Class FrameOptionsConfig
java.lang.Object
io.camunda.security.configuration.headers.FrameOptionsConfig
Configures the X-Frame-Options header to prevent clickjacking attacks. Disabled by default to avoid breaking functionality, such as PDF preview in the Tasklist.
The X-Frame-Options header indicates whether a browser should be allowed to render a page in a frame, iframe, embed, or object. This prevents clickjacking attacks, where malicious sites trick users into clicking on hidden elements.
When enabled with the SAMEORIGIN value, pages can only be displayed in frames on the same origin. This allows legitimate same-origin framing while preventing cross-origin clickjacking.
Note: Modern applications should also use the Content-Security-Policy frame-ancestors directive, which provides more granular control and supersedes X-Frame-Options in supporting browsers. However, X-Frame-Options should still be included for compatibility with older browsers.
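The precedence described above (a CSP frame-ancestors directive overrides X-Frame-Options in browsers that support it; otherwise X-Frame-Options decides, and an absent header leaves the page frameable) as an added example that checks a response's headers. This is not Camunda's code; the header values and origins in the test are constructed samples.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    """Normalise a URL to its scheme://host[:port] origin (lower-cased)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def frame_ancestors(csp: Optional[str]) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    if not csp:
        return None
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # Keyword sources are quoted ('self', 'none'); host sources are not.
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def framing_allowed(headers: Dict[str, str], page_url: str, framer_url: str) -> bool:
    """Decide whether a document at framer_url may embed the page served at page_url."""
    # Header names are case-insensitive, so normalise before looking them up.
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = _origin(page_url), _origin(framer_url)

    ancestors = frame_ancestors(h.get("content-security-policy"))
    if ancestors is not None:
        # CSP governs and X-Frame-Options is ignored, whatever it says.
        if ancestors == ["none"]:
            return False
        # 'self' matches the page's own origin; other entries are explicit origins
        # (host wildcards such as *.example are deliberately not handled here).
        return any((src == "self" and framer == page) or src == framer for src in ancestors)

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":  # the mode this config emits when enabled
        return framer == page
    # No header (this config's default) or an unrecognised value: any site may frame the page.
    return True
```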
Constructor Summary
  FrameOptionsConfig()

Method Summary
  Modifier and Type   Method
  boolean             disabled()
  FrameOptionMode     getMode()
  boolean             isEnabled()
  void                setEnabled(boolean enabled)
  void                setMode(FrameOptionMode mode)

Constructor Details
  FrameOptionsConfig
    public FrameOptionsConfig()

Method Details
  isEnabled
    public boolean isEnabled()
  setEnabled
    public void setEnabled(boolean enabled)
  disabled
    public boolean disabled()
  getMode
    public FrameOptionMode getMode()
  setMode
    public void setMode(FrameOptionMode mode)