Filter to set HTTP response header X-Frame-Options to defend against ClickJacking.
More information about using X-Frame-Options for defending against clickjacking:
These instructions are targeted towards Grails 3 installations. For Grails 2.x refer to branch 1.x of the plugin.
Add a dependency to build.gradle:

...
dependencies {
    ...
    runtime ('org.grails.plugins:x-frame-options:1.1.2')
    ...
}
...
The default configuration installs a servlet filter for the URL pattern /* that adds a response header X-Frame-Options with the value DENY.
The plugin is configured through grails-app/conf/application.yml.
We can limit the URL pattern the filter is applied to:

grails:
    plugin:
        xframeoptions:
            urlPattern: /path/*
We can also set multiple patterns:

grails:
    plugin:
        xframeoptions:
            urlPattern:
                - /path/*
                - /other/*
We can set different header values based on the configuration.
To set the header value DENY we must use the following configuration:

grails:
    plugin:
        xframeoptions:
            deny: true
This is also the default value if no configuration is provided or no configuration options are set.
To set the header value SAMEORIGIN we must use the following configuration:

grails:
    plugin:
        xframeoptions:
            sameOrigin: true
To set the header value ALLOW-FROM with a URL we must use the following configuration:

grails:
    plugin:
        xframeoptions:
            allowFrom: http://www.mrhaki.com
To disable the filter we must use the following configuration option:

grails:
    plugin:
        xframeoptions:
            enabled: false
The filter is enabled by default and will use the DENY header value.
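The following is an added example, not the plugin's own code: a small Python model of the documented options (enabled, urlPattern, deny, sameOrigin, allowFrom) that resolves the header value the filter would emit, applies servlet-style URL pattern matching, and includes a defender's check of a response header set. The precedence used when more than one of deny, sameOrigin and allowFrom is set is an assumption of this example (the README documents each option on its own). The check treats ALLOW-FROM as not protective because current browsers ignore that value; Content-Security-Policy frame-ancestors is the supported replacement for allow-listing framing origins.

```python
"""Model of the X-Frame-Options plugin's configuration semantics.

Added example, not the plugin's own code. Config dicts mirror the
grails.plugin.xframeoptions block of application.yml.
"""


def header_value(cfg: dict):
    """Return the X-Frame-Options value the documented options produce,
    or None when the filter is disabled.

    Precedence (deny, then sameOrigin, then allowFrom) is an assumption
    of this example, not something the README states.
    """
    if not cfg.get("enabled", True):
        return None
    if cfg.get("deny"):
        return "DENY"
    if cfg.get("sameOrigin"):
        return "SAMEORIGIN"
    if cfg.get("allowFrom"):
        return "ALLOW-FROM " + cfg["allowFrom"]
    return "DENY"  # documented default when no option is set


def url_patterns(cfg: dict) -> list:
    """urlPattern may be a single string or a list; default is /*."""
    pattern = cfg.get("urlPattern", "/*")
    return [pattern] if isinstance(pattern, str) else list(pattern)


def path_matches(pattern: str, path: str) -> bool:
    """Servlet-style matching: '/prefix/*' matches the prefix itself and
    anything below it; any other pattern must match exactly."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def apply_filter(cfg: dict, path: str, headers: dict) -> dict:
    """Return a copy of the response headers after the filter has run."""
    result = dict(headers)
    value = header_value(cfg)
    if value is not None and any(path_matches(p, path) for p in url_patterns(cfg)):
        result["X-Frame-Options"] = value
    return result


def is_framing_protected(headers: dict) -> bool:
    """Defender's check: does this response stop cross-site framing?

    DENY and SAMEORIGIN are honoured by browsers; a missing header or an
    ALLOW-FROM value (ignored by current browsers) leaves the page framable.
    """
    value = headers.get("X-Frame-Options")
    if value is None:
        return False
    return value.strip().upper() in ("DENY", "SAMEORIGIN")


if __name__ == "__main__":
    # Constructed sample: the multi-pattern configuration from the README.
    cfg = {"urlPattern": ["/path/*", "/other/*"], "sameOrigin": True}
    for p in ("/path/login", "/other", "/public/index"):
        hdrs = apply_filter(cfg, p, {"Content-Type": "text/html"})
        print(p, hdrs.get("X-Frame-Options"), is_framing_protected(hdrs))
```

Running the block prints which of the constructed paths receive the header under the sample configuration; the default configuration (an empty dict) applies DENY to every path, and the check reports /public/index as unprotected because it lies outside the configured patterns.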