Grails X-Frame-Options Plugin

Filter to set HTTP response header X-Frame-Options to defend against ClickJacking.

More information about using X-Frame-Options for defending against clickjacking:

• OWASP - Defending with X-Frame-Options response headers

Installation

These instructions are targeted towards Grails 3 installations. For Grails 2.x refer to branch 1.x of the plugin.

Add a dependency to build.gradle:

...
dependencies {
    ...
    runtime ('org.grails.plugins:x-frame-options:1.1.2')
    ...
}
...

The default configuration installs a servlet filter for the URL pattern /* that adds a response header X-Frame-Options with the value DENY.

Configuration

The plugin is configured through grails-app/conf/application.yml.

We can limit the URL pattern the filter is applied to:

grails:
    plugin:
        xframeoptions:
            urlPattern: /path/*

We can also set multiple patterns:

grails:
    plugin:
        xframeoptions:
            urlPattern:
                - /path/*
                - /other/*

We can set different header values based on the configuration. To set the header value DENY we must use the following configuration:

grails:
    plugin:
        xframeoptions:
            deny: true

This is also the default value if no configuration is provided or no configuration options are set.

To set the header value SAMEORIGIN we must use the following configuration:

grails:
    plugin:
        xframeoptions:
            sameOrigin: true

To set the header value ALLOW-FROM with a URL we must use the following configuration:

grails:
    plugin:
        xframeoptions:
            allowFrom: http://www.mrhaki.com

To disable the filter we must use the following configuration option:

grails:
    plugin:
        xframeoptions:
            enabled: false

The filter is enabled by default and will use the DENY header value.