Question
I was going through different solutions available for preventing clickjacking in a grails application. One of the solutions was using X-Frame. So, I found a grails plugin, X-Frame-Options Plugin, by mrhaki.
It is serving my purpose of adding a response header
X-Frame:DENY
to every response. Great!
I read there was a modern solution - Content-Security-Policy header. I'm unable to configure this for my Grails application. Could someone help?
Answer 1:
The X-Frame-Options plugin is simple and inserts a servlet filter to add a header to requests. For your situation I'd recommend creating your own servlet filter to add the Content-Security-Policy headers.
You can see an example here of how to add a header: https://github.com/mrhaki/grails-x-frame-options-plugin/blob/df230a9f01cd2e1c6ac4be6d9eac41fbcae48293/src/main/groovy/com/mrhaki/grails/plugin/xframeoptions/web/XFrameOptionsFilter.groovy#L69
Another option would be to use your web server in front of your app (apache httpd or nginx) to add the headers.
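The servlet-filter approach suggested above, written out as an added example (this is not code from the X-Frame-Options plugin or from the original answer). It assumes the javax.servlet API that Grails 2.5 ships with; the package name, the class name and the default policy string are constructed for illustration. The `frame-ancestors 'none'` directive is the Content-Security-Policy counterpart of `X-Frame-Options: DENY`, so keeping both headers covers browsers that only honour the older one.

```groovy
package example.security   // hypothetical package, chosen for this example

import javax.servlet.Filter
import javax.servlet.FilterChain
import javax.servlet.FilterConfig
import javax.servlet.ServletException
import javax.servlet.ServletRequest
import javax.servlet.ServletResponse
import javax.servlet.http.HttpServletResponse

/**
 * Adds a Content-Security-Policy header to every HTTP response.
 * frame-ancestors 'none' forbids any page from framing the application,
 * which is the CSP equivalent of X-Frame-Options: DENY.
 */
class ContentSecurityPolicyFilter implements Filter {

    static final String HEADER_NAME = 'Content-Security-Policy'

    // Constructed default policy; tighten or extend it for your own application.
    String policy = "default-src 'self'; frame-ancestors 'none'"

    @Override
    void init(FilterConfig config) throws ServletException {
        // Allow the policy to be overridden from the filter's init-param in web.xml
        String configured = config.getInitParameter('policy')
        if (configured) {
            policy = configured
        }
    }

    @Override
    void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse httpResponse = (HttpServletResponse) response
            // Set the header before the chain runs: once the response is committed
            // downstream, headers can no longer be changed. setHeader (not addHeader)
            // keeps a single value even if another filter already wrote one.
            httpResponse.setHeader(HEADER_NAME, policy)
        }
        chain.doFilter(request, response)
    }

    @Override
    void destroy() { }
}
```

To wire it into a Grails 2.5 application, run `grails install-templates`, then declare the filter in the generated `src/templates/war/web.xml` with a `<filter>` entry for this class (optionally carrying a `policy` init-param) and a `<filter-mapping>` with `<url-pattern>/*</url-pattern>`. A practical way to roll the policy out is to send it first as `Content-Security-Policy-Report-Only` and watch the violation reports; only once nothing legitimate is flagged switch the header name to `Content-Security-Policy` so that browsers actually enforce it.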
Source: https://stackoverflow.com/questions/49357233/configuring-content-security-policy-header-for-grails-2-5-application