Hi,
Can someone please advise, where exactly where to add this X-Frame-Options: SAMEORIGON for AEM application. We want an external application to access an Adaptive Form or AEM sites page that adaptive form. The external application will be accessing the content url via IFrame. So we want to provide this
X-Frame-options.
But not sure how to add the line in the "publish-farm.any " or in any other file.
Please advise what is the syntax and which file to add this X-Frame-Options for AEM applications.
Thank you
Eshwari
Solved! Go to Solution.
Views
Replies
Total Likes
the x-frame-options header needs to be set in apache vhost config, rather than in the dispatcher farm configuration.
In our Managed Services deployment, this header is set by default:
Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options}!='SAMEORIGIN'"
x-frame-options is somewhat limited however - SAMEORIGIN will only allow you to iframe the content if the domain of the site matches the domain of the AEM server.
See here for details of the x-frame-options header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
From your question it sounds like you want to display the form within some other domain, so you may be better using newer content-security-policy header - this allows you to define a list of domains which are allowed to iframe your content.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
An example from our config:
Header unset X-Frame-Options
Header merge Content-Security-Policy "frame-ancestors 'self' *.domain.com *.domain.ie;"
We explicitly unset the x-frame-options header to ensure it doesn't cause unwanted behaviour, then set the CSP header.
This is set in the publish.vhost file - more context of the config file:
<VirtualHost *:80>
ServerName publish
## Put names of which domains are used for your published site/content here
ServerAlias ${PUBLISH_DEFAULT_HOSTNAME}
ServerAlias ${PUBLISH_ASSETS_HOSTNAME}
## Use a doc root that matches what's in the /etc/httpd/conf/publish-farm.any
DocumentRoot ${PUBLISH_DOCROOT}
Header Set myconfig true
## Add header breadcrumbs for help in troubleshooting
<IfModule mod_headers.c>
Header always add X-Dispatcher ${DISP_ID}
Header always add X-Vhost "publish"
Header unset X-Frame-Options
Header merge Content-Security-Policy "frame-ancestors 'self' *.domain.com *.domain.ie;"
Header merge X-Content-Type-Options nosniff "expr=%{resp:X-Content-Type-Options}!='nosniff'"
#### Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</IfModule>
the x-frame-options header needs to be set in apache vhost config, rather than in the dispatcher farm configuration.
In our Managed Services deployment, this header is set by default:
Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options}!='SAMEORIGIN'"
x-frame-options is somewhat limited however - SAMEORIGIN will only allow you to iframe the content if the domain of the site matches the domain of the AEM server.
See here for details of the x-frame-options header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
From your question it sounds like you want to display the form within some other domain, so you may be better using newer content-security-policy header - this allows you to define a list of domains which are allowed to iframe your content.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
An example from our config:
Header unset X-Frame-Options
Header merge Content-Security-Policy "frame-ancestors 'self' *.domain.com *.domain.ie;"
We explicitly unset the x-frame-options header to ensure it doesn't cause unwanted behaviour, then set the CSP header.
This is set in the publish.vhost file - more context of the config file:
<VirtualHost *:80>
ServerName publish
## Put names of which domains are used for your published site/content here
ServerAlias ${PUBLISH_DEFAULT_HOSTNAME}
ServerAlias ${PUBLISH_ASSETS_HOSTNAME}
## Use a doc root that matches what's in the /etc/httpd/conf/publish-farm.any
DocumentRoot ${PUBLISH_DOCROOT}
Header Set myconfig true
## Add header breadcrumbs for help in troubleshooting
<IfModule mod_headers.c>
Header always add X-Dispatcher ${DISP_ID}
Header always add X-Vhost "publish"
Header unset X-Frame-Options
Header merge Content-Security-Policy "frame-ancestors 'self' *.domain.com *.domain.ie;"
Header merge X-Content-Type-Options nosniff "expr=%{resp:X-Content-Type-Options}!='nosniff'"
#### Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</IfModule>
Hi @Eshwarign ,
As I understood, In Apache you have security.conf file in a conf-available directory. In this file, search for X-Frame-Options, it is already present there but commented by default. Now you have two options.
<IfModule mod_headers.c> Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame Options}!='SAMEORIGIN'" </IfModule>
Reference: https://www.aemrules.com/2020/04/aem-security-headers.html?m=1
Hope that helps!
Regards,
Santosh
Hi Santosh,
What can we do in case of AEM Author ( as cloud service) where dispatcher module/configurations are only for publish instance?
Views
Replies
Total Likes
x-frame-options header needs to be set in domain or publish vhost file. In your "domain.vhost" file, add Header merge X-Frame-Options SAMEORIGIN
Below is the example of vhost file with syntax:
<VirtualHost *:80>
ServerName "publish"
## Put names of which domains are used for your published site/content here
ServerAlias www.yourdomain.com publish-p<pid>-e<envid>.adobeaemcloud.com publish-p<pid>-e<envid>.adobeaemcloud.net
## Use a document root that matches the one in conf.dispatcher.d/default.farm
DocumentRoot "${DOCROOT}"
## Add header breadcrumbs for help in troubleshooting
<IfModule mod_headers.c>
Header always add X-Dispatcher ${DISP_ID}
Header always add X-Vhost "publish"
Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options}!='SAMEORIGIN'"
</IfModule>
</VirtualHost>
Thanks,
Heena
Views
Likes
Replies
Views
Likes
Replies
Views
Likes
Replies