Change headers for dynamic resource?

Is it possible to change the response headers of a dynamic resource?

In my case I am adding an iframe and setting the src to my HTML file (the dynamic resource). However, my customer on Vaadin 14, when using this code, experiences "Refused to display 'http://localhost:9090/' in a frame because it set 'X-Frame-Options' to 'deny'." and thus the content of the iframe fails to display.
Now, as a workaround for this, I thought of changing that header from deny to same origin. Can someone help me with this?

I am using Vaadin 22 and not experiencing this issue. Should I force my customer to simply upgrade? Or can you guys update Vaadin 14 and set that header to same origin by default?

I doubt that Vaadin is setting that header; sounds like Spring Boot or some other in-between stack you are using… If you can’t change that value in your app, the reverse proxy in front can always overwrite it.

(upgrading is nevertheless the best option)

@quirky-zebra Yes, found it, it's Spring Boot: https://docs.spring.io/spring-security/reference/features/exploits/headers.html

Not sure why they set it to deny though, instead of same origin.

Security.

But it's a bit overprotective if you don't trust the iframes of your own developers.

Security should be based on Zero Trust - even my own developers are not trustworthy.

True, but creating a clickjacking iframe must be very obvious.

Just saw that it's possible via an invisible overlay, damn.