
SOLVED

Prevent Clickjacking, X-Frame-Options alone doesn't seem to be doing much


Level 3

Hello!


I'm trying to fix an issue with clickjacking, and I was following this guide here: https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/getting-started/security...


It mentioned setting the X-FRAME-OPTIONS HTTP header to SAMEORIGIN.


By default, in our available vhost files, we already have this:

Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options}!='SAMEORIGIN'"


I'm confused why the clickjacking is still possible despite having this in our HTTP Header, would appreciate any help! Maybe we're missing something. 


4 Replies


Community Advisor

Hi,

Can you check whether you can see the X-Frame-Options header in the response?


However, there is a cheat sheet on defending against clickjacking:

https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html 



Arun Patidar
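A small checker, added here as an example and not code from the thread or from Adobe/AEM, that applies the browser rules the OWASP cheat sheet describes to a captured set of response headers. It shows three things a header-by-header glance misses: a Content-Security-Policy frame-ancestors directive takes precedence and X-Frame-Options is then not consulted at all; a missing header on the HTML document itself leaves the page frameable no matter what the clientlibs and SVGs carry; and a comma-separated X-Frame-Options list with conflicting values (which merging SAMEORIGIN onto a different value the origin server already sent produces) is ignored by browsers unless one of the values is DENY. The page, attacker and partner URLs and the sample header sets are constructed for the example; on a real site, pass the name/value pairs from http.client's response.getheaders() or parsed from curl -sI output.

```python
"""Decide whether a response's headers let a page be framed by another site.

Added example, not code from the thread or from AEM/Adobe. It follows the
browser rules (HTML spec "check a navigation response's adherence to
X-Frame-Options" and the CSP frame-ancestors directive): frame-ancestors, when
present, wins outright; conflicting X-Frame-Options values are ignored unless
one of them is DENY. Only the direct embedder is checked, where browsers walk
every ancestor frame. All URLs and header sets below are constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

_DEFAULT_PORT = {"http": 80, "https": 443}


def _origin(url):
    """(scheme, host, effective port) tuple used for same-origin comparison."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or _DEFAULT_PORT.get(scheme)


def _split_xfo(values):
    """Split every X-Frame-Options header on commas, as browsers do."""
    return [t.strip().lower() for v in values for t in v.split(",") if t.strip()]


def _frame_ancestors(csp_values):
    """Source list of the first frame-ancestors directive found, else None."""
    for header in csp_values:
        for policy in header.split(","):
            for directive in policy.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    return [t.lower() for t in tokens[1:]]
    return None


def _source_matches(source, embedder, page):
    """Match one frame-ancestors source against the embedding page's URL."""
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(embedder) == _origin(page)
    e = urlsplit(embedder)
    if source.endswith(":") and "/" not in source:      # scheme-source, e.g. https:
        return e.scheme.lower() == source[:-1]
    # host-source: [scheme://]host[:port]; host may start with "*."
    s = urlsplit(source if "://" in source else "//" + source)
    if s.scheme and s.scheme.lower() != e.scheme.lower():
        return False
    host, ehost = (s.hostname or ""), (e.hostname or "").lower()
    if host.startswith("*."):
        if not ehost.endswith(host[1:]):               # *.example.com: subdomains only
            return False
    elif host != ehost:
        return False
    return s.port is None or s.port == (e.port or _DEFAULT_PORT.get(e.scheme.lower()))


def can_be_framed(headers, page_url, embedder_url):
    """Return (frameable, reason) for page_url embedded by embedder_url.

    headers: list of (name, value) pairs, e.g. http.client's response.getheaders().
    """
    by_name = defaultdict(list)
    for name, value in headers:
        by_name[name.lower()].append(value)

    sources = _frame_ancestors(by_name["content-security-policy"])
    if sources is not None:
        # CSP frame-ancestors present: X-Frame-Options is not consulted at all.
        allowed = any(_source_matches(s, embedder_url, page_url) for s in sources)
        return allowed, "decided by frame-ancestors %s" % " ".join(sources)

    xfo = _split_xfo(by_name["x-frame-options"])
    if not xfo:
        return True, "no X-Frame-Options and no frame-ancestors"
    if len(set(xfo)) > 1:
        if "deny" in xfo:
            return False, "multiple X-Frame-Options values including DENY"
        return True, "conflicting X-Frame-Options values %r are ignored" % xfo
    if xfo[0] == "deny":
        return False, "X-Frame-Options: DENY"
    if xfo[0] == "sameorigin":
        same = _origin(embedder_url) == _origin(page_url)
        return same, "X-Frame-Options: SAMEORIGIN, embedder %s same-origin" % ("is" if same else "is not")
    return True, "unrecognised X-Frame-Options value %r is ignored" % xfo[0]


# Constructed sample responses for a page on www.example.com (not real sites).
PAGE = "https://www.example.com/content/site/en.html"
ATTACKER = "https://attacker.example/clickjack.html"
PARTNER = "https://partner.example/embed.html"
SAMPLES = {
    "no header": [("Content-Type", "text/html")],
    "sameorigin": [("X-Frame-Options", "SAMEORIGIN")],
    "merged duplicate": [("X-Frame-Options", "SAMEORIGIN, SAMEORIGIN")],
    "merged onto allow-from": [("X-Frame-Options", "ALLOW-FROM https://partner.example, SAMEORIGIN")],
    "csp overrides xfo": [("X-Frame-Options", "DENY"),
                          ("Content-Security-Policy", "frame-ancestors 'self' https://partner.example")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        frameable, why = can_be_framed(hdrs, PAGE, ATTACKER)
        print("%-24s frameable by attacker: %-5s (%s)" % (label, frameable, why))
```

Run it against the headers of the HTML document, not of a clientlib or SVG: the "no header" case is exactly what a page that is missing X-Frame-Options looks like to a browser, and the "csp overrides xfo" case is why the cheat sheet recommends sending frame-ancestors alongside X-Frame-Options rather than relying on either alone.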


Level 3

I see X-Frame-Options on resources like client libraries or SVGs, but I don't see it on the main website itself. I don't really understand why this is happening.


I looked at the cheat sheet, and it looks like I would need to add CSP too? But I still don't understand why the X-Frame-Options doesn't seem to work. 


Correct answer by
Community Advisor

You can set headers from the vhost as well.

Please check the example here: https://github.com/arunpatidar02/aemaacs-aemlab/blob/f96ce5316dfa4798c72d2e87d3a0b41fc49791a4/dispat...



Arun Patidar