mirror of
https://github.com/arsvendg/Stirling-PDF.git
synced 2026-07-16 19:33:11 +02:00
xframe fix new (#5580)
# Description of Changes <!-- Please provide a summary of the changes, including: - What was changed - Why the change was made - Any challenges encountered Closes #(issue_number) --> --- ## Checklist ### General - [ ] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [ ] I have read the [Stirling-PDF Developer Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md) (if applicable) - [ ] I have read the [How to add new languages to Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md) (if applicable) - [ ] I have performed a self-review of my own code - [ ] My changes generate no new warnings ### Documentation - [ ] I have updated relevant docs on [Stirling-PDF's doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) (if functionality has heavily changed) - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only) ### Translations (if applicable) - [ ] I ran [`scripts/counter_translation.py`](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/docs/counter_translation.md) ### UI Changes (if applicable) - [ ] Screenshots or videos demonstrating the UI changes are attached (e.g., as comments or direct attachments in the PR) ### Testing (if applicable) - [ ] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing) for more details.
This commit is contained in:
@@ -164,6 +164,7 @@ public class ApplicationProperties {
|
|||||||
private String customGlobalAPIKey;
|
private String customGlobalAPIKey;
|
||||||
private Jwt jwt = new Jwt();
|
private Jwt jwt = new Jwt();
|
||||||
private Validation validation = new Validation();
|
private Validation validation = new Validation();
|
||||||
|
private String xFrameOptions = "DENY";
|
||||||
|
|
||||||
public Boolean isAltLogin() {
|
public Boolean isAltLogin() {
|
||||||
return saml2.getEnabled() || oauth2.getEnabled();
|
return saml2.getEnabled() || oauth2.getEnabled();
|
||||||
|
|||||||
@@ -81,6 +81,7 @@ security:
|
|||||||
revocation:
|
revocation:
|
||||||
mode: none # Revocation checking mode: 'none' (disabled), 'ocsp' (OCSP only), 'crl' (CRL only), 'ocsp+crl' (OCSP with CRL fallback)
|
mode: none # Revocation checking mode: 'none' (disabled), 'ocsp' (OCSP only), 'crl' (CRL only), 'ocsp+crl' (OCSP with CRL fallback)
|
||||||
hardFail: false # Fail validation if revocation status cannot be determined (true=strict, false=soft-fail)
|
hardFail: false # Fail validation if revocation status cannot be determined (true=strict, false=soft-fail)
|
||||||
|
xFrameOptions: DENY # X-Frame-Options header value. Options: 'DENY' (default, prevents all framing), 'SAMEORIGIN' (allows framing from same domain), 'DISABLED' (no X-Frame-Options header sent). Note: automatically set to DISABLED when login is disabled
|
||||||
|
|
||||||
premium:
|
premium:
|
||||||
key: 00000000-0000-0000-0000-000000000000
|
key: 00000000-0000-0000-0000-000000000000
|
||||||
|
|||||||
+25
@@ -201,6 +201,31 @@ public class SecurityConfiguration {
|
|||||||
|
|
||||||
http.csrf(CsrfConfigurer::disable);
|
http.csrf(CsrfConfigurer::disable);
|
||||||
|
|
||||||
|
// Configure X-Frame-Options based on settings.yml configuration
|
||||||
|
// When login is disabled, automatically disable X-Frame-Options to allow embedding
|
||||||
|
if (!loginEnabledValue) {
|
||||||
|
http.headers(headers -> headers.frameOptions(frameOptions -> frameOptions.disable()));
|
||||||
|
} else {
|
||||||
|
String xFrameOption = securityProperties.getXFrameOptions();
|
||||||
|
if (xFrameOption != null) {
|
||||||
|
http.headers(headers -> {
|
||||||
|
if ("DISABLED".equalsIgnoreCase(xFrameOption)) {
|
||||||
|
headers.frameOptions(frameOptions -> frameOptions.disable());
|
||||||
|
} else if ("SAMEORIGIN".equalsIgnoreCase(xFrameOption)) {
|
||||||
|
headers.frameOptions(frameOptions -> frameOptions.sameOrigin());
|
||||||
|
} else {
|
||||||
|
// Default to DENY
|
||||||
|
headers.frameOptions(frameOptions -> frameOptions.deny());
|
||||||
|
}
|
||||||
|
});
|
||||||
|
} else {
|
||||||
|
// If not configured, use default DENY
|
||||||
|
