
SOLVED

Adding X-FRAME-OPTIONS to response on AEM 6.2

svenancio-3shar
Level 1

Hi guys, 

In the AEM 6.2 release notes it says AEM has the capability of adding X-FRAME-OPTIONS to response headers.

This is what is in the docs:

  • Added configurable X-FRAME-OPTIONS header to avoid click-jacking

The documentation doesn't state where that can be configured.

Where can I configure that? On OSGi?

Thanks.

1 Accepted Solution
svenancio-3shar
Correct answer by
Level 1

Hi guys, 

Follows what Adobe responded:

Could you please open this page [1] and review the property "Additional response headers"? Add the value "X-Frame-Options=SAMEORIGIN" and validate.

Let me know if you have any question.

[1] http://<host>:<port>/system/console/configMgr/org.apache.sling.engine.impl.SlingMainServlet

Also, an image of the configuration:

https://www.screencast.com/t/1Tf6AAZGaAG

Hope that helps community.

Tks.

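As an added example (not from this thread, and not Adobe's or Apache Sling's own code), the following POSIX shell script covers both halves of the accepted answer: it writes the Sling Main Servlet OSGi configuration as a `.config` file, and it checks raw HTTP response headers so the "validate" step can be run against `curl -sI` output instead of by eye. The property name `sling.additional.response.headers` is the one behind the console's "Additional response headers" field; the target directory for the file is an assumed content-package path, and the script assumes the JCR installer picks `.config` files up from such a config folder. The check also covers something the answer does not mention: when the header is set in more than one place (AEM and the web server, the two places the replies discuss) with differing values, or with a value other than DENY/SAMEORIGIN, browsers do not reliably honour it, so the check reports those cases as failures rather than "header present".

```shell
#!/bin/sh
# Added example, not code from the thread. Two helpers:
#   write_xfo_config DIR   - writes the SlingMainServlet OSGi config into DIR
#   check_xfo              - reads raw HTTP response headers on stdin, exits 0
#                            only if X-Frame-Options is present and sane
#
# Usage against a running instance (host/port placeholders as in the thread):
#   curl -sI "http://<host>:<port>/" | check_xfo

# 1. OSGi configuration. The property sling.additional.response.headers is the
#    real Sling Engine property behind "Additional response headers"; the
#    directory layout (e.g. apps/myproject/config) is an assumed package path.
write_xfo_config() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/org.apache.sling.engine.impl.SlingMainServlet.config" <<'EOF'
sling.additional.response.headers=["X-Frame-Options=SAMEORIGIN"]
EOF
}

# 2. Header check. Collects every X-Frame-Options value (header names are
#    case-insensitive), de-duplicates identical values, then requires exactly
#    one distinct value and that it is DENY or SAMEORIGIN. ALLOW-FROM and other
#    values are rejected because browsers ignore them.
check_xfo() {
  values=$(tr -d '\r' | awk '{
      i = index($0, ":"); if (i == 0) next
      name = tolower(substr($0, 1, i - 1))
      if (name != "x-frame-options") next
      v = substr($0, i + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
      print toupper(v)
    }' | sort -u)
  count=$(printf '%s\n' "$values" | sed '/^$/d' | wc -l | tr -d ' ')
  if [ "$count" -eq 0 ]; then
    echo "FAIL: no X-Frame-Options header in response"
    return 1
  fi
  if [ "$count" -gt 1 ]; then
    echo "FAIL: conflicting X-Frame-Options values (set in more than one place?):"
    printf '%s\n' "$values" | sed 's/^/  /'
    return 1
  fi
  case "$values" in
    DENY|SAMEORIGIN)
      echo "OK: X-Frame-Options: $values"
      return 0 ;;
    *)
      echo "FAIL: unsupported X-Frame-Options value '$values'"
      return 1 ;;
  esac
}
```

Run the check against the AEM port and against the web-server port separately: if the header comes back from one but not the other, the configuration is only applied at one layer, and if the two layers emit different values the conflicting-values branch shows it.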

5 Replies
smacdonald2008
Level 10

I found this:

To prevent clickjacking we recommend that you configure your webserver to provide the X-FRAME-OPTIONS HTTP header set to SAMEORIGIN.

For more information on clickjacking please see the OWASP site.

Which points to https://www.owasp.org/index.php/Clickjacking

Looks like this is configured at the web server level.

svenancio-3shar
Level 1

Thanks Scott.

I will file a ticket and check the right approach.

Rgds,

kautuk_sahni
Community Manager

Hi

Please do share this with the community for future reference.

~kautuk


rubenf42159101
Level 3

Hi,

I have followed the instructions updated by you. But AEM still shows warn message in Operations Dashboard.

Kindly let me know if I need to configure elsewhere in AEM to close this warn message in Operations Dashboard.

[attached image: 1294222_pastedImage_0.png]

Note: I'm using AEM 6.1 with SP2 + CFP9

Thanks and Regards,

Ruben Fernando