The anti-clickjacking X-Frame-Options header is not present
We're currently assessing ADSelfService Plus and it is failing a few of our security checks. The following alert has been raised:
Description:
It was identified that the assets in scope do not include adequate security controls to counter click theft attacks (clickjacking). In this attack the hosted web application is loaded inside a page the attacker controls, with an opaque layer placed over it containing fake buttons and links, so that when the user clicks on them they are actually, and inadvertently, clicking in the web application. This attack is especially dangerous when the user is authenticated to the web application in scope, because the inadvertent clicks occur within the authenticated session.
Fix:
It is recommended that at least one of the two countermeasures be taken: (i) include the X-Frame-Options field in the HTTP responses sent by the web server, or (ii) include JavaScript code in the web application that prevents it from being loaded inside frames.
I've found a few posts that discuss modifying the file conf\security-params.xml but this doesn't appear to be working. Has this process changed since these solutions were posted?
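To verify whether the countermeasure is actually reaching the browser, it helps to check the response headers the way a browser evaluates them rather than just grepping for the header name. The following Python script is an added example for this thread; it is not code from ADSelfService Plus, ManageEngine or the scanner that raised the alert. It parses a raw HTTP response, classifies its clickjacking protection and also accounts for the modern CSP frame-ancestors directive, which browsers honour in preference to X-Frame-Options. The sample responses at the bottom are constructed for illustration.

```python
"""Added example: classify an HTTP response's clickjacking protection
from its headers. Not ADSelfService Plus code and not the scanner's
logic; the sample responses below are constructed for illustration."""


def parse_response_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 response into a dict.

    Names are lowercased (header names are case-insensitive) and a
    repeated header is joined with ", ", the usual list-combination rule.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # element [0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def frame_ancestors(csp: str):
    """Return the (lowercased) source list of a CSP frame-ancestors
    directive, or None when the policy has no such directive."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def assess_clickjacking(raw_response: str) -> dict:
    """Return {'status': 'protected' | 'unprotected' | 'review', 'reason': str}.

    Evaluation order mirrors browsers: a CSP frame-ancestors directive,
    when present, takes precedence over X-Frame-Options. Without CSP,
    only DENY and SAMEORIGIN count as protection; ALLOW-FROM is obsolete
    and ignored by current browsers, so it is reported as unprotected.
    """
    h = parse_response_headers(raw_response)

    csp = h.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            shown = "CSP frame-ancestors " + " ".join(sources)
            if "*" in sources:
                return {"status": "unprotected", "reason": shown + " allows any framer"}
            return {"status": "protected", "reason": shown}

    xfo = h.get("x-frame-options")
    if xfo is None:
        return {"status": "unprotected",
                "reason": "neither X-Frame-Options nor CSP frame-ancestors is set"}
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return {"status": "protected", "reason": f"X-Frame-Options {value}"}
    if "," in value:  # several distinct values: browser handling differs, check by hand
        return {"status": "review", "reason": f"multiple X-Frame-Options values: {xfo!r}"}
    if value.startswith("ALLOW-FROM"):
        return {"status": "unprotected",
                "reason": f"X-Frame-Options {xfo!r} is obsolete and ignored by current browsers"}
    return {"status": "unprotected",
            "reason": f"X-Frame-Options {xfo!r} is not a recognised value"}


# Constructed sample responses (illustrative, not captured from any product).
SAMPLES = {
    "no_header": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    "sameorigin": "HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n\r\n",
    "csp_none": ("HTTP/1.1 200 OK\r\nContent-Security-Policy: "
                 "default-src 'self'; frame-ancestors 'none'\r\n\r\n"),
    # CSP wins over X-Frame-Options, so this page is framable despite DENY.
    "csp_overrides_xfo": ("HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
                          "Content-Security-Policy: frame-ancestors *\r\n\r\n"),
    "allow_from": "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://portal.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict = assess_clickjacking(raw)
        print(f"{name:18} {verdict['status']:12} {verdict['reason']}")
```

When running this against a real deployment, feed it the response of every authenticated page (a post-login page, the password-change page, and so on), not only the login page: the control has to be present on each response the scanner exercises, and a header set on one servlet path but not another is exactly the kind of result that reproduces the alert above even after editing the configuration.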