http.headers(headers ->
|
||||||
|
headers.frameOptions(frameOptions -> frameOptions.deny())
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (loginEnabledValue) {
|
if (loginEnabledValue) {
|
||||||
|
|
||||||
http.addFilterBefore(
|
http.addFilterBefore(
|
||||||
|
|||||||
@@ -4527,6 +4527,13 @@ description = "Maximum number of failed login attempts before account lockout"
|
|||||||
label = "Login Reset Time (minutes)"
|
label = "Login Reset Time (minutes)"
|
||||||
description = "Time before failed login attempts are reset"
|
description = "Time before failed login attempts are reset"
|
||||||
|
|
||||||
|
[admin.settings.security.xFrameOptions]
|
||||||
|
label = "X-Frame-Options"
|
||||||
|
description = "Controls whether the application can be embedded in iframes"
|
||||||
|
deny = "Deny (Prevents all framing)"
|
||||||
|
sameorigin = "Same Origin (Allow framing from same domain)"
|
||||||
|
disabled = "Disabled (No X-Frame-Options header)"
|
||||||
|
|
||||||
[admin.settings.security.csrfDisabled]
|
[admin.settings.security.csrfDisabled]
|
||||||
label = "Disable CSRF Protection"
|
label = "Disable CSRF Protection"
|
||||||
description = "Disable Cross-Site Request Forgery protection (not recommended)"
|
description = "Disable Cross-Site Request Forgery protection (not recommended)"
|
||||||
|
|||||||
+23
@@ -16,6 +16,7 @@ interface SecuritySettingsData {
|
|||||||
loginMethod?: string;
|
loginMethod?: string;
|
||||||
loginAttemptCount?: number;
|
loginAttemptCount?: number;
|
||||||
loginResetTimeMinutes?: number;
|
loginResetTimeMinutes?: number;
|
||||||
|
xFrameOptions?: string;
|
||||||
jwt?: {
|
jwt?: {
|
||||||
persistence?: boolean;
|
persistence?: boolean;
|
||||||
enableKeyRotation?: boolean;
|
enableKeyRotation?: boolean;
|
||||||
@@ -125,6 +126,7 @@ export default function AdminSecuritySection() {
|
|||||||
'security.loginMethod': securitySettings.loginMethod,
|
'security.loginMethod': securitySettings.loginMethod,
|
||||||
'security.loginAttemptCount': securitySettings.loginAttemptCount,
|
'security.loginAttemptCount': securitySettings.loginAttemptCount,
|
||||||
'security.loginResetTimeMinutes': securitySettings.loginResetTimeMinutes,
|
'security.loginResetTimeMinutes': securitySettings.loginResetTimeMinutes,
|
||||||
|
'security.xFrameOptions': securitySettings.xFrameOptions,
|
||||||
// JWT settings
|
// JWT settings
|
||||||
'security.jwt.persistence': securitySettings.jwt?.persistence,
|
'security.jwt.persistence': securitySettings.jwt?.persistence,
|
||||||
'security.jwt.enableKeyRotation': securitySettings.jwt?.enableKeyRotation,
|
'security.jwt.enableKeyRotation': securitySettings.jwt?.enableKeyRotation,
|
||||||
@@ -280,6 +282,27 @@ export default function AdminSecuritySection() {
|
|||||||
disabled={!loginEnabled}
|
disabled={!loginEnabled}
|
||||||
/>
|
/>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
|
<div>
|
||||||
|
<Select
|
||||||
|
label={
|
||||||
|
<Group gap="xs">
|
||||||
|
<span>{t('admin.settings.security.xFrameOptions.label', 'X-Frame-Options')}</span>
|
||||||
|
<PendingBadge show={isFieldPending('xFrameOptions')} />
|
||||||
|
</Group>
|
||||||
|
}
|
||||||
|
description={t('admin.settings.security.xFrameOptions.description', 'Controls whether the application can be embedded in iframes')}
|
||||||
|
value={settings?.xFrameOptions || 'DENY'}
|
||||||
|
onChange={(value) => setSettings({ ...settings, xFrameOptions: value || 'DENY' })}
|
||||||
|
data={[
|
||||||
|
{ value: 'DENY', label: t('admin.settings.security.xFrameOptions.deny', 'Deny (Prevents all framing)') },
|
||||||
|
{ value: 'SAMEORIGIN', label: t('admin.settings.security.xFrameOptions.sameorigin', 'Same Origin (Allow framing from same domain)') },
|
||||||
|
{ value: 'DISABLED', label: t('admin.settings.security.xFrameOptions.disabled', 'Disabled (No X-Frame-Options header)') },
|
||||||
|
]}
|
||||||
|
comboboxProps={{ zIndex: 1400 }}
|
||||||
|
disabled={!loginEnabled}
|
||||||
|
/>
|
||||||
|
</div>
|
||||||
</Stack>
|
</Stack>
|
||||||
</Paper>
|
</Paper>
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user