Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
Read More & Register today!
SOLVED

Adding X-FRAME-OPTIONS to response on AEM 6.2

Avatar

Level 2
Level 2
3/10/17 7:42:31 AM

Hi guys, 

In AEM 6.2 release notes it says AEM has capability of adding X-FRAME-OPTIONS to response headers.

This is what is in docs:

  • Added configurable X-FRAME-OPTIONS header to avoid click-jacking

The documentation doesnt state where that can be configured.

Where can I configure that? On OSGI?

Thanks.        

Views

9.5K

Replies

5
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 2
Level 2
3/14/17 6:04:41 AM

Hi guys, 

Follows what Adobe responded:

Could you please open this page [1] and review the property "Additional response headers"? Add the value "X-Frame-Options=SAMEORIGIN" and validate.

            Let me know if you have any question.

            [1] http://<host>:<port>/system/console/configMgr/org.apache.sling.engine.impl.SlingMainServlet

Also , an image of the configuration:

https://www.screencast.com/t/1Tf6AAZGaAG

Hope that helps community.

Tks.

View solution in original post

Views

5.6K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
5 Replies

Avatar

Level 10
Level 10
3/13/17 8:40:44 AM

I found this:

To prevent clickjacking we recommend that you configure your webserver to provide the X-FRAME-OPTIONS HTTP header set to SAMEORIGIN.

For more information on clickjacking please see the OWASP site.

Which points to https://www.owasp.org/index.php/Clickjacking

Looks like this is configured at the web server level. 

Views

5.6K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
3/13/17 8:54:22 AM

Thanks Scott.

I will file a ticket and check the right approach.

Rgds,    

Views

5.6K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Administrator
Administrator
3/14/17 2:07:49 AM

Hi 

Please do Share this this the community for future references.

~kautuk



Kautuk Sahni

Views

5.6K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Level 2
Level 2
3/14/17 6:04:41 AM

Hi guys, 

Follows what Adobe responded:

Could you please open this page [1] and review the property "Additional response headers"? Add the value "X-Frame-Options=SAMEORIGIN" and validate.

            Let me know if you have any question.

            [1] http://<host>:<port>/system/console/configMgr/org.apache.sling.engine.impl.SlingMainServlet

Also , an image of the configuration:

https://www.screencast.com/t/1Tf6AAZGaAG

Hope that helps community.

Tks.

Views

5.6K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 3
Level 3
9/7/17 5:30:39 AM

Hi,

I have followed the instructions updated by you. But AEM still shows warn message in Operations Dashboard.

Kindly let me know if I need to configure else where in AEM to close this warn message in Operations Dashboard.

1294222_pastedImage_0.png

Note: I'm using AEM 6.1 with SP2 + CFP9

Thanks and Regards,

Ruben Fernando

Views

6.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
Optimizing Daily API Calls in AEM: A Better Solution? Solved

Views

159

Likes

0

Replies

5
Replication Event Listener stopped working on AEMaaCS Publisher

Views

101

Likes

0

Replies

4
Create Content Fragment with more than one variations from Excel File

Views

64

Likes

0

Replies

0
RTE full options not appearing in minimized view AEM 6.5 cloud

Views

110

Likes

0

Replies

3
Redirects do not work with x-aem-client-country header

Views

105

Likes

0

Replies

1