Servlet filter that adds an X-Frame-Options response header to defend against clickjacking.

Grails X-Frame-Options Plugin

Servlet filter that sets the HTTP response header X-Frame-Options to defend against clickjacking.

More information about using X-Frame-Options for defending against clickjacking:

Installation

These instructions are targeted towards Grails 3 installations. For Grails 2.x refer to branch 1.x of the plugin.

Add a dependency to build.gradle:

...
dependencies {
    ...
    runtime ('org.grails.plugins:x-frame-options:1.1.2')
    ...
}
...

The default configuration installs a servlet filter for the URL pattern /* that adds the response header X-Frame-Options with the value DENY to every response, so no page of the application can be rendered inside a frame on any origin, including its own.

Configuration

The plugin is configured through grails-app/conf/application.yml.

We can limit the URL pattern the filter is applied to:

grails:
    plugin:
        xframeoptions:
            urlPattern: /path/*

We can also set multiple patterns:

grails:
    plugin:
        xframeoptions:
            urlPattern:
                - /path/*
                - /other/*

We can set different header values based on the configuration. To set the header value DENY we must use the following configuration:

grails:
    plugin:
        xframeoptions:
            deny: true

DENY is also the default value when no configuration is provided or none of the header options is set.

To set the header value SAMEORIGIN we must use the following configuration:

grails:
    plugin:
        xframeoptions:
            sameOrigin: true

To set the header value ALLOW-FROM with a URL we must use the following configuration. Note that ALLOW-FROM was only ever implemented by Internet Explorer and older Firefox releases; Chrome and Safari never supported it, and a browser that does not understand the value ignores the whole header, so the page stays frameable there. For an allow-list of framing origins use the Content-Security-Policy frame-ancestors directive instead, which this plugin does not set.

grails:
    plugin:
        xframeoptions:
            allowFrom: http://www.mrhaki.com

To disable the filter we must use the following configuration option:

grails:
    plugin:
        xframeoptions:
            enabled: false

The filter is enabled by default and will use the DENY header value.
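After installing and configuring the plugin it is worth checking which paths the filter actually covers and whether the header a response carries is one browsers honour. The script below is an added example and not part of the plugin: it models servlet-style URL-pattern matching for the urlPattern setting (the exact-match, /path/* prefix and *.ext forms the servlet specification defines), classifies the anti-clickjacking headers found on a response (treating ALLOW-FROM as weak and a CSP frame-ancestors directive as overriding X-Frame-Options), and runs both over a constructed set of responses. The paths, headers and patterns are made up for illustration.

```python
"""Offline check of X-Frame-Options coverage for a servlet-filter deployment.

Added example, not the plugin's code. The sample patterns and responses
below are constructed; point the functions at real response headers
captured from your own application.
"""


def servlet_pattern_matches(pattern: str, path: str) -> bool:
    """Servlet filter-mapping semantics: '/' and '/*' match everything,
    '/path/*' is a path-prefix match on a segment boundary, '*.ext' is an
    extension match, anything else must match exactly."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def filter_covers(url_patterns, path: str) -> bool:
    """True when at least one configured urlPattern routes the path through the filter."""
    return any(servlet_pattern_matches(p, path) for p in url_patterns)


def csp_frame_ancestors(csp: str):
    """Return the source list of a frame-ancestors directive, or None if absent.
    An empty source list is equivalent to 'none' per the CSP specification."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def assess_framing(headers: dict) -> str:
    """Classify the clickjacking protection a response carries.

    'protected'   : CSP frame-ancestors without a wildcard, or X-Frame-Options DENY/SAMEORIGIN
    'weak'        : only ALLOW-FROM, which most browsers ignore, leaving the page frameable
    'unprotected' : nothing usable
    """
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = csp_frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        # Browsers that implement frame-ancestors ignore X-Frame-Options when it is present.
        return "unprotected" if "*" in ancestors else "protected"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected"
    if xfo.startswith("ALLOW-FROM"):
        return "weak"
    return "unprotected"


def audit(url_patterns, responses):
    """Map each path to (covered by the filter mapping?, header assessment)."""
    return {
        path: (filter_covers(url_patterns, path), assess_framing(headers))
        for path, headers in responses.items()
    }


# Constructed sample: the filter is mapped to two prefixes, as with
#   grails.plugin.xframeoptions.urlPattern: [/admin/*, /account/*]
SAMPLE_PATTERNS = ["/admin/*", "/account/*"]

# Constructed sample responses (header names deliberately vary in case).
SAMPLE_RESPONSES = {
    "/admin/users": {"X-Frame-Options": "DENY"},
    "/account/settings": {"x-frame-options": "SAMEORIGIN"},
    "/legacy/embed": {"X-Frame-Options": "ALLOW-FROM http://www.mrhaki.com"},
    "/public/index": {"Content-Type": "text/html"},
    "/widgets/frame": {"Content-Security-Policy": "default-src 'self'; frame-ancestors *"},
}


if __name__ == "__main__":
    for path, (covered, status) in audit(SAMPLE_PATTERNS, SAMPLE_RESPONSES).items():
        note = "" if covered else "  (outside configured urlPattern)"
        print(f"{path:20} {status:12}{note}")
```

Any path reported as weak or unprotected and also outside the configured urlPattern is a gap in the filter mapping rather than a browser issue; widen the pattern list or fall back to the default /*.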