Enabling the X-Frame-Options header

You can configure the X-Frame-Options header settings to help you protect your site against Clickjacking. Clickjacking is a technique that tricks a web user into clicking a malicious site, thinking that it is your site. This malicious site can then reveal confidential information or take control of the user's computer.

About this task

You can help to protect your site from this form of attack by improving your X-Frame-Options header.

For more ways to protect your site from Clickjacking see, Clickjacking Defense Cheat Sheet.

The following are possible values for your X-Frame-Options header:
DENY
This configuration is the most restrictive and prevents your site page from being included in an iFrame. This option is optimal if you do not have valid users for an iFrame.
SAMEORIGIN
If a parent page is from the same domain as your site page, the site page can be included in the iFrame.
ALLOW-FROM uri
You can specify a single URI that is allowed to frame your site page.
Note: This option is not supported by all browsers. For more information about which browsers are supported, see Defending with X-Frame-Options Response Headers.

Procedure

Include the X-Frame-Options header with a response.

The Aurora store has the X-Frame-Options header enabled using the HttpSecurityFilter. You can include this X-Frame-Options header by using one of the following options:

  • Use the IBM HTTP Server (IHS)
    Enabling the header with IHS is the more popular technique and this technique ensures that the header is included with all responses. To include the X-Frame-Options header, use a command that is similar to the following command, which appends the X-Frame-Options header SAMEORIGIN to responses:
    Header always append X-Frame-Options SAMEORIGIN
    For more information about controlling and modifying HTTP request and response headers, see Apache Module mod_headers.
  • Use the WebSphere Commerce application.
    1. Go to the following directory:
      • LinuxAIX Store_archivedir/Aurora/common
      • Windows Store_archivedir\Aurora\common
    2. Open the EnvironmentSetup.jspf for editing and add the following line of code:
      response.setHeader("X-Frame-Options","SAMEORIGIN");
    3. Save and close the file.
  • If you use Microsoft Internet Information Services (IIS), use the IIS Manager to include the X-Frames-Options. For more information, see Mitigating frame sniffing with the X-Frame-Options header .
  • To enable the X-Frame Options header using the HttpSecurityFilter, add the corresponding property to your extended foundation wc-component.xml file. For more information about how to create a custom configuration file, see Changing properties in the component configuration file. The X-Frame-Options properties accept an explicit true or false value. A value of true appends the X-Frame-Options with a value of DENY or SAMEORIGIN, depending on the property. The following names are possible property names:
    EnableXFrameOptionsDeny
    Sets the value of DENY into the X-Frame-Options header.
    EnableXFrameOptionsSameOrigin
    Sets the value SAMEORIGIN into the X-Frame-Options header

    For example, to configure the X-Frame-Options response header for the REST servlet where the value is set to SAMEORIGIN, add the following code snippet to the file:

    <_config:configgrouping name="HttpSecuritySettings_Rest">
    <_config:property name="EnableXFrameOptionsSameOrigin" value="true"/>
    </_config:configgrouping>"