Prevent Clickjacking, X-Frame-Options alone doesn't seem to be doing much | Community
Skip to main content
I
IshaJa
Level 2
November 6, 2023
Solved

Prevent Clickjacking, X-Frame-Options alone doesn't seem to be doing much

  • November 6, 2023
  • 1 reply
  • 1828 views

Hello!

 

I'm trying to fix an issue with clickjacking, and I was following this guide here: https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/getting-started/security-checklist.html?lang=en

 

It mentioned setting the X-FRAME-OPTIONS HTTP header to SAMEORIGIN.

 

By default, in our available vhost files, we already have this:

Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options}!='SAMEORIGIN'"

 

I'm confused why the clickjacking is still possible despite having this in our HTTP Header, would appreciate any help! Maybe we're missing something. 

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

1 reply

arunpatidar
Community Advisor
arunpatidarCommunity Advisor
Community Advisor
November 6, 2023

Hi,

Can you check if you can see X-Frame-Options header in the response ?

 

However there is a cheat sheet to defend clickjacking

https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html 

Arun Patidar
    I
    IshaJaAuthor
    Level 2
    November 6, 2023

    I see X-Frame-Options on resources like client libraries or SVGs, but I don't see it on the main website itself. I don't really understand why this is happening.

     

    I looked at the cheat sheet, and it looks like I would need to add CSP too? But I still don't understand why the X-Frame-Options doesn't seem to work. 

      arunpatidar
      Community Advisor
      arunpatidarCommunity AdvisorAccepted solution
      Community Advisor
      November 7, 2023

      You can set headers from vhost as well.

      Please check example here : https://github.com/arunpatidar02/aemaacs-aemlab/blob/f96ce5316dfa4798c72d2e87d3a0b41fc49791a4/dispatcher.cloud/src/conf.d/available_vhosts/aemlab.vhost#L39 

      Arun Patidar
        Terms & ConditionsAccessibility statement

        Loading footer...