Tomcat 10.1 Server not changing X-Frame options

Our application uses a Tomcat web service to build partial views and insert them into a third-party web program.

However, as of a major codebase upgrade from Tomcat 7 to Tomcat 10.1, the display is getting blocked by the X-Frame options, which are always listed as DENY.

I updated the Tomcat web.xml to add the httpHeaderSecurity.

Other SO questions said this was the fix, but the X-Frame-Options header didn't change, so I think I'm missing something.

Currently our filter reads as such:

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>ALLOW-FROM</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingUri</param-name>
        <param-value>{Main web application URI}</param-value>
    </init-param>
    <init-param>
        <param-name>xssProtectionEnabled</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>
    
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
There are 0 answers
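
Added example, not part of the original post: a small Python model of how current browsers treat the framing headers discussed above, showing that an `ALLOW-FROM` value is ignored outright and that a CSP `frame-ancestors` directive takes precedence over `X-Frame-Options`. The origins `tomcat.example` and `portal.example` and the header sets are constructed, and matching is simplified to one embedding level with exact origin comparison.

```python
from urllib.parse import urlsplit

def origin(url):
    """scheme://host[:port] of a URL, lowercased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def frame_ancestors(csp_value):
    """Source list of frame-ancestors in one CSP header value, or None if absent."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.lower() for s in parts[1:]]
    return None

def framing_decision(headers, page_url, embedder_url):
    """headers: (name, value) pairs as received. Returns (allowed, reason)."""
    page, embedder = origin(page_url), origin(embedder_url)
    policies = [frame_ancestors(v) for n, v in headers
                if n.lower() == "content-security-policy"]
    policies = [p for p in policies if p is not None]
    if policies:  # frame-ancestors present: X-Frame-Options is not consulted
        for sources in policies:  # every policy must admit the embedder
            if not any(s == "*" or (s == "'self'" and embedder == page)
                       or s.rstrip("/") == embedder for s in sources):
                return False, "blocked by CSP frame-ancestors"
        return True, "allowed by CSP frame-ancestors"
    xfo = {t.strip().lower() for n, v in headers
           if n.lower() == "x-frame-options" for t in v.split(",")}
    if "deny" in xfo or (len(xfo) > 1 and "sameorigin" in xfo):
        return False, "blocked by X-Frame-Options (DENY or conflicting values)"
    if "sameorigin" in xfo:
        same = embedder == page
        return same, "X-Frame-Options: SAMEORIGIN"
    if any(t.startswith("allow-from") for t in xfo):
        return True, "ALLOW-FROM is obsolete and ignored: no framing restriction"
    return True, "no framing restriction"

# Constructed inputs: hypothetical origins and header sets.
PAGE = "https://tomcat.example/app/partial"
EMBEDDER = "https://portal.example/dashboard"
OBSERVED = [("X-Frame-Options", "DENY")]
POSTED_FILTER = [("X-Frame-Options", "ALLOW-FROM https://portal.example")]
WITH_CSP = OBSERVED + [("Content-Security-Policy",
                        "frame-ancestors 'self' https://portal.example")]

if __name__ == "__main__":
    for name, hdrs in [("observed", OBSERVED), ("posted filter", POSTED_FILTER),
                       ("with frame-ancestors", WITH_CSP)]:
        print(name, framing_decision(hdrs, PAGE, EMBEDDER))
```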