X-Frame-Options Plugin

Dependency:
compile ":xframeoptions:1.0"

Servlet filter that adds an X-Frame-Options response header.


Grails X-Frame-Options Plugin

Filter that sets the HTTP response header X-Frame-Options to defend against clickjacking.

More information about using X-Frame-Options for defending against clickjacking:


Add a dependency to grails-app/conf/BuildConfig.groovy:

plugins {
    runtime (':xframeoptions:1.0')
}

The default configuration installs a servlet filter for the URL pattern /* that adds a response header X-Frame-Options with the value DENY.


The plugin is configured through grails-app/conf/Config.groovy.

We can limit the URL pattern the filter is applied to:

grails.plugin.xframeoptions.urlPattern = '/path/*'

We can also set multiple patterns:

grails.plugin.xframeoptions.urlPattern = ['/path/*', '/other/*']

We can set different header values based on the configuration. To set the header value DENY we must use the following configuration:

grails.plugin.xframeoptions.deny = true

This is also the default value if no configuration is provided or no configuration options are set.

To set the header value SAMEORIGIN we must use the following configuration:

grails.plugin.xframeoptions.sameOrigin = true

To set the header value ALLOW-FROM with a URL we must use the following configuration (current browsers treat ALLOW-FROM as obsolete and ignore a header that carries it):

grails.plugin.xframeoptions.allowFrom = 'http://www.mrhaki.com'

To disable the filter we must use the following configuration option:

grails.plugin.xframeoptions.enabled = false

The filter is enabled by default and will use the DENY header value.
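
A check to run after narrowing urlPattern or changing the header value, as an added example that is not part of the plugin: it reports which paths end up without an effective X-Frame-Options header. The function names and the sample responses are constructed, and the matching assumes the standard servlet URL-pattern rules for filter mappings.

```python
import re

# Constructed sample: request path -> X-Frame-Options values seen on the response.
SAMPLE = {
    "/path/edit": ["DENY"],
    "/path": ["sameorigin"],
    "/other/list": ["ALLOW-FROM http://www.mrhaki.com"],
    "/other/show": [],
    "/login": [],
}
PATTERNS = ["/path/*", "/other/*"]  # same form as grails.plugin.xframeoptions.urlPattern

def filter_applies(pattern, path):
    """Servlet URL-pattern matching, the syntax used for filter mappings."""
    if pattern.endswith("/*"):                 # path-prefix mapping, e.g. /path/*
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):               # extension mapping, e.g. *.gsp
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern                     # exact mapping

def assess(values):
    """Classify the X-Frame-Options values of one response (case-insensitive)."""
    seen = {v.strip().upper() for v in values}
    if not seen:
        return "MISSING"
    if len(seen) > 1:
        return "CONFLICTING"
    value = seen.pop()
    if value in ("DENY", "SAMEORIGIN"):
        return "OK"
    if re.fullmatch(r"ALLOW-FROM\s+\S+", value):
        return "OBSOLETE"                      # current browsers ignore ALLOW-FROM
    return "INVALID"

def audit(patterns, responses):
    """Return (path, verdict) for every response that is not protected."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    findings = []
    for path, values in responses.items():
        verdict = assess(values)
        if verdict == "MISSING" and not any(filter_applies(p, path) for p in patterns):
            verdict = "UNCOVERED"              # no configured pattern maps this path
        if verdict != "OK":
            findings.append((path, verdict))
    return findings

if __name__ == "__main__":
    for path, verdict in audit(PATTERNS, SAMPLE):
        print(f"{verdict:10} {path}")
```

MISSING on a path that a pattern covers means the filter did not run there; UNCOVERED means the configured patterns never reach that path.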