Hello!
I'm trying to fix an issue with clickjacking, and I was following this guide here: https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/getting-started/security...
It mentioned setting the X-FRAME-OPTIONS HTTP header to SAMEORIGIN.
By default, in our available vhost files, we already have this:
Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options}!='SAMEORIGIN'"
I'm confused why clickjacking is still possible despite having this in our HTTP headers; I would appreciate any help! Maybe we're missing something.
You can set headers from the vhost as well.
Please check the example here: https://github.com/arunpatidar02/aemaacs-aemlab/blob/f96ce5316dfa4798c72d2e87d3a0b41fc49791a4/dispat...
Hi,
Can you check whether you can see the X-Frame-Options header in the response?
However, there is a cheat sheet on defending against clickjacking:
https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html
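A small check that applies the advice above, added here as an example (it is not code from this thread, from Adobe, or from the dispatcher project): it classifies a response's framing protection from its X-Frame-Options header and any CSP frame-ancestors directive, so the HTML page can be compared with the clientlib and SVG responses. The fetch_headers helper and the sample header sets are my own assumptions.

```python
"""Clickjacking-protection check on HTTP response headers (added example, not
from the thread or Adobe's docs). Run it against the HTML document itself,
not only the clientlibs or SVGs, since the browser judges each response alone."""
import urllib.request

def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def assess(headers):
    """Classify framing protection; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    result = {"xfo": None, "frame_ancestors": None, "protected": False, "notes": []}
    xfo = h.get("x-frame-options")
    if xfo is not None:
        # A duplicated/merged header arrives comma-separated; conflicting values block framing.
        values = {v.strip().upper() for v in xfo.split(",")}
        result["xfo"] = sorted(values)
        if len(values) > 1:
            result["protected"] = True
            result["notes"].append("conflicting X-Frame-Options values: browsers block framing")
        elif values <= {"DENY", "SAMEORIGIN"}:
            result["protected"] = True
        else:
            result["notes"].append("unrecognised X-Frame-Options value is ignored by browsers")
    csp = h.get("content-security-policy")
    if csp is not None:
        fa = parse_frame_ancestors(csp)
        if fa is not None:
            # CSP frame-ancestors takes precedence over X-Frame-Options when both are present.
            result["frame_ancestors"] = fa
            result["protected"] = "*" not in fa
    if not result["protected"]:
        result["notes"].append("page can be framed: add X-Frame-Options or CSP frame-ancestors")
    return result

def fetch_headers(url):
    """Fetch a URL and return its response headers (real network call, assumed helper)."""
    with urllib.request.urlopen(url) as resp:
        return dict(resp.getheaders())

if __name__ == "__main__":
    # Constructed samples: header present on a clientlib response, missing on the HTML page.
    print(assess({"Content-Type": "text/javascript", "X-Frame-Options": "SAMEORIGIN"}))
    print(assess({"Content-Type": "text/html"}))
```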
I see X-Frame-Options on resources like client libraries or SVGs, but I don't see it on the main website itself. I don't really understand why this is happening.
I looked at the cheat sheet, and it looks like I would need to add CSP too? But I still don't understand why the X-Frame-Options doesn't seem to work.
Thanks!