This article covers configuring the Content-Security-Policy header for a Grails 2.5 application.

Problem description

I was going through different solutions available for preventing clickjacking in a Grails application. One of the solutions was using X-Frame. So, I found a Grails plugin, X-Frame-Options Plugin, by mrhaki.

It is serving my purpose of adding a response header to every response. Great!

I read there was a modern solution - Content-Security-Policy header. I'm unable to configure this for my Grails application. Could someone help?

Recommended answer

The X-Frame-Options plugin is simple and inserts a servlet filter to add a header to requests. For your situation I'd recommend creating your own servlet filter to add the Content-Security-Policy headers.

You can see an example here of how to add a header: https://github.com/mrhaki/grails-x-frame-options-plugin/blob/df230a9f01cd2e1c6ac4be6d9eac41fbcae48293/src/main/groovy/com/mrhaki/grails/plugin/xframeoptions/web/XFrameOptionsFilter.groovy#L69

Another option would be to use your web server in front of your app (Apache httpd or nginx) to add the headers.
