How do I add 'X-Frame-Options' directive. 


Hi, we have an AWS cloud-based Java installation of OutSystems and I am looking at how we can restrict OutSystems applications being embedded in an iframe in other applications.

I know we can use the 'frame-ancestors' and/or the 'X-Frame-Options' directives to achieve what we need and I have successfully managed to get the 'frame-ancestors' one to work through the Platform security settings (Content-Security-Policy). However, this works on Chrome, but doesn't work in IE.

So to solve, I want to also use the 'X-Frame-Options' directive and understand that it can be added via the 'Factory Configurations' module (from the Forge). I have downloaded Factory Configurations and tried updating the using the Shared Configurations, but without success. 

Has anyone tried this before, and can advise me on what to do?

Thanks

Neil



Hi Neil,

Did you check the HTTPRequestHandler extension's AddHeader action? Or are you looking for a more generic approach?

Hey Neil,

It seems that Internet Explorer doesn't fully support Content Security Policy directives. You can check the supported directives here: https://content-security-policy.com

We are following the standards so that the browsers seamlessly support Content Security Policy headers added to OutSystems applications but, unfortunately, we cannot ensure that every browser supports every directive.

Let me know if you need any additional clarification.

By the way, thank you for your contribution Kilian!

Regards

Thanks Kilian and Lara for your replies.

In respect of what we need then the HTTPRequestHandler extension AddHeader action satisfies the requirements. By using the 'frame-ancestors' (via LifeTime) and the 'X-Frame-Headers' in the application it will cover pretty much all browsers. So I have a solution I can take forward.

By the way, this query is similar to a number of other platform configuration investigations we have done, so I guess I started out to look at how we could manage this directive through Configuration change as opposed to application code change.

Anyway, I now have a way forward so thanks again to you both.


Glad I could be of help. Good luck with your project.
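
The approach settled on in this thread sends both `frame-ancestors` (in Content-Security-Policy) and `X-Frame-Options`, so the two must be present and agree. The following is an added example, not part of the thread and not OutSystems code: a check over response headers, with hypothetical function names and constructed sample headers, assuming one value per header.

```python
# Added example. Header sets are plain dicts; one value per header is assumed.

def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def classify_xfo(value):
    """Normalise X-Frame-Options to 'deny', 'sameorigin' or 'allow-from'; None if invalid."""
    v = value.strip().lower()
    if v in ("deny", "sameorigin"):
        return v
    return "allow-from" if v.startswith("allow-from ") else None

def audit_framing(headers):
    """Return findings (strings) about framing protection in one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    fa = parse_frame_ancestors(h.get("content-security-policy", ""))
    xfo_raw = h.get("x-frame-options")
    xfo = classify_xfo(xfo_raw) if xfo_raw is not None else None
    if fa is None:
        findings.append("missing frame-ancestors directive in Content-Security-Policy")
    if xfo_raw is None:
        findings.append("missing X-Frame-Options (needed by browsers without frame-ancestors support)")
    elif xfo is None:
        findings.append("invalid X-Frame-Options value: %r" % xfo_raw)
    if fa is not None and xfo is not None:
        # An empty source list behaves like 'none'. Origin allowlists have no
        # portable X-Frame-Options equivalent, so only 'none'/'self' are compared.
        expected = {"'none'": "deny", "'self'": "sameorigin"}.get(" ".join(fa) or "'none'")
        if expected and xfo != expected:
            findings.append("mismatch: frame-ancestors %s vs X-Frame-Options %s"
                            % (" ".join(fa) or "'none'", xfo_raw))
    return findings

# Constructed sample responses, not captured from a real application.
SAMPLES = {
    "both": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
             "X-Frame-Options": "SAMEORIGIN"},
    "csp-only": {"Content-Security-Policy": "frame-ancestors 'self'"},
    "mismatch": {"Content-Security-Policy": "frame-ancestors 'none'",
                 "X-Frame-Options": "SAMEORIGIN"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, audit_framing(hdrs))
```

The "csp-only" sample corresponds to the starting point described in the question, where only `frame-ancestors` was configured.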