I receive the X-Frame-Options header in the response from the API, but as I understand in order to prevent the clickjacking attack I need to add it in the UI code. The UI code( written in angularjs) is deployed in Tomcat (version 7.0.72) server. I tried adding the below filters in the web.xml of my application.
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>DENY</param-value>
</init-param>
</filter>
Yet, I can't see the headers being added. Can someone please help me figure out the solution?
Double-click the HTTP Response Headers icon in the feature list in the middle. In the Actions pane on the right side, click Add. In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field. Click OK to save your changes.
I found the solution. The X-Frame-Options response header needs to be added via web.xml on Tomcat server. The filter-mapping was missing in my web.xml hence the headers were not getting added. For anyone else who might face this issue, I am posting the lines from web.xml here:
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
<init-param>
<param-name>antiClickJackingEnabled</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>antiClickJackingOption</param-name>
<param-value>DENY</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
With this, the following headers get added: • X-Frame-Options • X-Content-Type-Options • X-XSS-Protection
If you don't specify values for each of this header, the default value for each would be set. You can find the default values in Tomcat server docs.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With