on 05-31-2017 4:01 PM
Hi all, we would like to use hybris in an iFrame, but by default it denies being opened in an iFrame to prevent clickjacking, by setting the X-Frame-Options header to "SAMEORIGIN":
# setting 'X-Frame-Options=SAMEORIGIN' to prevent clickjacking attacks
# xss.filter.header.X-Frame-Options=SAMEORIGIN
Would it be a general problem if we removed or deactivated this setting in order to use hybris in an iFrame within our application?
Thanks in advance for your support. BR Jörg
Hi Joerg,
According to Clickjacking Defense Cheat Sheet, you have three options for values for the X-Frame-Options header. The safest is DENY and so appears in Hybris as the default. But SAMEORIGIN should work, so long as your security quality attribute requirements allow for this X-Frame-Options header value.
--Greg
As far as I know, it is the security violation that hybris by default recommends against; even further, it is set strictly with a "cross domain origin" restriction. By allowing other domains to render the page inside the iframe, you are agreeing to clickjacking attacks, as well as, in turn, the related cross-domain origin issues.
In my experience, we created a filter that sets X-Frame-Options to ALLOW-FROM only for the specific domain that the third party wants to load in their iframe.
You can set ALLOW-FROM *.salesforce.com on the response header, but please remember that the default properties set by the hybris engine also get appended to the response header. So make sure you disable that completely and take control in a filter that intercepts all requests coming to the application, making sure you set ALLOW-FROM with the specific domain; that may at least stop intruders.
I would check with the security audit experts once you have confirmed the solution.
Additional note: please also pay attention to the CSRF allowed URL patterns. Depending on your requirements, you cannot submit or post any pages directly to the hybris server from an iframe on a third-party domain, as the CSRF protection restricts the application and protects against clickjacking.
Thanks
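An added example, not from this thread and not hybris code: a small Python model of how a browser decides whether a page may be framed, given the response headers discussed above. It also covers CSP frame-ancestors, which the thread does not mention: ALLOW-FROM was only ever honoured by Internet Explorer and older Firefox, Chrome and Safari ignore it entirely (so it protects nothing there), and frame-ancestors is the supported cross-origin option and takes precedence over X-Frame-Options when both are present. Origins such as shop.example.com and partner.example.net are constructed for the example.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """Scheme + host[:port] of a URL, lower-cased (the browser's notion of origin)."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _csp_source_matches(src, top_origin, res_origin):
    """Match one frame-ancestors source expression against the framing page's origin."""
    s = src.strip("'").lower()
    if s == "self":
        return top_origin == res_origin
    if "://" in s:                       # full origin, e.g. https://partner.example.net
        return s.rstrip("/") == top_origin
    host = urlsplit(top_origin).hostname
    if s.startswith("*."):               # *.example.com matches a.example.com
        return host.endswith(s[1:])
    return host == s


def framing_allowed(headers, resource_url, top_url, allow_from_supported=False):
    """Decide whether the page at resource_url may be framed by a top-level document
    at top_url. allow_from_supported models the (legacy) browsers that honour
    ALLOW-FROM. Returns (allowed, reason)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    top_origin, res_origin = origin_of(top_url), origin_of(resource_url)
    # CSP Level 2: when frame-ancestors is present, X-Frame-Options is ignored.
    for directive in hdrs.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p for p in parts[1:] if p.lower() != "'none'"]
            ok = any(_csp_source_matches(s, top_origin, res_origin) for s in sources)
            return ok, "frame-ancestors"
    value, _, rest = hdrs.get("x-frame-options", "").strip().partition(" ")
    value = value.upper()
    if value == "DENY":
        return False, "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        return top_origin == res_origin, "X-Frame-Options: SAMEORIGIN"
    if value == "ALLOW-FROM":
        if not allow_from_supported:
            # Chrome/Safari/current Firefox drop the header: framing is NOT blocked.
            return True, "ALLOW-FROM ignored by this browser (no protection)"
        return origin_of(rest.strip()) == top_origin, "X-Frame-Options: ALLOW-FROM"
    return True, "no framing restriction"
```

Run the function against the headers your filter actually emits (e.g. from a curl -I of the cscockpit URL) with the partner's origin as top_url and an unrelated origin as a negative case; the ALLOW-FROM branch shows why a filter that only sets ALLOW-FROM leaves most browsers unprotected.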
Hi Joerg, can you please explain both ways in detail: where exactly do we have to make the configuration, or which properties and in which property file do we have to make changes? We need to open the cscockpit URL in an iframe on a third-party website.
Your help would be greatly appreciated. Thanks & Regards, Amol