How to avoid the Clickjacking vulnerability in AppManager ?

How to avoid the Clickjacking vulnerability in AppManager ?

To configure Content-Security-Policy header with frame-ancestors directive and combat click-jacking vulnerabilityApplications Manager supports option in UI to enable/disable this via setting.

Follow the steps as per the Applications Manager version : 
  1. v15250 and above
    Can be done directly from Applications Manager web console by enabling below option
    Open Admin -> Product Settings -> Security Settings.
    Security response headers
    Enable Security response Headers -> Modify and enable Content-Security-Policy and click Save.
    Note: For Applications Manager Plugin users, provide the OPManager url in http://<opm-host>:<opm-port> format by using + Add button.
  2. v13400 to v15240
    Follow the detailed steps listed below.
  3. Below v13400
    Upgrade to latest version of Applications Manager.


Steps for v13400 to v15240 : 
i. Navigate to 'APM_Home\working\WEB-INF\backup' and take a backup copy of the 'web.xml' file present there.
ii. In the web.xml file,search for the following line :

<!-- Uncomment the following code to enable protection against click jacking. -->

iii. Remove the starting '<!--' and trailing '-->' present beneath this line to uncomment the code used for preventing click jacking. The default code is used to prevent any type of frame activity.

Original :

<!-- Uncomment the following code to enable protection against click jacking. -->
<!--
<init-param>
<param-name>xFrameOptions</param-name>
<param-value>SAMEORIGIN</param-value>
        </init-param>
        <init-param>
        <param-name>contentSecurityPolicy</param-name>
            <param-value>frame-ancestors 'self'</param-value>
       </init-param>
-->

Modified :

<!-- Uncomment the following code to enable protection against click jacking. -->
<init-param>
<param-name>xFrameOptions</param-name>
<param-value>SAMEORIGIN</param-value>
        </init-param>
        <init-param>
        <param-name>contentSecurityPolicy</param-name>
            <param-value>frame-ancestors 'self'</param-value>
       </init-param>

iv. If the client is using APM as a Plugin build, then the client has to specify the OPM domain name instead of SAMEORIGIN as follows :

<init-param>
         <param-name>xFrameOptions</param-name>
         <param-value>ALLOW-FROM <source></param-value>
    </init-param>
    <init-param>
         <param-name>contentSecurityPolicy</param-name>
         <param-value>frame-ancestors <source>;</param-value>
    </init-param>

    Replace <source> with the domain from which the site can be accessed with in a frame.

Example :

<init-param>
            <param-name>xFrameOptions</param-name>
            <param-value>ALLOW-FROM https://example.com/</param-value>
        </init-param>
        <init-param>
            <param-name>contentSecurityPolicy</param-name>
            <param-value>frame-ancestors https://example.com/;</param-value>
        </init-param>

v. Save the file and restart the APM instance. Check if the issue is resolved.


                  New to ADSelfService Plus?

                    • Related Articles

                    • Update on the Apache Log4j Vulnerability

                      A high severity vulnerability ( CVE-2021-44228 ) impacting multiple versions of the Apache Log4j2 utility was disclosed publicly on December 9, 2021. The vulnerability impacts Apache Log4j2 versions below 2.15.0. You can find the details of this ...
                    • AppManager disk is full - I want to clear some space

                      Increased Applications Manager database utilization could have increased the Applications Manager Disk size. To clear some space, follow the steps below: 1. In the <AppManager_Home>\working\heapdump directory, check if any old files are present and ...
                    • How to perform manual update of Time in AppManager Plugin when it is not in sync with localhost time

                      If the Applications Manager Plugin time is not in sync with the local host time, follow the steps given below: 1. Open the startApplicationsManager.bat file (For Windows) or startApplicationsManager.sh file (For Linux) present under the ...
                    • How to change AppManager credentials/EUM API Key?

                      How to change AppManager credentials/EUM API Key in console mode or directly from file? For EUM Agent version 18 and above: Go to [EUM_HOME]/conf folder. Open AppServer.xml in a text editor. Remove encryptedKey attribute and add new attribute apikey ...
                    • How can I generate and import certificates into AppManager?

                      From v14260 : Option to create Certificate Signing Request (CSR) and import SSL certificate to Applications Manager are introduced in UI. Please refer Manage Certificates for detailed steps. Steps for Applications Manager below v14260 :  1. Open the ...