Expected Behavior

Get detailed information about when to use .headers().frameOptions().disable(), how it works, and its impact on other security settings when it is used.

All is mentioned here:

Current Behavior

It seems there is no detailed information available to get more details from.

Context

It is not clear when it is mandatory to use and whether it affects other configurations, mostly regarding these three points:

  1. How does .headers().frameOptions().disable() work?
  2. Is it safe to use that statement in a production environment? Consider the difference between .csrf().ignoringAntMatchers("/h2-console/**") and csrf().disable(), where the former is specific and the latter is "global" (and is not recommended). Therefore, perhaps a specific configuration is available that is much better than .headers().frameOptions().disable() (which at first glance seems to me to be a "global" configuration) and applies only to /h2-console/.
  3. Could .headers().frameOptions().disable() have any negative effect, directly or indirectly, on other configure(HttpSecurity http) configuration? (Mostly for production.)

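The following is an added example, not code from the original issue or from the Spring Security project, illustrating the scoped alternative the second point asks about. It assumes Spring Security 5.x with WebSecurityConfigurerAdapter (the era of the configure(HttpSecurity http) style used above), an H2 console served under /h2-console/, and a hypothetical ADMIN role. The point it shows: .headers().frameOptions().disable() removes the X-Frame-Options header writer for every response the chain handles, so the browser applies no framing restriction at all; using a second, ordered HttpSecurity scoped with antMatcher("/h2-console/**") keeps that relaxation (and the CSRF exemption) limited to the console path while every other request keeps the default X-Frame-Options: DENY. Because the H2 console only needs to frame its own pages, sameOrigin() is enough there and the header is still emitted.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

/**
 * Added example (not the project's own code). Two HttpSecurity chains:
 * the first is limited to /h2-console/** and relaxes frame options and
 * CSRF only there; the second keeps Spring Security's defaults for
 * everything else (X-Frame-Options: DENY, CSRF enforced).
 */
@EnableWebSecurity
public class ScopedFrameOptionsConfig {

    /**
     * Chain 1: consulted first because of @Order(1). antMatcher(...) scopes
     * the WHOLE chain, so nothing configured here leaks to other paths.
     */
    @Configuration
    @Order(1)
    public static class H2ConsoleSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // Only requests under /h2-console/** are handled by this chain.
                .antMatcher("/h2-console/**")
                // Assumption: the console is restricted to a hypothetical ADMIN role.
                .authorizeRequests(authz -> authz.anyRequest().hasRole("ADMIN"))
                // Specific CSRF exemption, as in the issue text, not csrf().disable().
                .csrf(csrf -> csrf.ignoringAntMatchers("/h2-console/**"))
                // The H2 console frames its own pages, so SAMEORIGIN suffices.
                // Unlike disable(), the header is still written; it just
                // permits same-origin framing instead of denying all framing.
                .headers(headers -> headers.frameOptions(frame -> frame.sameOrigin()));
        }
    }

    /**
     * Chain 2: no antMatcher, so it matches every request chain 1 did not.
     * Headers are left at their defaults, so X-Frame-Options: DENY is sent.
     */
    @Configuration
    @Order(2)
    public static class DefaultSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests(authz -> authz.anyRequest().authenticated())
                .formLogin();
        }
    }
}
```

To verify the scoping after starting the application, request a console page and any other page with a client that shows response headers (for example curl -I against each path): the /h2-console/ response should carry X-Frame-Options: SAMEORIGIN, every other response X-Frame-Options: DENY. Had the single-chain .headers().frameOptions().disable() been used instead, the header would be absent from both, which is exactly the "global" effect the question is worried about.
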
Comment From: rwinch

Please see https://docs.spring.io/spring-security/site/docs/current/reference/html5/#headers-frame-options