Clickjacking in Spring Boot
How Clickjacking Manifests in Spring Boot
Clickjacking attacks exploit the ability to embed a Spring Boot application within an iframe on a malicious site, tricking users into interacting with elements they cannot see. In Spring Boot applications, this vulnerability typically appears in endpoints that return HTML without anti-framing headers. For example, a Thymeleaf template rendering a form without an X-Frame-Options header can be loaded inside a zero-opacity iframe on an attacker's site. The attacker then overlays convincing UI elements on top, so users believe they are clicking a 'Download' button when they are actually submitting a legitimate form, complete with its valid CSRF token, or transferring funds through a hidden banking endpoint.
A plain Spring Boot application does not set X-Frame-Options headers by default, which makes this a common oversight. Applications using Spring Security 5.7+ have improved defaults, but many still expose endpoints that should never be framed. REST controllers returning JSON can also be affected if they trigger state-changing operations without proper CSRF protection, since an attacker can use clickjacking to trick users into submitting those requests. The combination of Spring Boot's auto-configuration convenience and developers' focus on functionality over security often leaves these headers missing in production deployments.
Spring Boot-Specific Detection
Detecting clickjacking in Spring Boot applications requires examining both the HTTP response headers and the application's configuration. Using middleBrick's API security scanner, you can identify missing X-Frame-Options or Content-Security-Policy frame-ancestors directives across all endpoints. The scanner tests each URL by attempting to frame it and checking for the presence of anti-framing headers. For Spring Boot specifically, middleBrick analyzes your application's security configuration, including any custom WebSecurityConfigurerAdapter implementations that might override default security settings.
# Scan your Spring Boot API with middleBrick
middlebrick scan https://yourapp.com/api/user/profile
The scanner also examines OpenAPI specifications if provided, identifying endpoints that return HTML or have state-changing operations that could be exploited through clickjacking. middleBrick's LLM security module can detect if your Spring Boot application includes AI endpoints that might be vulnerable to prompt injection when framed. For comprehensive testing, middleBrick's continuous monitoring feature (Pro plan) can periodically rescan your endpoints, alerting you if new routes are added without proper anti-framing protections.
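The header evaluation that any such check has to perform is shown below as an added example; it is not code from this article or from the middleBrick scanner. It applies the precedence rules current browsers follow: a Content-Security-Policy frame-ancestors directive is authoritative and makes X-Frame-Options irrelevant, and X-Frame-Options only protects when every copy of the header agrees on DENY or SAMEORIGIN (the obsolete ALLOW-FROM form is ignored). The sample responses in main are constructed, not captured from a real host.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Added example: decides whether one HTTP response is protected from cross-origin framing. */
public class FramingHeaderCheck {

    /** Outcome for one response and the header that decided it. */
    public record Verdict(boolean protectedFromFraming, String reason) {}

    public static Verdict evaluate(Map<String, List<String>> headers) {
        // 1. CSP frame-ancestors, when present, is authoritative: browsers then ignore X-Frame-Options.
        for (String policy : valuesOf(headers, "Content-Security-Policy")) {
            for (String directive : policy.split(";")) {
                String[] parts = directive.trim().split("\\s+");
                if (!parts[0].equalsIgnoreCase("frame-ancestors")) {
                    continue;
                }
                Set<String> sources = new LinkedHashSet<>();
                for (int i = 1; i < parts.length; i++) {
                    sources.add(parts[i].toLowerCase(Locale.ROOT));
                }
                // Conservative: an empty or wildcard source list is reported as unprotected.
                if (sources.isEmpty() || sources.contains("*")
                        || sources.contains("https:") || sources.contains("http:")) {
                    return new Verdict(false, "CSP frame-ancestors permits any origin: " + directive.trim());
                }
                // 'none', 'self' or an explicit origin allowlist all exclude arbitrary third-party sites.
                return new Verdict(true, "CSP " + directive.trim());
            }
        }

        // 2. Fall back to X-Frame-Options. Every occurrence and comma-separated value is collected,
        //    because browsers treat disagreeing values as an invalid header and ignore it.
        Set<String> xfo = new LinkedHashSet<>();
        for (String value : valuesOf(headers, "X-Frame-Options")) {
            for (String v : value.split(",")) {
                if (!v.isBlank()) {
                    xfo.add(v.trim().toUpperCase(Locale.ROOT));
                }
            }
        }
        if (xfo.isEmpty()) {
            return new Verdict(false, "no X-Frame-Options and no CSP frame-ancestors");
        }
        if (xfo.size() > 1) {
            return new Verdict(false, "conflicting X-Frame-Options values, ignored by browsers: " + xfo);
        }
        String only = xfo.iterator().next();
        if (only.equals("DENY") || only.equals("SAMEORIGIN")) {
            return new Verdict(true, "X-Frame-Options " + only);
        }
        // ALLOW-FROM is obsolete and unsupported by current browsers; anything else is invalid.
        return new Verdict(false, "unsupported or invalid X-Frame-Options value: " + only);
    }

    /** Case-insensitive lookup of every value of one header name. */
    private static List<String> valuesOf(Map<String, List<String>> headers, String name) {
        return headers.entrySet().stream()
                .filter(e -> e.getKey() != null && e.getKey().equalsIgnoreCase(name))
                .flatMap(e -> e.getValue().stream())
                .toList();
    }

    public static void main(String[] args) {
        // Constructed sample responses; the values illustrate cases, they are not from a real deployment.
        Map<String, Map<String, List<String>>> samples = Map.of(
            "plain Spring Boot, no Spring Security", Map.of("Content-Type", List.of("text/html")),
            "Spring Security default", Map.of("X-Frame-Options", List.of("DENY")),
            "CSP allowlist only", Map.of("Content-Security-Policy",
                                         List.of("default-src 'self'; frame-ancestors 'self'")),
            "two filters disagreeing", Map.of("X-Frame-Options", List.of("DENY", "SAMEORIGIN")),
            "permissive CSP overrides XFO", Map.of("X-Frame-Options", List.of("DENY"),
                                                  "Content-Security-Policy", List.of("frame-ancestors *")));
        samples.forEach((label, headers) -> {
            Verdict v = evaluate(headers);
            System.out.printf("%-40s %s (%s)%n", label,
                    v.protectedFromFraming() ? "protected" : "FRAMEABLE", v.reason());
        });
    }
}
```

The "two filters disagreeing" case is the one most often introduced by remediation itself: a hand-written filter emitting SAMEORIGIN next to Spring Security's DENY produces a header browsers discard, so the endpoint ends up frameable despite two attempts to protect it.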
Spring Boot-Specific Remediation
Spring Boot provides several approaches to prevent clickjacking, the most straightforward being the X-Frame-Options header. For Spring Boot applications using Spring Security, add this configuration to your WebSecurityConfigurerAdapter (this adapter style is deprecated since Spring Security 5.7 and removed in 6.0, where the same options are set on a SecurityFilterChain bean):
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Sends X-Frame-Options: DENY on every response handled by this filter chain
        http.headers().frameOptions().deny();
        http.authorizeRequests()
            .antMatchers("/").permitAll()
            .anyRequest().authenticated();
    }
}
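The same policy expressed for Spring Security 6 (Spring Boot 3), where WebSecurityConfigurerAdapter no longer exists, is shown below as an added example rather than code from the article. It assumes the Spring Security 6 lambda DSL and sets both the legacy X-Frame-Options header and the Content-Security-Policy frame-ancestors directive, so old and current browsers are covered by one configuration; the "/" path rule mirrors the adapter example above.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

/** Added example: anti-framing headers on Spring Security 6, no adapter subclass needed. */
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .headers(headers -> headers
                // X-Frame-Options: DENY for browsers that still consult the legacy header
                .frameOptions(frame -> frame.deny())
                // Current browsers evaluate frame-ancestors first and ignore X-Frame-Options when present,
                // so the CSP directive is the one that actually decides; keep both in agreement
                .contentSecurityPolicy(csp -> csp.policyDirectives("frame-ancestors 'none'")))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/").permitAll()
                .anyRequest().authenticated());
        return http.build();
    }
}
```

If some pages must be embeddable by your own site, use frame-ancestors 'self' together with frameOptions sameOrigin() rather than disabling either header; an explicit origin allowlist in frame-ancestors is the only supported way to permit a specific partner origin, since ALLOW-FROM is not honoured by current browsers.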
For applications not using Spring Security, you can add a filter that sets the X-Frame-Options header globally:
import java.io.IOException;
import javax.servlet.Filter;            // jakarta.servlet.* on Spring Boot 3
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;

@Component
public class XFrameOptionsFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse httpResp = (HttpServletResponse) response;
            // setHeader, not addHeader: a second copy with a different value makes browsers discard the header
            httpResp.setHeader("X-Frame-Options", "DENY");
        }
        chain.doFilter(request, response);   // header is in place before any handler writes the body
    }
}
The Content-Security-Policy frame-ancestors directive provides more granular control than X-Frame-Options and is recommended for modern Spring Boot applications (the controller example below sets both headers). If you register the filter through a FilterRegistrationBean instead of annotating it with @Component, you can also restrict it to specific URL patterns:
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class FilterConfig {   // a second class named SecurityConfig would clash with the one above

    @Bean
    public FilterRegistrationBean<XFrameOptionsFilter> xFrameOptionsFilter() {
        // When the filter is registered here, drop @Component from the filter class,
        // otherwise Spring Boot registers it a second time for every URL
        FilterRegistrationBean<XFrameOptionsFilter> registrationBean =
                new FilterRegistrationBean<>();
        registrationBean.setFilter(new XFrameOptionsFilter());
        registrationBean.addUrlPatterns("/api/*");   // header applied only under these paths
        return registrationBean;
    }
}
For Spring Boot applications using Thymeleaf or other template engines, ensure your controller methods include the appropriate headers (a filter or Spring Security setting is harder to forget on a new route, but per-controller headers work where neither is available):
import javax.servlet.http.HttpServletResponse;   // jakarta.servlet.http on Spring Boot 3
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class UserController {

    @GetMapping("/profile")
    public String userProfile(Model model, HttpServletResponse response) {
        // Legacy header for older browsers plus the CSP directive current browsers consult first
        response.setHeader("X-Frame-Options", "DENY");
        response.setHeader("Content-Security-Policy", "frame-ancestors 'none'");
        // ... rest of method
        return "profile";
    }
}