Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.
SOLVED

X-Frame-Options: SAMEORIGON

Avatar

Level 3

Hi,

 

Can someone please advise, where exactly where to add this X-Frame-Options: SAMEORIGON for AEM application. We want an external application to access an Adaptive Form or AEM sites page that adaptive form. The external application will be accessing the content url via IFrame. So we want to provide this

X-Frame-options.

 

But not sure how to add the line in the "publish-farm.any " or in any other file. 

 

Please advise what is the syntax and which file to add this X-Frame-Options for AEM applications.

 

Thank you

Eshwari

1 Accepted Solution

Avatar

Correct answer by
Adobe Champion

the x-frame-options header needs to be set in apache vhost config, rather than in the dispatcher farm configuration.

 

In our Managed Services deployment, this header is set by default:

 

Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options}!='SAMEORIGIN'"

 

x-frame-options is somewhat limited however - SAMEORIGIN will only allow you to iframe the content if the domain of the site matches the domain of the AEM server.
See here for details of the x-frame-options header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options


From your question it sounds like you want to display the form within some other domain, so you may be better using newer content-security-policy header - this allows you to define a list of domains which are allowed to iframe your content.

 

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

 

An example from our config:

 

Header unset X-Frame-Options
Header merge Content-Security-Policy "frame-ancestors 'self' *.domain.com *.domain.ie;"

We explicitly unset the x-frame-options header to ensure it doesn't cause unwanted behaviour, then set the CSP header.

 

This is set in the publish.vhost file - more context of the config file:

 

<VirtualHost *:80>
ServerName publish
## Put names of which domains are used for your published site/content here
ServerAlias ${PUBLISH_DEFAULT_HOSTNAME}
ServerAlias ${PUBLISH_ASSETS_HOSTNAME}
## Use a doc root that matches what's in the /etc/httpd/conf/publish-farm.any
DocumentRoot ${PUBLISH_DOCROOT}

Header Set myconfig true
## Add header breadcrumbs for help in troubleshooting
<IfModule mod_headers.c>
Header always add X-Dispatcher ${DISP_ID}
Header always add X-Vhost "publish"
Header unset X-Frame-Options
Header merge Content-Security-Policy "frame-ancestors 'self' *.domain.com *.domain.ie;"
Header merge X-Content-Type-Options nosniff "expr=%{resp:X-Content-Type-Options}!='nosniff'"
#### Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</IfModule>

 

View solution in original post

4 Replies

Avatar

Correct answer by
Adobe Champion

the x-frame-options header needs to be set in apache vhost config, rather than in the dispatcher farm configuration.

 

In our Managed Services deployment, this header is set by default:

 

Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options}!='SAMEORIGIN'"

 

x-frame-options is somewhat limited however - SAMEORIGIN will only allow you to iframe the content if the domain of the site matches the domain of the AEM server.
See here for details of the x-frame-options header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options


From your question it sounds like you want to display the form within some other domain, so you may be better using newer content-security-policy header - this allows you to define a list of domains which are allowed to iframe your content.

 

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

 

An example from our config:

 

Header unset X-Frame-Options
Header merge Content-Security-Policy "frame-ancestors 'self' *.domain.com *.domain.ie;"

We explicitly unset the x-frame-options header to ensure it doesn't cause unwanted behaviour, then set the CSP header.

 

This is set in the publish.vhost file - more context of the config file:

 

<VirtualHost *:80>
ServerName publish
## Put names of which domains are used for your published site/content here
ServerAlias ${PUBLISH_DEFAULT_HOSTNAME}
ServerAlias ${PUBLISH_ASSETS_HOSTNAME}
## Use a doc root that matches what's in the /etc/httpd/conf/publish-farm.any
DocumentRoot ${PUBLISH_DOCROOT}

Header Set myconfig true
## Add header breadcrumbs for help in troubleshooting
<IfModule mod_headers.c>
Header always add X-Dispatcher ${DISP_ID}
Header always add X-Vhost "publish"
Header unset X-Frame-Options
Header merge Content-Security-Policy "frame-ancestors 'self' *.domain.com *.domain.ie;"
Header merge X-Content-Type-Options nosniff "expr=%{resp:X-Content-Type-Options}!='nosniff'"
#### Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</IfModule>

 

Avatar

Community Advisor

Hi @Eshwarign ,

As I understood, In Apache you have security.conf file in a conf-available directory. In this file, search for X-Frame-Options, it is already present there but commented by default. Now you have two options.

  1. Uncomment this setting and restart your Apache server.
  2. Copy and paste this setting in apache.conf file, uncomment it and restart your Apache server.
<IfModule mod_headers.c>
         Header merge X-Frame-Options SAMEORIGIN
        "expr=%{resp:X-Frame Options}!='SAMEORIGIN'"
</IfModule>

Reference: https://www.aemrules.com/2020/04/aem-security-headers.html?m=1

Hope that helps!

Regards,

Santosh

Avatar

Level 1

Hi Santosh,

 

What can we do in case of AEM Author ( as cloud service) where dispatcher module/configurations are only for publish instance?

Avatar

Community Advisor

x-frame-options header needs to be set in domain or publish vhost file. In your "domain.vhost" file, add Header merge X-Frame-Options SAMEORIGIN

 

Below is the example of vhost file with syntax:

 

<VirtualHost *:80>
ServerName "publish"
## Put names of which domains are used for your published site/content here
ServerAlias www.yourdomain.com publish-p<pid>-e<envid>.adobeaemcloud.com publish-p<pid>-e<envid>.adobeaemcloud.net

## Use a document root that matches the one in conf.dispatcher.d/default.farm
DocumentRoot "${DOCROOT}"
## Add header breadcrumbs for help in troubleshooting
<IfModule mod_headers.c>
Header always add X-Dispatcher ${DISP_ID}
Header always add X-Vhost "publish"
Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options}!='SAMEORIGIN'"
</IfModule>
</VirtualHost>

 

Thanks,

Heena