xframe fix new (#5580)

# Description of Changes

<!--
Please provide a summary of the changes, including:

- What was changed
- Why the change was made
- Any challenges encountered

Closes #(issue_number)
-->

---

## Checklist

### General

- [ ] I have read the [Contribution
Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md)
- [ ] I have read the [Stirling-PDF Developer
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md)
(if applicable)
- [ ] I have read the [How to add new languages to
Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md)
(if applicable)
- [ ] I have performed a self-review of my own code
- [ ] My changes generate no new warnings

### Documentation

- [ ] I have updated relevant docs on [Stirling-PDF's doc
repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/)
(if functionality has heavily changed)
- [ ] I have read the section [Add New Translation
Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags)
(for new translation tags only)

### Translations (if applicable)

- [ ] I ran
[`scripts/counter_translation.py`](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/docs/counter_translation.md)

### UI Changes (if applicable)

- [ ] Screenshots or videos demonstrating the UI changes are attached
(e.g., as comments or direct attachments in the PR)

### Testing (if applicable)

- [ ] I have tested my changes locally. Refer to the [Testing
Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing)
for more details.

app/common/src/main/java/stirling/software/common/model/ApplicationProperties.java

@@ -164,6 +164,7 @@ public class ApplicationProperties {
         private String customGlobalAPIKey;
         private Jwt jwt = new Jwt();
         private Validation validation = new Validation();
+        private String xFrameOptions = "DENY";
 
         public Boolean isAltLogin() {
             return saml2.getEnabled() || oauth2.getEnabled();

app/core/src/main/resources/settings.yml.template

@@ -81,6 +81,7 @@ security:
     revocation:
       mode: none # Revocation checking mode: 'none' (disabled), 'ocsp' (OCSP only), 'crl' (CRL only), 'ocsp+crl' (OCSP with CRL fallback)
       hardFail: false # Fail validation if revocation status cannot be determined (true=strict, false=soft-fail)
+  xFrameOptions: DENY # X-Frame-Options header value. Options: 'DENY' (default, prevents all framing), 'SAMEORIGIN' (allows framing from same domain), 'DISABLED' (no X-Frame-Options header sent). Note: automatically set to DISABLED when login is disabled
 
 premium:
   key: 00000000-0000-0000-0000-000000000000

app/proprietary/src/main/java/stirling/software/proprietary/security/configuration/SecurityConfiguration.java

@@ -201,6 +201,31 @@ public class SecurityConfiguration {
 
         http.csrf(CsrfConfigurer::disable);
 
+        // Configure X-Frame-Options based on settings.yml configuration
+        // When login is disabled, automatically disable X-Frame-Options to allow embedding
+        if (!loginEnabledValue) {
+            http.headers(headers -> headers.frameOptions(frameOptions -> frameOptions.disable()));
+        } else {
+            String xFrameOption = securityProperties.getXFrameOptions();
+            if (xFrameOption != null) {
+                http.headers(headers -> {
+                    if ("DISABLED".equalsIgnoreCase(xFrameOption)) {
+                        headers.frameOptions(frameOptions -> frameOptions.disable());
+                    } else if ("SAMEORIGIN".equalsIgnoreCase(xFrameOption)) {
+                        headers.frameOptions(frameOptions -> frameOptions.sameOrigin());
+                    } else {
+                        // Default to DENY
+                        headers.frameOptions(frameOptions -> frameOptions.deny());
+                    }
+                });
+            } else {
+                // If not configured, use default DENY
+                http.headers(headers ->
+                    headers.frameOptions(frameOptions -> frameOptions.deny())
+                );
+            }
+        }
+
         if (loginEnabledValue) {
 
             http.addFilterBefore(

frontend/public/locales/en-GB/translation.toml

@@ -4527,6 +4527,13 @@ description = "Maximum number of failed login attempts before account lockout"
 label = "Login Reset Time (minutes)"
 description = "Time before failed login attempts are reset"
 
+[admin.settings.security.xFrameOptions]
+label = "X-Frame-Options"
+description = "Controls whether the application can be embedded in iframes"
+deny = "Deny (Prevents all framing)"
+sameorigin = "Same Origin (Allow framing from same domain)"
+disabled = "Disabled (No X-Frame-Options header)"
+
 [admin.settings.security.csrfDisabled]
 label = "Disable CSRF Protection"
 description = "Disable Cross-Site Request Forgery protection (not recommended)"

frontend/src/proprietary/components/shared/config/configSections/AdminSecuritySection.tsx

@@ -16,6 +16,7 @@ interface SecuritySettingsData {
   loginMethod?: string;
   loginAttemptCount?: number;
   loginResetTimeMinutes?: number;
+  xFrameOptions?: string;
   jwt?: {
     persistence?: boolean;
     enableKeyRotation?: boolean;
@@ -125,6 +126,7 @@ export default function AdminSecuritySection() {
         'security.loginMethod': securitySettings.loginMethod,
         'security.loginAttemptCount': securitySettings.loginAttemptCount,
         'security.loginResetTimeMinutes': securitySettings.loginResetTimeMinutes,
+        'security.xFrameOptions': securitySettings.xFrameOptions,
         // JWT settings
         'security.jwt.persistence': securitySettings.jwt?.persistence,
         'security.jwt.enableKeyRotation': securitySettings.jwt?.enableKeyRotation,
@@ -280,6 +282,27 @@ export default function AdminSecuritySection() {
               disabled={!loginEnabled}
             />
           </div>
+
+          <div>
+            <Select
+              label={
+                <Group gap="xs">
+                  <span>{t('admin.settings.security.xFrameOptions.label', 'X-Frame-Options')}</span>
+                  <PendingBadge show={isFieldPending('xFrameOptions')} />
+                </Group>
+              }
+              description={t('admin.settings.security.xFrameOptions.description', 'Controls whether the application can be embedded in iframes')}
+              value={settings?.xFrameOptions || 'DENY'}
+              onChange={(value) => setSettings({ ...settings, xFrameOptions: value || 'DENY' })}
+              data={[
+                { value: 'DENY', label: t('admin.settings.security.xFrameOptions.deny', 'Deny (Prevents all framing)') },
+                { value: 'SAMEORIGIN', label: t('admin.settings.security.xFrameOptions.sameorigin', 'Same Origin (Allow framing from same domain)') },
+                { value: 'DISABLED', label: t('admin.settings.security.xFrameOptions.disabled', 'Disabled (No X-Frame-Options header)') },
+              ]}
+              comboboxProps={{ zIndex: 1400 }}
+              disabled={!loginEnabled}
+            />
+          </div>
         </Stack>
       </Paper>