How do I set X-Frame-Options as response header in angularJS?

I receive the X-Frame-Options header in the response from the API, but as I understand it, in order to prevent the clickjacking attack I need to add it in the UI code. The UI code (written in AngularJS) is deployed on a Tomcat (version 7.0.72) server. I tried adding the filter below in the web.xml of my application.

<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
  <init-param>
    <param-name>antiClickJackingEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>DENY</param-value>
  </init-param>
</filter>

Yet, I can't see the headers being added. Can someone please help me figure out the solution?

pix1289 asked Oct 26 '16 16:10


1 Answer

I found the solution. The X-Frame-Options response header needs to be added via web.xml on the Tomcat server. The filter-mapping was missing from my web.xml, hence the headers were not getting added. For anyone else who might face this issue, I am posting the lines from web.xml here:

<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
  <init-param>
    <param-name>antiClickJackingEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>DENY</param-value>
  </init-param>
</filter>
<!-- Without this mapping the filter is declared but never runs. /* applies it to every response, including index.html. -->
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<welcome-file-list>
  <welcome-file>index.html</welcome-file>
</welcome-file-list>

With this, the following headers get added:

• X-Frame-Options
• X-Content-Type-Options
• X-XSS-Protection

If you don't specify values for each of these headers, the default value for each will be set. You can find the default values in the Tomcat server docs.

pix1289 answered Oct 17 '22 18:10
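The thread turns on one point worth checking mechanically: a clickjacking header is only effective on the response that delivers the HTML document a browser would frame, so the header the API already sent never protected the AngularJS UI, and the filter only started helping once it was mapped to the requests that serve index.html. The audit below is an added example, not code from the question, the answer or Tomcat. It classifies a response's clickjacking protection (CSP frame-ancestors takes precedence over X-Frame-Options where supported, ALLOW-FROM is obsolete, an unrecognised value is ignored) and reports which HTML paths are still frameable. The header sets are constructed to mirror the before and after states of the thread; the nosniff and XSS-Protection values are assumed, not taken from the page.

```python
"""Audit HTTP response headers for clickjacking protection.

Added example, not part of the original question or answer. The header
sets at the bottom are constructed, not captured traffic: an API that
already sends X-Frame-Options and a Tomcat-served index.html that carries
the header only once the filter is mapped to /*.
"""
from typing import Dict, List, Optional, Tuple

Headers = Dict[str, str]


def get_header(headers: Headers, name: str) -> Optional[str]:
    """Case-insensitive lookup; header names are case-insensitive on the wire."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def frame_ancestors(csp: str) -> Optional[str]:
    """Return the source list of a CSP frame-ancestors directive, or None."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # An empty source list permits no ancestor at all.
            return " ".join(tokens[1:]) or "'none'"
    return None


def clickjacking_status(headers: Headers) -> Tuple[str, str]:
    """Classify a response as 'protected' or 'unprotected', with a reason.

    CSP frame-ancestors is checked first because browsers that support it
    give it precedence over X-Frame-Options.
    """
    csp = get_header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            tokens = sources.lower().split()
            if "*" in tokens or "http:" in tokens or "https:" in tokens:
                return "unprotected", f"frame-ancestors permits any origin: {sources}"
            return "protected", f"CSP frame-ancestors {sources}"

    xfo = get_header(headers, "X-Frame-Options")
    if xfo is None:
        return "unprotected", "no X-Frame-Options and no CSP frame-ancestors"
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return "protected", f"X-Frame-Options {value}"
    if value.startswith("ALLOW-FROM"):
        return "unprotected", "ALLOW-FROM is obsolete and ignored by current browsers"
    return "unprotected", f"unrecognised X-Frame-Options value {xfo!r} is ignored"


def unprotected_html_paths(responses: Dict[str, Headers]) -> List[str]:
    """Paths whose response is an HTML document and is still frameable.

    Non-HTML responses are skipped: a JSON API body is never rendered as a
    framed page, so a header on the API alone does not protect the UI.
    """
    result = []
    for path, headers in responses.items():
        ctype = (get_header(headers, "Content-Type") or "").lower()
        if not ctype.startswith("text/html"):
            continue
        verdict, _reason = clickjacking_status(headers)
        if verdict != "protected":
            result.append(path)
    return sorted(result)


# Constructed samples (assumed values, not captured from any server).
BEFORE_FIX: Dict[str, Headers] = {
    # The API already sent the header, as the question states.
    "/api/items": {"Content-Type": "application/json", "X-Frame-Options": "SAMEORIGIN"},
    # <filter> declared but no <filter-mapping>: index.html is served unchanged.
    "/index.html": {"Content-Type": "text/html;charset=UTF-8"},
}

AFTER_FIX: Dict[str, Headers] = {
    "/api/items": {"Content-Type": "application/json", "X-Frame-Options": "SAMEORIGIN"},
    # Filter mapped to /* with antiClickJackingOption=DENY; the other two
    # header values are assumptions for the sample.
    "/index.html": {
        "Content-Type": "text/html;charset=UTF-8",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "X-XSS-Protection": "1; mode=block",
    },
}

if __name__ == "__main__":
    print("frameable before fix:", unprotected_html_paths(BEFORE_FIX))
    print("frameable after fix: ", unprotected_html_paths(AFTER_FIX))
```

To run it against a live deployment, feed `unprotected_html_paths` a dict built from real responses (for example `dict(resp.headers)` from `urllib.request.urlopen`), and remember to check the document URL the browser actually loads, not only the API endpoints.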