PAYARA-2109 Protect Admin Console Web Pages against Clickjacking/UI Redress attacks #2097
Conversation
XFrame Options has 3 values, therefore it should be selectable from the 3 rather than a boolean true or false.
@@ -300,6 +300,8 @@ http.XpoweredBy=XPowered By: | |||
http.XpoweredByHelp=Include X-Powered-By: Servlet/3.0 in servlet-generated HTTP response headers | |||
http.ServerHeader=Server Header: | |||
http.ServerHeaderHelp=Include Server Header: Servlet/3.0 in servlet-generated HTTP response headers | |||
http.XframeOptions=XFrame Options: | |||
http.XframeOptionsHelp=Include X-Frame-Options: Servlet/3.0 in servlet-generated HTTP response headers |
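Review bot: the added `http.XframeOptionsHelp` string at the end of the hunk copies the X-Powered-By wording ("Include X-Frame-Options: Servlet/3.0 in servlet-generated HTTP response headers"), but `Servlet/3.0` is a product token, not an X-Frame-Options value; the header only takes `DENY`, `SAMEORIGIN` or `ALLOW-FROM <origin>`. Suggest describing the setting as the default header value to send when a response carries none, for example `http.XframeOptionsHelp=Default X-Frame-Options value (DENY, SAMEORIGIN or ALLOW-FROM) to include in responses`.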
Probably should say "Default X-Frame-Options value to be included in all responses"
httpHeader.getHeaders().removeHeader(Header.Server); | ||
} | ||
|
||
if (xFrameOptions == null && httpHeader.containsHeader(xFrameOptionsHeader)){ |
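Review bot: the guard `if (xFrameOptions == null && httpHeader.containsHeader(xFrameOptionsHeader))` mirrors the `removeHeader(Header.Server)` pattern just above it, but an X-Frame-Options header already on the response is most likely the application's own clickjacking protection, not leaked server information, so an unset configuration value is no reason to act on it. Suggest inverting the condition: only when the configured value is non-null and the header is absent should the default be added, and a header that is present should never be removed.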
I don't think you should remove an XFrameOptions Header if it is already present. XPoweredBy and Server are removed when configured to be removed because they leak security information. However, XFrame-Options could be set by the application developer for legitimate reasons, so it should be honoured if present.
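The behaviour the reviewer asks for, written as a standalone servlet filter rather than Payara's own code: the configured default is validated against the three values the header allows, and it is applied only when no X-Frame-Options header is present, so an application's own value is never stripped. The `x-frame-options` init-param name and the `SAMEORIGIN` fallback are assumptions for this example.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Supplies a default X-Frame-Options header only when the response has none. */
public class XFrameOptionsFilter implements Filter {
    static final String HEADER = "X-Frame-Options";
    private String defaultValue = "SAMEORIGIN"; // assumed fallback for this example

    /** Accepts only the three values the header defines (RFC 7034). */
    static String validate(String value) {
        String v = value.trim();
        String upper = v.toUpperCase(Locale.ROOT);
        if (upper.equals("DENY") || upper.equals("SAMEORIGIN")) {
            return upper;
        }
        if (upper.startsWith("ALLOW-FROM ") && v.length() > 11) {
            return "ALLOW-FROM " + v.substring(11); // keep the origin as written
        }
        throw new IllegalArgumentException("Unsupported X-Frame-Options value: " + value);
    }

    @Override
    public void init(FilterConfig config) {
        // "x-frame-options" is a hypothetical init-param name used by this example
        String param = config.getInitParameter("x-frame-options");
        if (param != null) {
            defaultValue = validate(param);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse resp = (HttpServletResponse) res;
            // Honour a header set by an earlier filter and never remove one; setting
            // the default before the chain runs lets the application override it.
            if (!resp.containsHeader(HEADER)) {
                resp.setHeader(HEADER, defaultValue);
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```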
Jenkins test please
Quick build and test passed!
No description provided.