-
Suggestion
-
Resolution: Answered
-
None
NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.
Description: Current HTTP headers do not contain the X-FRAME-Option, which helps prevents against Clickjacking attacks. A Clickjacking attack is similar to CSRF in which attacker can hijack a "click" on a web application from another "invisible" frame in the browser. Essentially, an attacker can force a user to click on a button that is invisible to him/her.
Exploit Scenario: An attacker crafts a malicious page such that when their victim clicks, they are actually clicking on the link or button in the vulnerable application hosted in an iframe. Thus, an attacker tricks the user into performing an action of the attacker's choosing by directing mouse input to the target application.
Short Term Solution: There are 2 options in the HTTP response header for projection, include:
DENY: If the header contains the DENY option, then the response will not be loaded within a frame.
SAMEORIGIN: If the header contains the SAMEORIGIN option, the response will be loaded within a frame only if the parent page is from the same origin.
Examples below:
Apache:
Add this to your httpd.conf:
Header always append x-frame-options SAMEORIGIN
Note that this is not a panacea for clickjacking.
SAMEORIGIN should be safe to use. See also JST-5291
- is duplicated by
-
CONFSERVER-29230 UI Redressing (Clickjacking)
-
- Closed
-
- is related to
-
- Gathering Interest
- is superseded by
-
-
- Closed
-
- relates to
-
- Closed
- was cloned as
-
- Closed
Enable X-FRAME-Option in HTTP response headers in order to provide clickjacking protection
-
-
Resolution: Answered
-
None
NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.
Description: Current HTTP headers do not contain the X-FRAME-Option, which helps prevents against Clickjacking attacks. A Clickjacking attack is similar to CSRF in which attacker can hijack a "click" on a web application from another "invisible" frame in the browser. Essentially, an attacker can force a user to click on a button that is invisible to him/her.
Exploit Scenario: An attacker crafts a malicious page such that when their victim clicks, they are actually clicking on the link or button in the vulnerable application hosted in an iframe. Thus, an attacker tricks the user into performing an action of the attacker's choosing by directing mouse input to the target application.
Short Term Solution: There are 2 options in the HTTP response header for projection, include:
DENY: If the header contains the DENY option, then the response will not be loaded within a frame.
SAMEORIGIN: If the header contains the SAMEORIGIN option, the response will be loaded within a frame only if the parent page is from the same origin.
Examples below:
Apache:
Add this to your httpd.conf:
Header always append x-frame-options SAMEORIGIN
Note that this is not a panacea for clickjacking.
SAMEORIGIN should be safe to use. See also JST-5291
- is duplicated by
-
-
- Closed
-
- is related to
-
- Gathering Interest
- is superseded by
-
-
- Closed
-
- relates to
-
- Closed
- was cloned as
-
- Closed
-
Unassigned
-
VitalyA
- Votes:
-
0 Vote for this issue
- Watchers:
-
7 Start watching this issue
- Created:
- Updated:
- Resolved: