HIGH clickjackingspring bootapi keys

Clickjacking in Spring Boot with Api Keys

Scan for clickjacking in spring boot

Clickjacking in Spring Boot with Api Keys — how this specific combination creates or exposes the vulnerability

Clickjacking is a client-side UI redressing attack where an attacker tricks a user into interacting with a hidden or disguised element inside an invisible or disguised frame. In a Spring Boot application that relies on API keys for authentication, embedding protected endpoints inside frames or iframes can expose key-based flows to clickjacking, especially when defenses are incomplete.

When an API key is used for authentication—typically passed via request headers or query parameters—a protected endpoint may still render a page that can be framed. If the response does not set appropriate frame-denial headers (e.g., X-Frame-Options or Content-Security-Policy: frame-ancestors), an attacker can load that page inside an invisible iframe. A user who is already authenticated (for example, via session cookies after a key-based login) may inadvertently trigger actions or reveal sensitive data when interacting with the attacker’s page, because the browser sends credentials automatically.

Consider a Spring Boot controller that accepts an API key as a header and returns an HTML page with embedded widgets or status panels. If that page is served with a permissive frame policy, an attacker can craft a page that overlays invisible controls on top of legitimate UI elements. For example:

@RestController
@RequestMapping("/api/report")
public class ReportController {

    @GetMapping
    public String generateReport(@RequestHeader("X-API-Key") String apiKey, Model model) {
        // vulnerable: returns HTML that can be framed without frame-ancestors policy
        model.addAttribute("data", fetchReportData(apiKey));
        return "report"; // Thymeleaf template
    }
}

If the report template does not instruct the browser to prevent framing, and the user’s browser includes the API-key-authenticated session, an attacker can overlay buttons or links on a fake page that submit requests to the real endpoint. This can lead to unauthorized actions or leakage of key-associated data, particularly when the API key is tied to elevated permissions or long-lived tokens.

Additionally, if the application exposes an unauthenticated endpoint that still reveals sensitive information and is missing frame-ancestor restrictions, an attacker can combine that with social engineering to make the user believe they are interacting with a legitimate widget while the request is being performed in the background. The combination of API-key-based auth and missing frame controls creates a scenario where trust is placed in headers and cookies that can be exploited within malicious contexts.

Api Keys-Specific Remediation in Spring Boot — concrete code fixes

Remediation focuses on preventing framing of authenticated responses and ensuring that API-key-requiring endpoints are not inadvertently embeddable. Two complementary headers provide strong defense in depth.

1. X-Frame-Options

Set a global filter or controller advice to add X-Frame-Options: DENY or X-Frame-Options: SAMEORIGIN. DENY is preferred for API-driven pages that should never be framed.

@Configuration
public class SecurityConfig {

    @Bean
    public FilterRegistrationBean xFrameOptionsFilter() {
        FilterRegistrationBean registration = new FilterRegistrationBean<>();
        registration.setFilter(new XFrameOptionsFilter());
        registration.addUrlPatterns("/api/*");
        registration.addInitParameter("policy", "DENY");
        return registration;
    }

    public class XFrameOptionsFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request,
                                        HttpServletResponse response,
                                        FilterChain filterChain) throws ServletException, IOException {
            response.setHeader("X-Frame-Options", "DENY");
            filterChain.doFilter(request, response);
        }
    }
}

2. Content-Security-Policy frame-ancestors

For modern browsers, use Content-Security-Policy: frame-ancestors to explicitly control which origins can embed the page. For API-only responses, you can restrict framing to none.

@Configuration
public class SecurityConfig {

    @Bean
    public FilterRegistrationBean cspFrameAncestorsFilter() {
        FilterRegistrationBean registration = new FilterRegistrationBean<>();
        registration.setFilter(new CspFrameAncestorsFilter());
        registration.addUrlPatterns("/api/*");
        registration.addInitParameter("policy", "'none'");
        return registration;
    }

    public class CspFrameAncestorsFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request,
                                        HttpServletResponse response,
                                        FilterChain filterChain) throws ServletException, IOException {
            response.setHeader("Content-Security-Policy", "frame-ancestors 'none'");
            filterChain.doFilter(request, response);
        }
    }
}

If the application serves both HTML and API responses, scope the filters to endpoints that render pages or use a more granular expression. For endpoints that return JSON and are not intended for browser embedding, the headers still help prevent misuse in edge cases where responses are loaded in error pages.

Ensure that API keys are transmitted securely via headers (not query parameters where possible) and that responses requiring authentication are not served with permissive framing policies. Combining these headers with HTTPS and strict CORS rules further reduces risk.

Scan for clickjacking in spring boot Free API security scan

Frequently Asked Questions

Does middleBrick detect clickjacking risks in API responses?
Yes. middleBrick runs security checks including UI redress risks where relevant. To scan an endpoint, you can use the CLI: scan from terminal with middlebrick scan . The dashboard also tracks findings across scans.
Can the GitHub Action fail builds if a framing misconfiguration is found?
Yes. With the Pro plan, you can add API security checks to your CI/CD pipeline using the GitHub Action. You can configure it to fail builds if risk scores drop below your threshold or if specific findings, such as missing frame-ancestors policies, are detected.

Related Pages

Clickjacking in Spring BootLearn how clickjacking attacks target Spring Boot applications and how to detect and prevent them using Spring Security Clickjacking with Api KeysHow clickjacking attacks steal API keys through framed interfaces and how to detect and prevent these vulnerabilities usClickjacking in Spring Boot on Fly IoUnderstand clickjacking risks in Spring Boot exposed via Fly Io and implement concrete header-based fixes with code examClickjacking in Spring Boot on SupabaseAnalyzing clickjacking risks when Spring Boot integrates Supabase; concrete CSP and X-Frame-Options fixes with code examClickjacking in Spring Boot on RailwayDetect and remediate clickjacking in Spring Boot apps on Railway with frame-protection headers and secure coding practicHipaa: Clickjacking in Spring BootExplains clickjacking risks for HIPAA-facing Spring Boot apps and provides concrete header-based fixes with working codeGdpr: Clickjacking in Spring BootGDPR implications of clickjacking in Spring Boot and concrete remediation code examples including headers and CSP.Iso 27001: Clickjacking in Spring BootISO 27001 controls and Spring Boot headers to prevent clickjacking. Concrete filter and SecurityConfig examples.Cis: Clickjacking in Spring BootExplore clickjacking risks in Spring Boot, understand how missing framing headers expose endpoints, and apply concrete rClickjacking in Spring Boot with FirestoreClickjacking in Spring Boot with Firestore: risks and remediation, including CSP headers and Firestore request validatioClickjacking in Spring Boot with DynamodbClickjacking in Spring Boot with DynamoDB: causes and remediation, including CSP and X-Frame-Options code examplesClickjacking in Spring Boot with CockroachdbUnderstanding clickjacking in Spring Boot with Cockroachdb and concrete remediation code examples.