI --> <!-- GUI -->
...@@ -255,6 +282,9 @@ ...@@ -255,6 +282,9 @@
<security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" /> <security:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
<security:expression-handler ref="oauthWebExpressionHandler" /> <security:expression-handler ref="oauthWebExpressionHandler" />
<security:csrf disabled="true"/> <security:csrf disabled="true"/>
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
</security:http> </security:http>
<security:http auto-config="false" <security:http auto-config="false"
...@@ -284,6 +314,9 @@ ...@@ -284,6 +314,9 @@
<security:custom-filter ref="samlFilter" after="BASIC_AUTH_FILTER"/> <security:custom-filter ref="samlFilter" after="BASIC_AUTH_FILTER"/>
<security:custom-filter ref="authProcFilters" before="LAST"/> <security:custom-filter ref="authProcFilters" before="LAST"/>
<security:logout logout-url="/saml/logout"/> <security:logout logout-url="/saml/logout"/>
<security:headers>
<security:frame-options policy="SAMEORIGIN"/>
</security:headers>
</security:http> </security:http>
<security:authentication-manager id="clientAuthenticationManager"> <security:authentication-manager id="clientAuthenticationManager">
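Review bot: The relaxation from DENY to SAMEORIGIN is applied uniformly to every `security:http` block in the file, including the blocks that the trailing comments identify as the Userinfo, Introspection, Dynamic registration, Revocation, Device, JWK and Well-known endpoints, which serve OAuth/OIDC API responses rather than pages and have no apparent reason to be framed at all; only the GUI and SAML blocks in the last two hunks plausibly need same-origin framing. I would keep `<security:frame-options policy="DENY"/>` on the API-endpoint blocks and use `policy="SAMEORIGIN"` only where an iframe is actually used, with a comment on those blocks such as `<!-- SAMEORIGIN: this page is embedded in a same-origin iframe; the other default security headers stay enabled -->` so the next reader knows the weakening is deliberate and scoped. Note that a `<security:headers>` element with a single `frame-options` child leaves Spring Security's other default headers enabled and overrides only frame-options, which appears to be the intent here but is worth stating in the comment. If the real requirement is embedding from a different origin, SAMEORIGIN will not satisfy it, and the portable replacement is a `Content-Security-Policy` `frame-ancestors` directive, exposed by the Spring Security XML namespace as `<security:content-security-policy>` in versions that support it — confirm against the version in use. Each `security:http` block starts outside its hunk, so the blocks' `pattern`/path scoping is not visible here.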