Refused to display <url> in a frame because it set 'X-Frame-Options' to 'deny'.

I already configured webSecurity like suggested here:
https://stackoverflow.com/questions/28647136/how-to-disable-x-frame-options-response-header-in-spring-security
and even tried workarounds from here:
https://github.com/spring-projects/spring-security/issues/8371
but it still says it's set to deny whenever I try to do

<iframe src="/books/${this.book.bookId}.pdf" style="width:100%; height:100%;" frameborder="0"></iframe>

could Cloudflare be messing with it?

Highly highly possible

Otherwise the code from Stack Overflow is correct, which you could easily verify locally by accessing the app via browser and taking a look at the sent HTTP headers

the iframe shows this

I enabled “developer mode” (which is supposed to turn off all their stuff) but that didn't change anything

also couldn't find anything related to headers in the Cloudflare control panel

and not many questions about that online either, so idk

Cloudflare should have a Rules category where you can e.g. modify headings to your liking called “Transform Rules” - at least it had in the past

i see the section, but there are no explicit rules set for that

I tried creating my own to force it into SAMEORIGIN but that didn't seem to work

Did you check if it was applied?

well it should be, given how I indiscriminately apply it to all requests now

or what do you mean

Test with your app and take a look at what the F12 / Developer console shows as headers sent in the network tab for the problematic iframe resource

I have a feeling that the request / response was cached, looking at the 200 from above, which also means that you never hit the server again to create a new header

Hard refresh or another browser could look different

ok for some reason it seems that all those files require auth

Everything is secured by default by Spring Boot if not specified otherwise :sweat_smile: