I have developed my application on AEM 6.4 and now I need to access it from another application through an iframe. When I try to access my AEM application through an iframe, I get the error below:
as expected, `X-Frame-Options: SAMEORIGIN`
I have updated the configuration at the dispatcher level like this:
`X-Frame-Options: ALLOW-FROM https://mynonaemapplication.com`
But after updating it like this, it allows all other applications to access my AEM application through an iframe, which looks neither recommended nor secure.
Please advise how I can access my AEM application from another application through an iframe.
Try checking the Apache Sling Referrer filter, where you can restrict who gets to access your AEM environment.
To address known security issues with Cross-Site Request Forgery (CSRF) in CRX WebDAV and Apache Sling you need to add configurations for the Referrer filter in order to use it.
The referrer filter service is an OSGi service that allows you to configure:
- which HTTP methods should be filtered
- whether an empty referrer header is allowed
- a list of servers to be allowed in addition to the server host.
By default, all variations of localhost and the current host names the server is bound to are in the list.
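As an added illustration (not part of the original answer), this is what a Referrer filter configuration for the situation in the question could look like, deployed as a sling:OsgiConfig node under the project's config folder (for example `/apps/<project>/config/org.apache.sling.security.impl.ReferrerFilter.xml`, a path you would adapt to your own project). The host name is taken from the question; the property names are those of the Apache Sling Referrer Filter, and the method list is its default set:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Apache Sling Referrer Filter configuration (example, adapt the host to your own trusted origin). -->
<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0"
          xmlns:jcr="http://www.jcp.org/jcr/1.0"
          jcr:primaryType="sling:OsgiConfig"
          allow.empty="{Boolean}false"
          allow.hosts="[mynonaemapplication.com]"
          allow.hosts.regexp="[]"
          filter.methods="[POST,PUT,DELETE,COPY,MOVE]"
          exclude.agents.regexp="[]"/>
```

Two points worth keeping in mind when applying this. First, the filter inspects the `Referer` header only on the listed (state-changing) methods, so it protects the instance against cross-site form posts from untrusted origins; it does not by itself decide whether a page may be rendered inside an iframe, which is what the `X-Frame-Options` header at the dispatcher controls. Second, the configuration is instance-wide rather than per tenant: every host listed in `allow.hosts` is trusted for all sites served by that AEM instance, so on a shared instance the list should stay as short as possible and `allow.empty` should remain false.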
Thanks Abdul. In our case we are using a multitenant architecture with three applications running on the same AEM instance; is it safe to make this update at the OSGi level?