4 Replies Latest reply on Apr 12, 2018 6:24 PM by Vahid Rahimi

    X-Frame-Options & Clickjacking

    Christopher Halbersma Newbie

      So we're using WildFly for some of our servers. Recently we ran a vulnerability scan against our machines and realized that we had a potential clickjacking issue. I'm trying to find out what to do to set X-Frame-Options. I know how to do it for other web servers, but I can't seem to find the place to configure it in WildFly. I assume it will be in my /opt/wildfly/standalone/configuration/standalone.xml file somewhere. Can anyone point me in the right direction?

        • 1. Re: X-Frame-Options & Clickjacking
          Tomaz Cerar Master

          That would be the Undertow subsystem.


          You need to add a custom header to the response; see how custom headers are currently added for Server & X-Powered-By.

          • 2. Re: X-Frame-Options & Clickjacking
            Christopher Halbersma Newbie

            Tomaz,


            Can you point me in the right direction? Based on the Undertow Documentation it looks like I want to set a Header Handler. Would that be something that would get controlled in the code of the application or can I set that somewhere in my .xml settings file?

            • 3. Re: X-Frame-Options & Clickjacking
              m say Newbie

              Why are all the responses to WildFly-related questions so vague? Tomaz Cerar, if you know the answer, could you please be more specific in your answer? Yes, we know WildFly has something great called the Undertow subsystem.

              • 4. Re: X-Frame-Options & Clickjacking
                Vahid Rahimi Newbie

                        <subsystem xmlns="urn:jboss:domain:undertow:1.2">
                            <buffer-cache name="default"/>
                            <server name="default-server">
                                <http-listener name="default" socket-binding="http" max-post-size="999999999"/>
                                <host name="default-host" alias="localhost">
                                    <location name="/" handler="welcome-content"/>
                                    <filter-ref name="server-header"/>
                                    <filter-ref name="x-powered-by-header"/>
                                    <!-- reference the X-Frame-Options filter defined in <filters> below -->
                                    <filter-ref name="xFrameOptions"/>
                                </host>
                            </server>
                ....
                            <filters>
                                <response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
                                <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
                                <!-- the filter itself: adds X-Frame-Options: SAMEORIGIN to every response from the host -->
                                <response-header name="xFrameOptions" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
                            </filters>
                        </subsystem>
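After adding the filter and filter-ref shown in the reply above, the next thing a practitioner wants is a way to confirm the header actually reaches the client and that its value is one browsers enforce. The following script is an added example, not part of this thread and not WildFly or Undertow code. It classifies a response's anti-framing protection from its headers, treating a Content-Security-Policy frame-ancestors directive as taking precedence over X-Frame-Options (as browsers do) and flagging the obsolete ALLOW-FROM form. The sample header sets are constructed; the `fetch_headers` helper uses only the standard library and is for running against a live server such as the default WildFly port 8080.

```python
"""Check an HTTP response for clickjacking protection (X-Frame-Options / CSP frame-ancestors).

Added example for this thread; not WildFly/Undertow code. Sample headers below are constructed.
"""
import sys
import urllib.request
from typing import Dict, Optional, Tuple

# Values of X-Frame-Options that current browsers enforce.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def _lower_headers(headers: Dict[str, str]) -> Dict[str, str]:
    # Header names are case-insensitive, so normalise before lookup.
    return {k.lower(): v.strip() for k, v in headers.items()}


def frame_ancestors(csp: str) -> Optional[str]:
    """Return the source list of the frame-ancestors directive in a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:])
    return None


def clickjacking_protection(headers: Dict[str, str]) -> Tuple[str, str]:
    """Classify anti-framing protection in a header map.

    Returns (status, detail) with status one of:
      "protected" - framing restricted by CSP frame-ancestors or a valid X-Frame-Options
      "weak"      - a header is present but browsers will not enforce it as a restriction
      "missing"   - no anti-framing header at all
    """
    h = _lower_headers(headers)

    # When a CSP frame-ancestors directive is present, browsers ignore X-Frame-Options.
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            if "*" in sources.split():
                return "weak", f"CSP frame-ancestors {sources!r} allows any origin to frame the page"
            return "protected", f"CSP frame-ancestors {sources or chr(39) + 'none' + chr(39)}"

    xfo = h.get("x-frame-options")
    if xfo is None:
        return "missing", "no X-Frame-Options or CSP frame-ancestors header"
    value = xfo.upper()
    if value in VALID_XFO:
        return "protected", f"X-Frame-Options: {value}"
    if value.startswith("ALLOW-FROM"):
        return "weak", "ALLOW-FROM is obsolete and ignored by current browsers (treated as absent)"
    return "weak", f"unrecognised X-Frame-Options value {xfo!r}; browsers ignore invalid values"


def fetch_headers(url: str, timeout: float = 5.0) -> Dict[str, str]:
    """Fetch response headers from a live server (network; not exercised offline)."""
    with urllib.request.urlopen(urllib.request.Request(url), timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample responses, modelled on the WildFly filter configuration in the thread.
SAMPLES = {
    "wildfly-with-filter": {"Server": "WildFly/8", "X-Powered-By": "Undertow/1", "X-Frame-Options": "SAMEORIGIN"},
    "wildfly-default": {"Server": "WildFly/8", "X-Powered-By": "Undertow/1"},
    "allow-from": {"x-frame-options": "ALLOW-FROM https://example.com"},
    "csp-only": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-wildcard": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python check_xfo.py http://localhost:8080/
        status, detail = clickjacking_protection(fetch_headers(sys.argv[1]))
        print(f"{sys.argv[1]}: {status} ({detail})")
    else:
        for name, hdrs in SAMPLES.items():
            status, detail = clickjacking_protection(hdrs)
            print(f"{name:22} {status:10} {detail}")
```

Run it with no arguments to see the classification of the constructed samples, or pass the URL of a WildFly host to check the real response. Note the `csp-wildcard` case: a DENY header does not help once a permissive frame-ancestors directive is present, which is why the check looks at CSP first.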