X-Frame-Options: SAMEORIGON

Question

Hi,

Can someone please advise, where exactly where to add this X-Frame-Options: SAMEORIGON for AEM application. We want an external application to access an Adaptive Form or AEM sites page that adaptive form. The external application will be accessing the content url via IFrame. So we want to provide this

X-Frame-options.

But not sure how to add the line in the "publish-farm.any " or in any other file.

Please advise what is the syntax and which file to add this X-Frame-Options for AEM applications.

Thank you

Eshwari

martin_ecx_io · Accepted Answer

the x-frame-options header needs to be set in apache vhost config, rather than in the dispatcher farm configuration.

In our Managed Services deployment, this header is set by default:

Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame-Options}!='SAMEORIGIN'"

x-frame-options is somewhat limited however - SAMEORIGIN will only allow you to iframe the content if the domain of the site matches the domain of the AEM server.
See here for details of the x-frame-options header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

From your question it sounds like you want to display the form within some other domain, so you may be better using newer content-security-policy header - this allows you to define a list of domains which are allowed to iframe your content.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

An example from our config:

Header unset X-Frame-Options
Header merge Content-Security-Policy "frame-ancestors 'self' *.domain.com *.domain.ie;"

We explicitly unset the x-frame-options header to ensure it doesn't cause unwanted behaviour, then set the CSP header.

This is set in the publish.vhost file - more context of the config file:

<VirtualHost *:80>
   ServerName publish
   ## Put names of which domains are used for your published site/content here
   ServerAlias    ${PUBLISH_DEFAULT_HOSTNAME} 
   ServerAlias    ${PUBLISH_ASSETS_HOSTNAME}
   ## Use a doc root that matches what's in the /etc/httpd/conf/publish-farm.any
   DocumentRoot   ${PUBLISH_DOCROOT}
   
   Header Set myconfig true
   ## Add header breadcrumbs for help in troubleshooting
   <IfModule mod_headers.c>
         Header always add X-Dispatcher ${DISP_ID}
         Header always add X-Vhost "publish"
            Header unset X-Frame-Options
            Header merge Content-Security-Policy "frame-ancestors 'self' *.domain.com *.domain.ie;"
         Header merge X-Content-Type-Options nosniff "expr=%{resp:X-Content-Type-Options}!='nosniff'"
      #### Make sure proxies don't deliver the wrong content
      Header append Vary User-Agent env=!dont-vary
   </IfModule>

SantoshSai · Answer

Hi @eshwarign ,As I understood, In Apache you have security.conf file in a conf-available directory. In this file, search for X-Frame-Options, it is already present there but commented by default. Now you have two options.Uncomment this setting and restart your Apache server.Copy and paste this setting in apache.conf file, uncomment it and restart your Apache server. Header merge X-Frame-Options SAMEORIGIN "expr=%{resp:X-Frame Options}!='SAMEORIGIN'"Reference: https://www.aemrules.com/2020/04/aem-security-headers.html?m=1Hope that helps!Regards,Santosh

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded