
SOLVED

Adding X-FRAME-OPTIONS to response on AEM 6.2


Level 2

Hi guys, 

In the AEM 6.2 release notes it says AEM has the capability of adding X-FRAME-OPTIONS to response headers.

This is what is in docs:

  • Added configurable X-FRAME-OPTIONS header to avoid click-jacking

The documentation doesn't state where that can be configured.

Where can I configure that? On OSGI?

Thanks.        

1 Accepted Solution


Correct answer by
Level 2

Hi guys, 

Here is what Adobe responded:

Could you please open this page [1] and review the property "Additional response headers"? Add the value "X-Frame-Options=SAMEORIGIN" and validate.

Let me know if you have any question.

[1] http://<host>:<port>/system/console/configMgr/org.apache.sling.engine.impl.SlingMainServlet

Also, an image of the configuration:

https://www.screencast.com/t/1Tf6AAZGaAG

Hope that helps the community.

Tks.

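The accepted answer above configures the header through the Sling Main Servlet's "Additional response headers" field, and a later reply in this thread reports that the Operations Dashboard still warned afterwards. The script below is an added example, not code from this thread, from Adobe or from the Sling project: it renders that setting as an OSGi `.config` file for a `crx-quickstart/install` folder, and it checks a captured HTTP response head for an effective `X-Frame-Options` value the way a practitioner would after a `curl -I` against the publish instance or the dispatcher. The property name `sling.additional.response.headers` and the `.config` syntax are stated as assumptions in the code; the two HTTP responses are constructed for the demo.

```python
"""Added example: render the SlingMainServlet OSGi config that carries
X-Frame-Options, and check an HTTP response head for it.
Not AEM, Adobe or Sling code; the responses below are constructed."""

from typing import Dict, List, Tuple

# PID the accepted answer points at in /system/console/configMgr.
SLING_MAIN_SERVLET_PID = "org.apache.sling.engine.impl.SlingMainServlet"
# Assumption: property behind the "Additional response headers" field.
ADDITIONAL_HEADERS_KEY = "sling.additional.response.headers"

# Values that actually stop framing by other origins (OWASP guidance).
ACCEPTED_VALUES = {"DENY", "SAMEORIGIN"}


def render_sling_config(headers: List[str]) -> str:
    """Return the body of <PID>.config (Felix config syntax, assumed),
    listing every Name=Value pair as a String[] property."""
    joined = ",".join('"%s"' % h for h in headers)
    return "%s=[%s]\n" % (ADDITIONAL_HEADERS_KEY, joined)


def parse_response_head(raw: str) -> Dict[str, List[str]]:
    """Parse status line plus headers of a raw HTTP response into a
    case-insensitive dict; repeated headers are kept as a list."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_frame_options(headers: Dict[str, List[str]]) -> Tuple[bool, str]:
    """Decide whether the response is protected against clickjacking.
    Browsers ignore X-Frame-Options when several conflicting values are
    sent (two headers, or a comma-separated list), so that counts as
    unprotected rather than as 'some protection'."""
    tokens = [t.strip().upper()
              for v in headers.get("x-frame-options", [])
              for t in v.split(",") if t.strip()]
    if not tokens:
        return False, "X-Frame-Options header missing"
    if len(set(tokens)) > 1:
        return False, "conflicting X-Frame-Options values: %s" % sorted(set(tokens))
    value = tokens[0]
    if value in ACCEPTED_VALUES:
        return True, "X-Frame-Options=%s" % value
    return False, "unrecognised X-Frame-Options value %r" % value


# Constructed sample responses (not captured from a real AEM instance).
RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n<html>...</html>"
)
RESPONSE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n<html>...</html>"
)


if __name__ == "__main__":
    # Drop this text into <PID>.config under crx-quickstart/install.
    print("%s.config:" % SLING_MAIN_SERVLET_PID)
    print(render_sling_config(["X-Content-Type-Options=nosniff",
                               "X-Frame-Options=SAMEORIGIN"]))
    for label, raw in (("before", RESPONSE_BEFORE), ("after", RESPONSE_AFTER)):
        ok, reason = check_frame_options(parse_response_head(raw))
        print(label, "OK" if ok else "FAIL", reason)
```

When the check passes directly against the AEM instance but fails through the dispatcher or web server, the header is being set in Sling but dropped or overridden on the way out, which is where the "configure it at the web server level" advice from the first reply applies.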

5 Replies


Level 10

I found this:

To prevent clickjacking we recommend that you configure your webserver to provide the X-FRAME-OPTIONS HTTP header set to SAMEORIGIN.

For more information on clickjacking please see the OWASP site.

Which points to https://www.owasp.org/index.php/Clickjacking

Looks like this is configured at the web server level. 


Level 2

Thanks Scott.

I will file a ticket and check the right approach.

Rgds,    


Administrator

Hi 

Please do share this with the community for future reference.

~kautuk

Kautuk Sahni


Level 3

Hi,

I have followed the instructions updated by you. But AEM still shows a warning message in the Operations Dashboard.

Kindly let me know if I need to configure elsewhere in AEM to close this warning message in the Operations Dashboard.

Note: I'm using AEM 6.1 with SP2 + CFP9

Thanks and Regards,

Ruben Fernando