By default X-Frame-Optionsis set to denied, to prevent clickHymaningattacks. To override this, you can add the following into your spring security config

默认X-Frame-Options设置为拒绝，以防止点击劫持攻击。要覆盖它，您可以将以下内容添加到您的 spring 安全配置中

<http>    
    <headers>
        <frame-options policy="SAMEORIGIN"/>
    </headers>
</http>

Here are available options for policy

以下是可用的政策选项

• DENY- is a default value. With this the page cannot be displayed in a frame, regardless of the site attempting to do so.
• SAMEORIGIN- I assume this is what you are looking for, so that the page will be (and can be) displayed in a frame on the same origin as the page itself
• ALLOW-FROM- Allows you to specify an origin, where the page can be displayed in a frame.

• DENY- 是默认值。有了这个，页面不能显示在框架中，无论站点试图这样做。
• SAMEORIGIN- 我假设这就是您要查找的内容，以便页面将（并且可以）显示在与页面本身相同的框架中
• ALLOW-FROM- 允许您指定一个原点，页面可以显示在一个框架中。

For more information take a look here.

有关更多信息，请查看此处。

And hereto check how you can configure the headers using either XML or Java configs.

而在这里检查如何使用XML或Java的CONFIGS配置的标头。

Note, that you might need also to specify appropriate strategy, based on needs.

请注意，您可能还需要strategy根据需要指定适当的。

If you're using Java configs instead of XML configs, put this in your WebSecurityConfigurerAdapter.configure(HttpSecurity http)method:

如果您使用 Java 配置而不是 XML 配置，请将其放入您的WebSecurityConfigurerAdapter.configure(HttpSecurity http)方法中：

http.headers().frameOptions().disable();

Most likely you don't want to deactivate this Header completely, but use SAMEORIGIN. If you are using the Java Configs (Spring Boot) and would like to allow the X-Frame-Options: SAMEORIGIN, then you would need to use the following.

您很可能不想完全停用此 Header，而是使用SAMEORIGIN. 如果您正在使用 Java Configs ( Spring Boot) 并希望允许 X-Frame-Options: SAMEORIGIN，那么您需要使用以下内容。

For older Spring Security versions:

对于较旧的 Spring Security 版本：

http
   .headers()
       .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsHeaderWriter.XFrameOptionsMode.SAMEORIGIN))

For newer versions like Spring Security 4.0.2:

对于较新的版本，如Spring Security 4.0.2：

http
   .headers()
      .frameOptions()
         .sameOrigin();

If using XML configuration you can use

如果使用 XML 配置，您可以使用

<beans xmlns="http://www.springframework.org/schema/beans" 
       xmlns:security="http://www.springframework.org/schema/security"> 
<security:http>
    <security:headers>
         <security:frame-options disabled="true"></security:frame-options>
    </security:headers>
</security:http>
</beans>

If you're using Spring Boot, the simplest way to disable the Spring Security default headers is to use security.headers.*properties. In particular, if you want to disable the X-Frame-Optionsdefault header, just add the following to your application.properties:

如果您使用 Spring Boot，禁用 Spring Security 默认标头的最简单方法是使用security.headers.*属性。特别是，如果您想禁用X-Frame-Options默认标头，只需将以下内容添加到您的application.properties:

security.headers.frame=false

There is also security.headers.cache, security.headers.content-type, security.headers.hstsand security.headers.xssproperties that you can use. For more information, take a look at SecurityProperties.

还有security.headers.cache，security.headers.content-type，security.headers.hsts和security.headers.xss属性，您可以使用。有关更多信息，请查看SecurityProperties。

If you are using Spring Security's Java configuration, all of the default security headers are added by default. They can be disabled using the Java configuration below:

如果您使用的是 Spring Security 的 Java 配置，则默认情况下会添加所有默认安全标头。可以使用以下 Java 配置禁用它们：

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends
   WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http
      .headers().disable()
      ...;
  }
}