Adding X-FRAME-OPTIONS to response on AEM 6.2 | Community
svenancio-3shar
Level 2
March 10, 2017
Solved

Adding X-FRAME-OPTIONS to response on AEM 6.2

  • March 10, 2017
  • 5 replies
  • 10151 views

Hi guys, 

In AEM 6.2 release notes it says AEM has capability of adding X-FRAME-OPTIONS to response headers.

This is what is in docs:

  • Added configurable X-FRAME-OPTIONS header to avoid click-jacking

The documentation doesn't state where that can be configured.

Where can I configure that? On OSGI?

Thanks.        


5 replies

smacdonald2008
Level 10
March 13, 2017

I found this:

To prevent clickjacking we recommend that you configure your webserver to provide the X-FRAME-OPTIONS HTTP header set to SAMEORIGIN.

For more information on clickjacking please see the OWASP site.

Which points to https://www.owasp.org/index.php/Clickjacking

Looks like this is configured at the web server level. 

svenancio-3shar
Level 2
March 13, 2017

Thanks Scott.

I will file a ticket and check the right approach.

Rgds,    

kautuk_sahni
Community Manager
March 14, 2017

Hi

Please do share this with the community for future reference.

~kautuk

Kautuk Sahni
svenancio-3shar (Author, Accepted solution)
Level 2
March 14, 2017

Hi guys, 

Here is what Adobe responded:

Could you please open this page [1] and review the property "Additional response headers"? Add the value "X-Frame-Options=SAMEORIGIN" and validate.

Let me know if you have any question.

[1] http://<host>:<port>/system/console/configMgr/org.apache.sling.engine.impl.SlingMainServlet

Also, an image of the configuration:

https://www.screencast.com/t/1Tf6AAZGaAG

Hope that helps community.

Tks.
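The Sling Main Servlet setting above only helps if the header actually reaches the browser with a value it honours. The following checker is an added example (not from this thread, Adobe or Apache Sling): it inspects a response's headers and reports whether clickjacking protection is in place, treating a missing header, the obsolete ALLOW-FROM form, and a multi-valued header (which happens when both the web server and AEM append it) as failures, and accepting a CSP frame-ancestors directive as an alternative. The sample header sets at the bottom are constructed; `audit()` fetches a live URL with the standard library.

```python
"""Verify X-Frame-Options / CSP frame-ancestors on an HTTP response.

Added example; not code from the forum thread, Adobe or Apache Sling.
check_frame_protection() works on a headers mapping so it can run offline;
audit(url) fetches real headers with urllib and applies the same check.
"""
from __future__ import annotations

import urllib.error
import urllib.request
from typing import Mapping

# The only X-Frame-Options values modern browsers honour.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def check_frame_protection(headers: Mapping[str, str]) -> tuple[bool, str]:
    """Return (protected, reason) for one response's headers.

    Header names are case-insensitive, so everything is normalised first.
    """
    norm = {k.lower(): v.strip() for k, v in headers.items()}
    xfo = norm.get("x-frame-options")
    csp = norm.get("content-security-policy", "").lower()
    csp_ok = "frame-ancestors" in csp

    if xfo is None:
        if csp_ok:
            return True, "protected by CSP frame-ancestors (no X-Frame-Options)"
        return False, "X-Frame-Options missing and no CSP frame-ancestors"

    value = xfo.upper()
    if value in VALID_XFO:
        return True, f"X-Frame-Options={value}"
    if value.startswith("ALLOW-FROM"):
        # Obsolete; browsers ignore it, leaving the page frameable.
        return False, "ALLOW-FROM is obsolete and ignored; use CSP frame-ancestors"
    if "," in value:
        # Typical when the dispatcher/web server AND Sling both add the header.
        return False, f"multiple X-Frame-Options values ({xfo!r}); set it in one place only"
    return False, f"unrecognised X-Frame-Options value {xfo!r}"


def audit(url: str, timeout: float = 10.0) -> tuple[bool, str]:
    """Fetch url and check its headers. 4xx/5xx responses are still inspected."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return check_frame_protection(dict(resp.headers.items()))
    except urllib.error.HTTPError as err:
        return check_frame_protection(dict(err.headers.items()))


# Constructed sample responses (not captured from any real server).
SAMPLES: dict[str, dict[str, str]] = {
    "sling-configured": {"X-Frame-Options": "SAMEORIGIN", "Content-Type": "text/html"},
    "lowercase-value": {"x-frame-options": "sameorigin"},
    "not-configured": {"Content-Type": "text/html"},
    "csp-only": {"Content-Security-Policy": "frame-ancestors 'self'"},
    "obsolete-allow-from": {"X-Frame-Options": "ALLOW-FROM https://example.invalid"},
    "set-twice": {"X-Frame-Options": "SAMEORIGIN, SAMEORIGIN"},
}


def run_samples() -> dict[str, bool]:
    """Evaluate every constructed sample; returns name -> protected flag."""
    return {name: check_frame_protection(hdrs)[0] for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        ok, why = check_frame_protection(hdrs)
        print(f"{'PASS' if ok else 'FAIL':4} {name:22} {why}")
```

Run it against the AEM instance itself and then through the dispatcher or web server in front of it: if the header is set at both layers the "set-twice" case shows up, and the fix is to keep it in a single place (the Sling Main Servlet setting on a publish instance, or the web server as Scott's quote recommends).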

rubenf42159101
Level 2
September 7, 2017

Hi,

I have followed the instructions updated by you. But AEM still shows warn message in Operations Dashboard.

Kindly let me know if I need to configure elsewhere in AEM to close this warn message in Operations Dashboard.

Note: I'm using AEM 6.1 with SP2 + CFP9

Thanks and Regards,

Ruben Fernando