Adobe Experience Manager Sites & More

Eshwarign · 7/13/22

Hi,

Can someone please advise, where exactly where to add this X-Frame-Options: SAMEORIGON for AEM application. We want an external application to access an Adaptive Form or AEM sites page that adaptive form. The external application will be accessing the content url via IFrame. So we want to provide this

X-Frame-options.

But not sure how to add the line in the "publish-farm.any " or in any other file.

Please advise what is the syntax and which file to add this X-Frame-Options for AEM applications.

Thank you

Eshwari

martin_ecx_io · 7/13/22

the x-frame-options header needs to be set in apache vhost config, rather than in the dispatcher farm configuration.

In our Managed Services deployment, this header is set by default:

Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options}!='SAMEORIGIN'"

x-frame-options is somewhat limited however - SAMEORIGIN will only allow you to iframe the content if the domain of the site matches the domain of the AEM server.
See here for details of the x-frame-options header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

From your question it sounds like you want to display the form within some other domain, so you may be better using newer content-security-policy header - this allows you to define a list of domains which are allowed to iframe your content.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

An example from our config:

Header unset X-Frame-Options
Header merge Content-Security-Policy "frame-ancestors 'self' *.domain.com *.domain.ie;"

We explicitly unset the x-frame-options header to ensure it doesn't cause unwanted behaviour, then set the CSP header.

This is set in the publish.vhost file - more context of the config file:

<VirtualHost *:80>
   ServerName publish
   ## Put names of which domains are used for your published site/content here
   ServerAlias    ${PUBLISH_DEFAULT_HOSTNAME} 
   ServerAlias    ${PUBLISH_ASSETS_HOSTNAME}
   ## Use a doc root that matches what's in the /etc/httpd/conf/publish-farm.any
   DocumentRoot   ${PUBLISH_DOCROOT}
   
   Header Set myconfig true
   ## Add header breadcrumbs for help in troubleshooting
   <IfModule mod_headers.c>
         Header always add X-Dispatcher ${DISP_ID}
         Header always add X-Vhost "publish"
            Header unset X-Frame-Options
            Header merge Content-Security-Policy "frame-ancestors 'self' *.domain.com *.domain.ie;"
         Header merge X-Content-Type-Options nosniff "expr=%{resp:X-Content-Type-Options}!='nosniff'"
      #### Make sure proxies don't deliver the wrong content
      Header append Vary User-Agent env=!dont-vary
   </IfModule>

View solution in original post

martin_ecx_io · 7/13/22

the x-frame-options header needs to be set in apache vhost config, rather than in the dispatcher farm configuration.

In our Managed Services deployment, this header is set by default:

Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options}!='SAMEORIGIN'"

x-frame-options is somewhat limited however - SAMEORIGIN will only allow you to iframe the content if the domain of the site matches the domain of the AEM server.
See here for details of the x-frame-options header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

From your question it sounds like you want to display the form within some other domain, so you may be better using newer content-security-policy header - this allows you to define a list of domains which are allowed to iframe your content.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

An example from our config:

Header unset X-Frame-Options
Header merge Content-Security-Policy "frame-ancestors 'self' *.domain.com *.domain.ie;"

We explicitly unset the x-frame-options header to ensure it doesn't cause unwanted behaviour, then set the CSP header.

This is set in the publish.vhost file - more context of the config file:

<VirtualHost *:80>
   ServerName publish
   ## Put names of which domains are used for your published site/content here
   ServerAlias    ${PUBLISH_DEFAULT_HOSTNAME} 
   ServerAlias    ${PUBLISH_ASSETS_HOSTNAME}
   ## Use a doc root that matches what's in the /etc/httpd/conf/publish-farm.any
   DocumentRoot   ${PUBLISH_DOCROOT}
   
   Header Set myconfig true
   ## Add header breadcrumbs for help in troubleshooting
   <IfModule mod_headers.c>
         Header always add X-Dispatcher ${DISP_ID}
         Header always add X-Vhost "publish"
            Header unset X-Frame-Options
            Header merge Content-Security-Policy "frame-ancestors 'self' *.domain.com *.domain.ie;"
         Header merge X-Content-Type-Options nosniff "expr=%{resp:X-Content-Type-Options}!='nosniff'"
      #### Make sure proxies don't deliver the wrong content
      Header append Vary User-Agent env=!dont-vary
   </IfModule>

SantoshSai · 7/13/22

Hi @Eshwarign ,

As I understood, In Apache you have security.conf file in a conf-available directory. In this file, search for X-Frame-Options, it is already present there but commented by default. Now you have two options.

Uncomment this setting and restart your Apache server.
Copy and paste this setting in apache.conf file, uncomment it and restart your Apache server.

<IfModule mod_headers.c>
         Header merge X-Frame-Options SAMEORIGIN
        "expr=%{resp:X-Frame Options}!='SAMEORIGIN'"
</IfModule>

Reference: https://www.aemrules.com/2020/04/aem-security-headers.html?m=1

Hope that helps!

Regards,

Santosh

ShifGro · 8/7/23

Hi Santosh,

What can we do in case of AEM Author ( as cloud service) where dispatcher module/configurations are only for publish instance?

HeenaMadan · 7/13/22

x-frame-options header needs to be set in domain or publish vhost file. In your "domain.vhost" file, add Header merge X-Frame-Options SAMEORIGIN

Below is the example of vhost file with syntax:

<VirtualHost *:80>
ServerName "publish"
## Put names of which domains are used for your published site/content here
ServerAlias www.yourdomain.com publish-p<pid>-e<envid>.adobeaemcloud.com publish-p<pid>-e<envid>.adobeaemcloud.net

## Use a document root that matches the one in conf.dispatcher.d/default.farm
DocumentRoot "${DOCROOT}"
## Add header breadcrumbs for help in troubleshooting
<IfModule mod_headers.c>
Header always add X-Dispatcher ${DISP_ID}
Header always add X-Vhost "publish"
Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options}!='SAMEORIGIN'"
</IfModule>
</VirtualHost>

Thanks,

Heena

Adobe Experience Manager Sites & More

X-Frame-Options: SAMEORIGON

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe