I already configured webSecurity like suggested here:
https://stackoverflow.com/questions/28647136/how-to-disable-x-frame-options-response-header-in-spring-security
and even tried workarounds from here:
https://github.com/spring-projects/spring-security/issues/8371
but it still says it's set to deny whenever I try to do
<iframe src="/books/${this.book.bookId}.pdf" style="width:100%; height:100%;" frameborder="0"></iframe>
could Cloudflare be messing with it?
Otherwise the code from Stack Overflow is correct, which you could easily verify locally by accessing the app via browser and taking a look at the sent HTTP headers
I enabled “developer mode” (which is supposed to turn off all their stuff) but that didn't change anything
also couldn't find anything related to headers in the Cloudflare control panel
and not many questions about that online either so idk
Cloudflare should have a Rules category where you can e.g. modify headings to your liking called “Transform Rules” - at least it had in the past
I see the section, but there are no explicit rules set for that
I tried creating my own to force it into SAMEORIGIN
but that didn't seem to work
Did you check if it was applied?
well it should be, given how I indiscriminately apply it to all requests now

Test with your app and take a look at what F12 / Developer console shows as the header sent in the network tab for the problematic iframe resource
I have a feeling that the request / response was cached looking at the 200 from above which also means that you never hit the server again to create a new header
Hard refresh or another browser could look different
ok for some reason it seems that all those files require auth
Everything is secured by default by Spring Boot if not specified otherwise