How to avoid the Clickjacking vulnerability in AppManager ?

Applications Manager can send a Content-Security-Policy header with the frame-ancestors directive to combat clickjacking. Whether it does so is controlled by a setting that can be enabled or disabled in the UI.

Follow the steps for your Applications Manager version:
  1. v15250 and above
    Enable the option directly from the Applications Manager web console:
    Open Admin -> Product Settings -> Security Settings.
    Under Security response headers, choose Enable Security response Headers -> Modify, enable Content-Security-Policy and click Save.
    Note: For Applications Manager Plugin users, provide the OpManager URL in the http://<opm-host>:<opm-port> format by using the + Add button.
  2. v13400 to v15240
    Follow the detailed steps listed below.
  3. Below v13400
    Upgrade to the latest version of Applications Manager.


Steps for v13400 to v15240:
i. Navigate to 'APM_Home\working\WEB-INF\backup' and take a backup copy of the 'web.xml' file present there.
ii. In the web.xml file, search for the following line:

<!-- Uncomment the following code to enable protection against click jacking. -->

iii. Remove the '<!--' and '-->' that enclose the block beneath this line, so that the code used to prevent clickjacking is uncommented. The default values (SAMEORIGIN and frame-ancestors 'self') block framing of the page by any origin other than Applications Manager itself.

Original:

<!-- Uncomment the following code to enable protection against click jacking. -->
<!--
<init-param>
    <param-name>xFrameOptions</param-name>
    <param-value>SAMEORIGIN</param-value>
</init-param>
<init-param>
    <param-name>contentSecurityPolicy</param-name>
    <param-value>frame-ancestors 'self'</param-value>
</init-param>
-->

Modified:

<!-- Uncomment the following code to enable protection against click jacking. -->
<init-param>
    <param-name>xFrameOptions</param-name>
    <param-value>SAMEORIGIN</param-value>
</init-param>
<init-param>
    <param-name>contentSecurityPolicy</param-name>
    <param-value>frame-ancestors 'self'</param-value>
</init-param>

iv. If Applications Manager is running as a Plugin build, specify the OpManager domain instead of SAMEORIGIN, as follows:

<init-param>
    <param-name>xFrameOptions</param-name>
    <param-value>ALLOW-FROM <source></param-value>
</init-param>
<init-param>
    <param-name>contentSecurityPolicy</param-name>
    <param-value>frame-ancestors <source>;</param-value>
</init-param>

Replace <source> with the domain from which the site may be loaded inside a frame.

Example:

<init-param>
    <param-name>xFrameOptions</param-name>
    <param-value>ALLOW-FROM https://example.com/</param-value>
</init-param>
<init-param>
    <param-name>contentSecurityPolicy</param-name>
    <param-value>frame-ancestors https://example.com/;</param-value>
</init-param>

v. Save the file and restart the Applications Manager instance, then check whether the issue is resolved.
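As an added example that is not part of this article or of Applications Manager, the following Python script checks whether a server's response headers carry the protections configured above (X-Frame-Options and a CSP frame-ancestors directive). The sample header sets are constructed to mirror the default and plugin configurations, and the optional URL argument is assumed to point at the Applications Manager web console.

```python
"""Verify anti-clickjacking response headers after the web.xml change."""
import sys
import urllib.request


def frame_ancestors(csp: str):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def assess(headers: dict) -> dict:
    """Evaluate a header-name -> value mapping (any case) and report what protects the page."""
    h = {k.lower(): v for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").strip().upper()
    ancestors = frame_ancestors(h.get("content-security-policy", ""))
    result = {
        "x_frame_options": xfo or None,
        "frame_ancestors": ancestors,
        # Only DENY and SAMEORIGIN are honoured; ALLOW-FROM is ignored by current browsers.
        "xfo_effective": xfo in ("DENY", "SAMEORIGIN"),
        # frame-ancestors is honoured by current browsers and takes precedence over X-Frame-Options.
        "csp_effective": ancestors is not None and "*" not in ancestors,
    }
    result["protected"] = result["xfo_effective"] or result["csp_effective"]
    return result


# Constructed samples: what the default and plugin init-params above would emit.
SAMPLE_DEFAULT = {"X-Frame-Options": "SAMEORIGIN",
                  "Content-Security-Policy": "frame-ancestors 'self'"}
SAMPLE_PLUGIN = {"X-Frame-Options": "ALLOW-FROM https://example.com/",
                 "Content-Security-Policy": "frame-ancestors https://example.com/;"}
SAMPLE_UNPROTECTED = {"Content-Type": "text/html"}  # constructed: headers still commented out


def check_url(url: str) -> dict:
    """Fetch the console URL (assumed reachable) and assess its response headers."""
    with urllib.request.urlopen(url) as resp:
        return assess(dict(resp.headers.items()))


if __name__ == "__main__":
    verdict = check_url(sys.argv[1]) if len(sys.argv) > 1 else assess(SAMPLE_DEFAULT)
    print(verdict)
```

For the plugin configuration the script reports xfo_effective as false, because current browsers do not honour ALLOW-FROM; the frame-ancestors directive is what actually restricts framing to the OpManager origin.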