Uploaded image for project: 'Bitbucket Server'
  1. Bitbucket Server
  2. BSERV-9437

Enable X-FRAME-Options header to implement clickjacking protection



    • Suggestion
    • Status: Gathering Interest (View Workflow)
    • Resolution: Unresolved
    • None
    • Security - Other
    • None
    • 22
    • We collect Bitbucket feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.


      TLDR: Add X-FRAME-Options: SAMEORIGIN to all HTTP(S) pages (server config), and test that nothing breaks.

      Description: HTTP headers on requests that start with /plugins/servlet/ do not contain the X-FRAME-Option, which helps prevents against Clickjacking attacks. A Clickjacking attack is similar to CSRF in which attacker can hijack a "click" on a web application from another "invisible" frame in the browser. Essentially, an attacker can force a user to click on a button that is invisible to him/her.

      We already set the X-Frame-Options header for most URLs  exceptions are the login page and the /plugins/servlet/.* paths that are currently whitelisted.

      The header should be added to those paths too. 


      Exploit Scenario: An attacker crafts a malicious page such that when their victim clicks, they are actually clicking on the link or button in the vulnerable application hosted in an iframe. Thus, an attacker tricks the user into performing an action of the attacker's choosing by directing mouse input to the target application.


      Applying an additional header to the Apache HTTP server can mitigate this problem. Specifically using the SAMEORIGIN setting. If the header contains the SAMEORIGIN option, the response will be loaded within a frame only if the parent page is from the same origin.

      For Apache:

      1. Add this to your httpd.conf file:
        Header always setifempty X-Frame-Options SAMEORIGIN
      2. Ensure the headers module is enabled, the below is required in httpd.conf, or if using Ubuntu/Debian a2enmod headers will turn it on.
        LoadModule headers_module modules/mod_headers.so
      3. Restart Apache.

      Note that this is not a panacea for clickjacking. SAMEORIGIN should be safe to use and not provide any negative side-effects.


        Issue Links



              Unassigned Unassigned
              dcarcasole Daniele Carcasole (Inactive)
              11 Vote for this issue
              19 Start watching this issue