Search

X-Frame-Options may only be se via an HTTP header sen along with a document.

νƒœκ·Έ
html

X-Frame-Options 와 Spring security

μ›Ήμ†ŒμΌ“μ„ μ΄μš©ν•΄ μ‹€μ‹œκ°„ μ±„νŒ… ν”„λ‘œκ·Έλž¨μ„ λ§Œλ“€μ—ˆλŠ”λ°, μ‹€ν–‰ν•΄λ³΄λ‹ˆ λ‹€μŒκ³Ό 같은 μ—λŸ¬κ°€ λ‚˜νƒ€λ‚¬μŠ΅λ‹ˆλ‹€. 이유λ₯Ό μ°Ύμ•„λ³΄λ‹ˆ spring security 버전 4.0.x 이상 λΆ€ν„°λŠ” 기본적으둜 X-Frame-Options Click jacking 곡격을 λ§‰μ•„μ£ΌλŠ” 섀정을 ν•˜λ„λ‘ λ˜μ–΄μžˆκΈ° λ•Œλ¬Έμ΄μ˜€μŠ΅λ‹ˆλ‹€.
Click jacking κ³΅κ²©μ΄λž€?
Clickjacking
Clickjacking is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages.
https://en.wikipedia.org/wiki/Clickjacking
κ°„λ‹¨νžˆ λ§ν•˜λ©΄ μ–΄λ–€ μ›Ή νŽ˜μ΄μ§€ ν˜Ήμ€ λ²„νŠΌμ„ ν΄λ¦­ν•˜μ§€λ§Œ μ‹€μ œλ‘œλŠ” λ‹€λ₯Έ νŽ˜μ΄μ§€μ˜ 컨텐츠λ₯Ό ν΄λ¦­ν•˜κ²Œλ˜λŠ” 것을 λ§ν•©λ‹ˆλ‹€.

ν•΄κ²°λ°©μ•ˆ

X-Frame-Options μ’…λ₯˜λ‘œλŠ” μ•„λž˜ 3가지가 μžˆμŠ΅λ‹ˆλ‹€.
β€’
DENY : ν•΄λ‹Ή νŽ˜μ΄μ§€λŠ” frame 을 ν‘œμ‹œν•  수 μ—†μŒ (μ—λŸ¬μ˜ 원인)
β€’
SAMEORIGIN : ν•΄λ‹Ή νŽ˜μ΄μ§€μ™€ λ™μΌν•œ origin 에 ν•΄λ‹Ήν•˜λŠ” frame 만 ν‘œμ‹œκ°€λŠ₯
β€’
ALLOW-FROM uri : ν•΄λ‹Ή νŽ˜μ΄μ§€λŠ” μ§€μ •λœ origin 에 ν•΄λ‹Ήν•˜λŠ” frame 만 ν‘œμ‹œ
저희 ν”„λ‘œμ νŠΈμ˜ 경우 μŠ€ν”„λ§ μ‹œνλ¦¬ν‹° 5.7.6 버전을 μ“°κ³ μžˆκΈ° λ•Œλ¬Έμ— 이런 μ—λŸ¬κ°€ λ°œμƒν–ˆκ³ , μ΄μ€‘μ—μ„œ λ‘λ²ˆμ§Έ μ˜΅μ…˜μ„ μ΄μš©ν•˜μ—¬ ν•΄κ²°ν•˜μ˜€μŠ΅λ‹ˆλ‹€.