Enable the X-Frame-Options header
You can configure the X-Frame-Options response header to help protect the site against clickjacking. Clickjacking is a technique in which an attacker loads a site page inside an invisible frame on a malicious page and tricks the user into clicking it, while the user believes the click lands on the visible content of the malicious page. Because the hidden clicks run in the user's authenticated session with the site, the attacker can make the user submit forms, change settings, or reveal confidential information.
About this task
You can help to protect the site from this form of attack by setting the X-Frame-Options header on the site's responses.
For more ways to protect the site from clickjacking, see the Clickjacking Defense Cheat Sheet. The following are the possible values for the X-Frame-Options header:
- DENY
- This value is the most restrictive and prevents the site page from being displayed in a frame (iframe) on any page, including pages from the site itself. This option is optimal if no page legitimately needs to frame the site.
- SAMEORIGIN
- The site page can be displayed in a frame only if the framing page has the same origin, that is, the same scheme, host, and port, not merely the same domain. Current browsers check every page in the chain of ancestor frames; some older browsers checked only the top-level page.
- ALLOW-FROM uri
- Specifies a single URI that is allowed to frame the site page.
Note: This option is obsolete and is not supported by all browsers. A browser that does not recognize the value ignores the header entirely and lets any site frame the page, so ALLOW-FROM gives no protection in those browsers. For more information about which browsers are supported, see Defending with X-Frame-Options Response Headers. Where one framing origin must be allowed, the Content-Security-Policy frame-ancestors directive is the supported replacement.
Procedure
Include the X-Frame-Options header with a response. The Aurora store has the X-Frame-Options header enabled using the HttpSecurityFilter. You can include the X-Frame-Options header using one of the following options:
- Use the IBM HTTP Server (IHS). Enabling the header with IHS is the more popular technique, and it ensures that the header is included with all responses that pass through the web server, including static content and error pages that the application does not generate. To include the X-Frame-Options header, use a directive that is similar to the following, which appends the X-Frame-Options header with the value SAMEORIGIN to responses:
Header always append X-Frame-Options SAMEORIGIN
The always condition also applies the header to error and redirect responses. Note that append merges the value into any X-Frame-Options header that the application already emits, for example from the HttpSecurityFilter; if the two values differ (SAMEORIGIN from IHS and DENY from the application), browsers treat the conflicting header as a denial and refuse to frame the page at all. If the header is to be controlled in IHS alone, use Header always set instead, which replaces any existing value. For more information about controlling and modifying HTTP request and response headers, see Apache Module mod_headers.
- Use the WebSphere Commerce application. This technique sets the header only on responses that render a page that includes the EnvironmentSetup.jspf fragment.
- Go to the following directory:
- (AIX) (Linux) Store_archivedir/Aurora/common
- (Windows) Store_archivedir\Aurora\common
- Open EnvironmentSetup.jspf for editing and add the following line of code:
response.setHeader("X-Frame-Options","SAMEORIGIN");
setHeader replaces any value already set for that header name (unlike addHeader, which adds a second value), and it has no effect once the response has been committed, so keep the line early in the fragment.
- Save and close the file.
- Use Microsoft Internet Information Services (IIS). If you use IIS, use the IIS Manager to include the X-Frame-Options header. See Mitigating frame sniffing with the X-Frame-Options header.
- Use the HttpSecurityFilter. To enable the X-Frame-Options header using the HttpSecurityFilter, add the corresponding property to your extended foundation wc-component.xml file. For more information about how to create a custom configuration file, see Changing properties in the component configuration file. The X-Frame-Options properties accept an explicit true or false value. A value of true appends the X-Frame-Options header with a value of DENY or SAMEORIGIN, depending on the property. Set only one of the two properties to true so that the header carries a single value. The following property names are possible:
- EnableXFrameOptionsDeny
- Sets the value DENY in the X-Frame-Options header.
- EnableXFrameOptionsSameOrigin
- Sets the value SAMEORIGIN in the X-Frame-Options header.
For example, to configure the X-Frame-Options response header for the REST servlet with the value SAMEORIGIN, add the following snippet to the file:
<_config:configgrouping name="HttpSecuritySettings_Rest">
  <_config:property name="EnableXFrameOptionsSameOrigin" value="true"/>
</_config:configgrouping>
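Whichever of the options above you choose, the header only helps if the browser interprets it the way you expect, and several of the pitfalls in this procedure (conflicting values when IHS appends to a header the application already set, the obsolete ALLOW-FROM form, SAMEORIGIN comparing full origins rather than domains) are easiest to see by walking through the browser's own decision. The following is an added example, not code from WebSphere Commerce, IBM HTTP Server or any browser. It models the HTML Standard's algorithm for checking a navigation response against X-Frame-Options as the author understands it (current browsers check every ancestor frame; older ones checked only the top-level page), and the URLs and header values in it are constructed samples. The audit_xfo helper is a hypothetical lint you could run over the headers a test request returns.

```python
"""Model of the browser-side X-Frame-Options decision (added example; not
product or browser code). Decision logic follows the HTML Standard's check of
a navigation response's adherence to X-Frame-Options, as understood by the
author. All URLs and header values below are constructed samples."""
from urllib.parse import urlsplit

RECOGNISED = ("deny", "sameorigin", "allowall")  # values that matter in a conflict
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Origin of a URL as (scheme, host, port). SAMEORIGIN compares all three,
    so https://shop.example.com and http://shop.example.com are different."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def parse_xfo(header_values):
    """Combine every X-Frame-Options header on a response the way a browser
    does: split on commas, trim, lowercase, and drop exact duplicates."""
    values = []
    for raw in header_values:
        for token in raw.split(","):
            token = token.strip().lower()
            if token and token not in values:
                values.append(token)
    return values


def may_be_framed(response_url, xfo_headers, ancestor_urls, csp_frame_ancestors=False):
    """Decide whether a document from response_url, served with the given
    X-Frame-Options header values, may render inside the frame chain
    ancestor_urls (every page from the top-level document down to the frame).
    csp_frame_ancestors=True models a response that also carries a
    Content-Security-Policy frame-ancestors directive."""
    if not ancestor_urls:
        return True  # top-level navigation: X-Frame-Options does not apply
    if csp_frame_ancestors:
        return True  # frame-ancestors takes precedence; XFO is ignored entirely
    values = parse_xfo(xfo_headers)
    if not values:
        return True  # no header: any site may frame the page
    if len(values) > 1:
        # Conflicting values (e.g. SAMEORIGIN appended by IHS next to DENY from
        # the application): fail closed if any recognised value is present,
        # otherwise the whole header is ignored.
        return not any(v in RECOGNISED for v in values)
    value = values[0]
    if value == "deny":
        return False
    if value == "sameorigin":
        own = origin_of(response_url)
        return all(origin_of(url) == own for url in ancestor_urls)
    # Anything else, including the obsolete ALLOW-FROM form, is not a
    # restriction at all: the page stays frameable by any site.
    return True


def audit_xfo(header_values):
    """Hypothetical lint for the X-Frame-Options value(s) a server emits.
    Returns a list of findings; an empty list means one effective value."""
    findings = []
    values = parse_xfo(header_values)
    if not values:
        return ["missing: no X-Frame-Options header"]
    if len(values) > 1:
        findings.append("conflicting values %r: emit the header from one place only" % (values,))
    for v in values:
        if v.startswith("allow-from"):
            findings.append("obsolete %r is ignored by current browsers; use CSP frame-ancestors" % v)
        elif v not in ("deny", "sameorigin"):
            findings.append("unrecognised %r is ignored; the page stays frameable" % v)
    return findings


if __name__ == "__main__":
    page = "https://shop.example.com/webapp/wcs/stores/servlet/Home"  # constructed
    cases = [  # (header values as sent, ancestor chain), all constructed
        (["SAMEORIGIN"], ["https://shop.example.com/"]),
        (["SAMEORIGIN"], ["https://attacker.example/"]),
        (["SAMEORIGIN"], ["http://shop.example.com/"]),      # same host, other scheme
        (["SAMEORIGIN", "SAMEORIGIN"], ["https://shop.example.com/"]),  # IHS append + app
        (["SAMEORIGIN, DENY"], ["https://shop.example.com/"]),          # conflicting
        (["ALLOW-FROM https://partner.example"], ["https://attacker.example/"]),
    ]
    for headers, chain in cases:
        print(headers, chain, "->", may_be_framed(page, headers, chain), audit_xfo(headers))
```

Running the script shows that identical values from two sources are harmless, that SAMEORIGIN next to DENY blocks even the site's own frames, and that ALLOW-FROM leaves the page frameable by the attacker's origin. To check a deployed server, send a request with any HTTP client, collect every X-Frame-Options header from the response, and pass the list to audit_xfo.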