How do I add the 'X-Frame-Options' directive?

Hi, we have an AWS cloud-based JAVA installation of OutSystems and I am looking at how we can restrict OutSystems applications being embedded in an iframe in other applications.

I know we can use the 'frame-ancestors' and/or the 'X-Frame-Options' directives to achieve what we need, and I have successfully managed to get the 'frame-ancestors' one to work through the Platform security settings (Content-Security-Policy). However, this works on Chrome but doesn't work in IE.

So to solve this, I want to also use the 'X-Frame-Options' directive and understand that it can be added via the 'Factory Configurations' module (from the Forge). I have downloaded Factory Configurations and tried updating it using the Shared Configurations, but without success.

Has anyone tried this before, and can advise me on what to do?

Thanks

Neil



Hi Neil,

Did you check the HTTPRequestHandler extension's AddHeader action? Or are you looking for a more generic approach?

Hey Neil,

It seems that Internet Explorer doesn't fully support Content Security Policy directives. You can check the supported directives here: https://content-security-policy.com

We are following the standards so that the browsers seamlessly support Content Security Policy headers added to OutSystems applications but, unfortunately, we cannot ensure that every browser supports every directive.

Let me know if you need any additional clarification.

By the way, thank you for your contribution Kilian!

Regards

Thanks Kilian and Lara for your replies.

In respect of what we need, the HTTPRequestHandler extension AddHeader action satisfies the requirements. By using the 'frame-ancestors' (via LifeTime) and the 'X-Frame-Headers' in the application, it will cover pretty much all browsers. So I have a solution I can take forward.

By the way, this query is similar to a number of other platform configuration investigations we have done, so I guess I started out to look at how we could manage this directive through Configuration change as opposed to application code change.

Anyway, I now have a way forward, so thanks again to you both.


Glad I could be of help. Good luck with your project.

We had used the AddHeader or AddMetaTag method of the HTTPRequestHandler extension for X-Frame-Options with value deny or SAMEORIGIN, but then the security tool is still showing us the 'X-Frame-Options Header Not Set' alert in the report summary. Can anyone help me with how to resolve this security issue?

Hey Hemlata,

What browser are you using? Did you check if the X-Frame-Options header is sent on the request besides checking the security tool?

Also, doesn't Content Security Policy frame-ancestors directive apply to your scenario?


Regards

Hi Lara,

Thank you... and sorry for late reply, but I am still juggling with this issue.

Actually, I am getting the 'X-Frame-Options Header Not Set' risk when I run the penetration tool, the ZAP scanning tool.

I tried using Factory Configuration with Http Protocol, and now I can see X-Frame-Options: SAMEORIGIN in the Network tab, Response Headers. But when I run the penetration tool, I am still getting Medium Risk as: 'X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.'


Please suggest a solution for this.


Regards,
Hemlata

Hey Hemlata,

I am not familiar with that scanning tool.

However, I would suggest that you try to understand whether the browser is actually respecting the header by doing a simple test, as is being done here:

https://stackoverflow.com/questions/47079785/owasp-zap-false-positive-on-x-frame-options-and-non-existing-html-file

If the header is being enforced in the browser, the problem is with the scanning tool. Otherwise, we will need to understand what's happening.

Let me know about the results!


Regards
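A direct check of the response head, as an added example that is not part of this thread or of OutSystems: it parses the headers as copied from the browser's Network tab or `curl -I` (the sample heads below are constructed) and reports whether X-Frame-Options and the CSP frame-ancestors directive leave both legacy and CSP-aware browsers protected, which separates a scanner false positive from a header that is genuinely missing.

```python
"""Checks whether a raw HTTP response head carries working clickjacking protection.
Added example for this thread, not OutSystems code; input is a copied response head."""

STRICT_XFO = {"DENY", "SAMEORIGIN"}  # the only X-Frame-Options values current browsers honour

def parse_headers(raw: str) -> list:
    """(lowercase name, value) pairs from a raw response head; the status line is skipped."""
    lines = raw.strip().splitlines()
    pairs = []
    for line in lines[1:] if lines and lines[0].upper().startswith("HTTP/") else lines:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def frame_ancestors(csp: str):
    """Return the frame-ancestors source list from one CSP value, or None if it has none."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None

def assess(raw: str) -> dict:
    """Report whether legacy (X-Frame-Options only) and CSP-aware browsers are protected."""
    pairs = parse_headers(raw)
    xfo = [v.upper() for n, v in pairs if n == "x-frame-options"]
    csps = [frame_ancestors(v) for n, v in pairs if n == "content-security-policy"]
    fa = next((x for x in csps if x is not None), None)  # first CSP header naming frame-ancestors
    notes = []
    xfo_ok = len(set(xfo)) == 1 and xfo[0] in STRICT_XFO
    if not xfo:
        notes.append("X-Frame-Options not set: browsers without CSP support (e.g. IE) are unprotected")
    elif len(set(xfo)) > 1:
        notes.append("conflicting X-Frame-Options values: send exactly one")
    elif xfo[0] not in STRICT_XFO:
        notes.append(f"X-Frame-Options {xfo[0]!r} is not DENY/SAMEORIGIN and is ignored (ALLOW-FROM is obsolete)")
    if fa is None:
        notes.append("no frame-ancestors directive: CSP-aware browsers fall back to X-Frame-Options")
    elif "*" in fa:
        notes.append("frame-ancestors * lets any site frame the page")
    csp_ok = ("*" not in fa) if fa is not None else xfo_ok
    return {"x_frame_options": xfo, "frame_ancestors": fa,
            "legacy_protected": xfo_ok, "csp_protected": csp_ok, "notes": notes}

# Constructed sample heads: the SAMEORIGIN case seen in the Network tab, and one missing the header.
WITH_XFO = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n"
WITHOUT_XFO = "HTTP/1.1 200 OK\r\nContent-Security-Policy: frame-ancestors 'self'\r\n"
```

If `assess()` on the head copied from the response reports `legacy_protected` and `csp_protected` as true with no notes, the header is present and a scanner alert is a false positive.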