Enable Clickjacking Protection

Clickjacking is a malicious technique of tricking Web users into clicking something different from what they think they are clicking, potentially revealing confidential information. Attackers may exploit the XFS (Cross Frame Scripting) vulnerability on Exalead CloudView UIs to load an attack target inside an iframe tag, hide it using Cascading Style Sheets (CSS), and overlay the phishing content on a malicious page.

See Also

  • Secure Custom Developments
  • Enable Cross-Site Request Forgery Protection (CSRF)
  • Enable Phishing Protection
  • Control IP Address Binding

Context:

Clickjacking may affect all Exalead CloudView UIs:

  • The configuration and monitoring consoles: Administration Console, Mashup Builder, Business Console, API Console, and Monitoring Console. To address clickjacking and other security weaknesses on these consoles, see our General Recommendations.

  • The Mashup UI applications created with the Mashup Builder. By default, we do not prevent iframe embedding, because the Mashup UI must be embeddable in an iframe for page/widget previews to work correctly in the Mashup Builder and the Business Console. Once your applications are no longer in development mode (previews are no longer needed), you can prevent iframe embedding on your Mashup UI applications as described in the following procedure.

  1. Go to the <DATADIR>/webapps/360-mashup-ui/WEB-INF/ directory.
  2. Edit the response-header-filter.xml file and uncomment the following lines.
    <match-url url=".*">
      <header key="X-Frame-Options" value="SAMEORIGIN" />
    </match-url>
  3. Repeat these actions for your other Mashup UI applications, if any.
  4. Restart Exalead CloudView.
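After the restart, you will want to confirm that the rule is really active and that the Mashup UI now answers with a framing restriction. The script below is an added example, not part of the Exalead CloudView product or its documentation. It checks two things: that the response-header-filter.xml rule shown above is present and uncommented (the `<root>` wrapper used for parsing is hypothetical; only the `<match-url>`/`<header>` elements come from the page), and that a set of HTTP response headers carries an anti-framing policy (X-Frame-Options or a Content-Security-Policy frame-ancestors directive). The sample responses are constructed for the example; `check_url` is an optional helper that applies the same header check to a live deployment.

```python
"""Added example: verify that clickjacking protection is in place.

  1. xfo_rule_active   - is the X-Frame-Options rule uncommented in the filter file?
  2. framing_protection - does a response actually restrict framing?
"""
import urllib.request
import xml.etree.ElementTree as ET
from typing import Mapping, Optional

# Constructed: the rule from the page as shipped, still commented out ...
SHIPPED_FRAGMENT = """<!--
<match-url url=".*">  <header key="X-Frame-Options" value="SAMEORIGIN" /></match-url>
-->"""

# ... and after uncommenting it, as the procedure instructs.
ENABLED_FRAGMENT = """<match-url url=".*">
  <header key="X-Frame-Options" value="SAMEORIGIN" />
</match-url>"""

# Only these two X-Frame-Options values are honoured by current browsers.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def xfo_rule_active(fragment: str) -> bool:
    """Return True if the fragment holds an uncommented <match-url url=".*">
    rule that sets X-Frame-Options to DENY or SAMEORIGIN.

    The fragment is wrapped in a hypothetical <root> so that it parses even
    when it is only a comment; ElementTree drops XML comments, so a rule that
    is still commented out yields no element and the check fails.
    """
    root = ET.fromstring("<root>" + fragment + "</root>")
    for rule in root.iter("match-url"):
        if rule.get("url") != ".*":          # the rule must cover every URL
            continue
        for header in rule.iter("header"):
            if (header.get("key", "").lower() == "x-frame-options"
                    and header.get("value", "").strip().upper() in VALID_XFO):
                return True
    return False


def framing_protection(headers: Mapping[str, str]) -> Optional[str]:
    """Classify the anti-framing policy found in HTTP response headers.

    Returns "csp" (frame-ancestors directive present, which browsers apply in
    preference to X-Frame-Options), "deny", "sameorigin", or None when any
    site may frame the page. Header names are matched case-insensitively.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        if directive.strip().lower().startswith("frame-ancestors"):
            return "csp"
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "sameorigin"
    # ALLOW-FROM is obsolete and ignored by modern browsers: treat as unprotected.
    return None


# Constructed sample responses: before the change, after it, and a CSP variant.
SAMPLE_RESPONSES = {
    "before": {"Content-Type": "text/html"},
    "after": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "csp": {"content-security-policy": "default-src 'self'; frame-ancestors 'none'"},
}


def audit(responses: Mapping[str, Mapping[str, str]]) -> dict:
    """Apply framing_protection to each named response."""
    return {name: framing_protection(h) for name, h in responses.items()}


def check_url(url: str) -> Optional[str]:
    """Fetch a live page and classify its framing policy (network access needed)."""
    with urllib.request.urlopen(url) as resp:
        return framing_protection(dict(resp.headers.items()))


if __name__ == "__main__":
    print("shipped rule active:", xfo_rule_active(SHIPPED_FRAGMENT))
    print("enabled rule active:", xfo_rule_active(ENABLED_FRAGMENT))
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{name}: {verdict or 'UNPROTECTED - page can be framed by any site'}")
```

Run it against each Mashup UI application you edited; a `None` verdict from `check_url` after the restart usually means the file was edited in the wrong application's WEB-INF directory or the rule is still inside the comment markers.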