[Esapi-user] ESAPI ClickjackFilter and Spring 3 MVC

Michael Weber michael.weber35 at gmail.com
Mon Jan 27 22:20:15 UTC 2014

Hey all,

I am working on implementing the ESAPI ClickjackFilter using a Spring 3 MVC
application. However, the filter does not add the header even though the
call is being made. See the following code from the ESAPI ClickjackFilter:

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse) response;

        // Run the rest of the chain (the Spring MVC dispatcher) first ...
        chain.doFilter(request, response);

        // ... and only then add the anti-framing header
        res.addHeader("X-FRAME-OPTIONS", mode);
    }


I created a local copy of the ESAPI ClickjackFilter and modified my local
version to verify that the header is not added after the "doFilter" call returns
from Spring, and it is not. I verified that Spring had already
committed the HTTP response, which is why the header cannot be added. I also
verified that if the header is added before the "doFilter" call then the
header is added successfully. I am emailing to ask if anyone knows a way to
make the ESAPI ClickjackFilter work before I recommend using a custom
filter or Spring interceptor. Any help is appreciated.
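Added example (not ESAPI's code and not from the poster): a servlet filter that sets X-FRAME-OPTIONS before handing the request to the chain, which is the ordering the poster found works once Spring has committed the response. The class name, the "mode" init-param name and the DENY default are assumptions for this illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical anti-clickjacking filter. It writes X-FRAME-OPTIONS before
 * delegating to the chain, so the header is already part of the response when
 * a downstream component (here Spring MVC) flushes and commits it.
 */
public class EarlyFrameOptionsFilter implements Filter {

    // Assumed default; DENY is the most restrictive X-FRAME-OPTIONS value.
    private String mode = "DENY";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // Assumed init-param name "mode", e.g. DENY or SAMEORIGIN in web.xml.
        String configured = filterConfig.getInitParameter("mode");
        if (configured != null && !configured.trim().isEmpty()) {
            mode = configured.trim().toUpperCase();
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse) response;

        // Set the header BEFORE the chain runs: once the response has been
        // committed, headers added afterwards are silently discarded.
        if (!res.isCommitted()) {
            res.setHeader("X-FRAME-OPTIONS", mode);
        }

        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Map the filter in web.xml ahead of Spring's DispatcherServlet mapping so it wraps every MVC response; checking the header with a browser's network panel or curl -I confirms it is present on committed responses.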

