December 17, 2013

Grails Plugin: Servlet Filter to Add X-Frame-Options Response Header

The Grails plugin X-Frame-Options adds a new servlet filter to our Grails application. The servlet filter adds the X-Frame-Options response header, which is used to defend against clickjacking. If we set the value to DENY, our Grails application cannot be loaded inside an iframe. The value SAMEORIGIN allows only pages on the same site to include the application inside an iframe. We can also set the header value ALLOW-FROM {origin} so that only pages on the {origin} website can include the application in an iframe. The plugin lets us set these values through configuration options in our grails-app/conf/Config.groovy file.

The plugin's code is hosted on GitHub, and the repository also contains the documentation.
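To show what a filter of this kind does, here is an added example in Groovy; it is not the plugin's source code. The class name `FrameOptionsFilter` and the init-param names `mode` and `origin` are hypothetical, and the filter validates the configured value once at startup so a malformed origin never reaches the response header.

```groovy
import javax.servlet.Filter
import javax.servlet.FilterChain
import javax.servlet.FilterConfig
import javax.servlet.ServletException
import javax.servlet.ServletRequest
import javax.servlet.ServletResponse
import javax.servlet.http.HttpServletResponse

// Added illustration, not the plugin's source.
// The init-param names 'mode' and 'origin' are hypothetical.
class FrameOptionsFilter implements Filter {
    private String headerValue

    void init(FilterConfig config) throws ServletException {
        String mode = (config.getInitParameter('mode') ?: 'DENY').trim().toUpperCase()
        switch (mode) {
            case ['DENY', 'SAMEORIGIN']:
                headerValue = mode
                break
            case 'ALLOW-FROM':
                // ALLOW-FROM is obsolete and ignored by current browsers; the
                // Content-Security-Policy frame-ancestors directive replaces it.
                headerValue = 'ALLOW-FROM ' + checkedOrigin(config.getInitParameter('origin'))
                break
            default:
                throw new ServletException('Unsupported X-Frame-Options value: ' + mode)
        }
    }

    // Accept only scheme://host[:port]. URI parsing rejects CR/LF and spaces,
    // so a bad configuration value cannot split the response header.
    private static String checkedOrigin(String origin) throws ServletException {
        try {
            URI uri = new URI(origin ?: '')
            boolean extra = uri.rawPath || uri.rawQuery || uri.rawFragment || uri.rawUserInfo
            if (uri.scheme in ['http', 'https'] && uri.host && !extra) {
                return uri.toString()
            }
        } catch (URISyntaxException ignored) { }
        throw new ServletException('ALLOW-FROM needs an origin such as https://example.com')
    }

    void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Set the header before the chain runs; once the response is committed it is too late.
        if (response instanceof HttpServletResponse) {
            ((HttpServletResponse) response).setHeader('X-Frame-Options', headerValue)
        }
        chain.doFilter(request, response)
    }

    void destroy() { }
}
```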