4 Replies Latest reply on Apr 12, 2018 6:24 PM by vabara

    X-Frame-Options & Clickjacking

    christopher.halbersma

So we're using wildfly for some of our servers. Recently we ran a vulnerability scan against our machines and realized that we had a potential clickjacking issue. I'm trying to find out what to do to set X-Frame-Options. I know how to do it for other web servers but I can't seem to find the place to configure it in wildfly. I assume it will be in my /opt/wildfly/standalone/configuration/standalone.xml file somewhere. Can anyone point me in the right direction?

        • 1. Re: X-Frame-Options & Clickjacking
          ctomc

          That would be the undertow subsystem.

          You need to add a custom header to the response; see how custom headers are currently added for Server & X-Powered-By.

          • 2. Re: X-Frame-Options & Clickjacking
            christopher.halbersma

            Tomaz,

            Can you point me in the right direction? Based on the Undertow documentation it looks like I want to set a Header Handler. Would that be something that would get controlled in the code of the application, or can I set that somewhere in my .xml settings file?

            • 3. Re: X-Frame-Options & Clickjacking
              mustafasayem

              Why are all the responses to wildfly-related questions so vague? Tomaz Cerar, if you know the answer, could you please be more specific in your answer? Yes, we know wildfly has something great called the undertow subsystem.

              • 4. Re: X-Frame-Options & Clickjacking
                vabara

                        <subsystem xmlns="urn:jboss:domain:undertow:1.2">
                            <buffer-cache name="default"/>
                            <server name="default-server">
                                <http-listener name="default" socket-binding="http" max-post-size="999999999"/>
                                <host name="default-host" alias="localhost">
                                    <location name="/" handler="welcome-content"/>
                                    <filter-ref name="server-header"/>
                                    <filter-ref name="x-powered-by-header"/>
                                    <filter-ref name="xFrameOptions"/>
                                </host>
                            </server>
                ....
                            <filters>
                                <response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
                                <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
                                <response-header name="xFrameOptions" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
                            </filters>
                        </subsystem>
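The configuration in the last reply has two halves that are easy to get out of sync: the response-header filter must be defined under <filters>, and every <host> that should send the header must carry a matching <filter-ref>. Defining the filter without referencing it is a common reason a rescan still flags clickjacking. The script below is an added example (not code from this thread or from the WildFly project) that audits a standalone.xml for exactly that: it locates the undertow subsystem by its namespace prefix, checks that an X-Frame-Options filter exists with a value browsers still honour (DENY or SAMEORIGIN), and reports any host that does not reference it. The embedded XML is a constructed sample modelled on the snippet above; the function names and the ACCEPTED_VALUES set are this example's own.

```python
import sys
import xml.etree.ElementTree as ET

# The undertow subsystem namespace carries a schema version suffix (e.g. ...:undertow:1.2),
# so we match on the prefix rather than one exact URI.
UNDERTOW_NS_PREFIX = "urn:jboss:domain:undertow:"

# Values current browsers enforce. ALLOW-FROM is obsolete and silently ignored,
# which leaves the page framable, so it is treated as a finding here.
ACCEPTED_VALUES = {"DENY", "SAMEORIGIN"}

# Constructed sample standalone.xml fragment for this example (not a real server's file).
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:1.7">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:1.2">
      <server name="default-server">
        <http-listener name="default" socket-binding="http"/>
        <host name="default-host" alias="localhost">
          <location name="/" handler="welcome-content"/>
          <filter-ref name="server-header"/>
          <filter-ref name="xFrameOptions"/>
        </host>
      </server>
      <filters>
        <response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
        <response-header name="xFrameOptions" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
      </filters>
    </subsystem>
  </profile>
</server>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def _ns(tag):
    """Return the namespace URI of an ElementTree tag, or '' if it has none."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def audit_x_frame_options(xml_text):
    """Return a list of human-readable findings; an empty list means the config is complete."""
    root = ET.fromstring(xml_text)
    findings = []
    subsystems = [el for el in root.iter()
                  if _local(el.tag) == "subsystem" and _ns(el.tag).startswith(UNDERTOW_NS_PREFIX)]
    if not subsystems:
        return ["no undertow subsystem found in this configuration"]

    for sub in subsystems:
        ns = _ns(sub.tag)

        def q(name):
            # Children live in the same namespace as the <subsystem> element.
            return f"{{{ns}}}{name}"

        # Half one: is an X-Frame-Options response-header filter defined at all, and sanely?
        filters = sub.find(q("filters"))
        xfo_filter_names = set()
        for rh in (filters.findall(q("response-header")) if filters is not None else []):
            if (rh.get("header-name") or "").strip().lower() != "x-frame-options":
                continue
            xfo_filter_names.add(rh.get("name"))
            value = (rh.get("header-value") or "").strip().upper()
            if value not in ACCEPTED_VALUES:
                findings.append(f"filter {rh.get('name')!r} sets X-Frame-Options to "
                                f"{rh.get('header-value')!r}; expected DENY or SAMEORIGIN")
        if not xfo_filter_names:
            findings.append("no response-header filter for X-Frame-Options is defined under <filters>")

        # Half two: does every host actually reference one of those filters?
        for server in sub.findall(q("server")):
            for host in server.findall(q("host")):
                refs = {fr.get("name") for fr in host.findall(q("filter-ref"))}
                if not refs & xfo_filter_names:
                    findings.append(f"host {host.get('name')!r} on server {server.get('name')!r} "
                                    f"has no filter-ref to an X-Frame-Options filter")
    return findings


if __name__ == "__main__":
    # Usage: python audit_xfo.py /opt/wildfly/standalone/configuration/standalone.xml
    # With no argument the constructed sample above is audited instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STANDALONE_XML
    problems = audit_x_frame_options(text)
    print("\n".join(problems) if problems else "OK: X-Frame-Options filter defined and referenced by every host")
```

Run it against the real file after editing and again after a restart; the CLI-driven path writes the same elements, so the audit applies either way. Pair it with an HTTP check of an actual response, since the filter only takes effect for hosts that reference it.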