How to set X-Frame-Options in Tomcat (clickjacking attack prevention)

Clickjacking attack

Description

The issue with clickjacking

Clickjacking (also called a user interface redress attack, UI redress attack or UI redressing) is a
malicious technique of tricking a web user into clicking on something different from what
the user perceives they are clicking on. A seemingly innocuous page controlled by the attacker
loads the target site in an invisible frame, so the victim's clicks land on the target site and
can reveal confidential information or perform actions on the victim's behalf.

Impact

A page that can be loaded in a frame can be placed, invisibly, on top of an attacker's page.
The user believes they are clicking a button on the attacker's page, but the click is delivered to
the framed page, and the browser sends that request with the user's existing session cookies.
The attacker can therefore make a logged-in user perform state-changing actions on the
vulnerable site (change a setting, approve a request, submit a form) without the user noticing.

Risk Rating

Low Risk Rating. (The real severity depends on what a single click on the framed page can do:
a page that exposes sensitive one-click actions, such as a money transfer or an e-mail address
change, should be rated higher.)

Mitigation Steps

Solution

The most popular way to defend against clickjacking is to include some sort of "frame-
breaking" functionality which prevents other web pages from framing the site you wish to
defend. JavaScript frame-busting scripts can be bypassed (for example by sandboxing the frame),
so the reliable mechanism is a response header that the browser enforces.
The X-Frame-Options HTTP response header indicates whether or not a
browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>.

Sites can use this to avoid Click Jacking attacks, by ensuring that their content is not
embedded into other sites.

There are three possible values for the X-Frame-Options header:

  • DENY, which prevents any page, including pages of the same site, from framing the content.
  • SAMEORIGIN, which only allows pages from the same origin to frame the content.
  • ALLOW-FROM uri, which was meant to allow exactly one other origin. It is obsolete:
    Chrome never supported it and Firefox removed support in version 70, and a browser that
    does not understand the value ignores the whole header, so the page stays frameable.
    Tomcat's filter still accepts it (antiClickJackingOption=ALLOW-FROM together with
    antiClickJackingUri), but do not rely on it. To allow a chosen set of framing origins, use
    the Content-Security-Policy frame-ancestors directive instead; when both headers are
    present, browsers apply frame-ancestors and ignore X-Frame-Options.

Use DENY unless the application frames its own pages, in which case use SAMEORIGIN.

With that background, here is how to make Tomcat send the header.

Step-1

Configure the httpHeaderSecurity filter in web.xml. Put it in the application's WEB-INF/web.xml,
or in $CATALINA_BASE/conf/web.xml to apply it to every application on the server (Tomcat ships a
commented-out copy of this filter there). The filter is part of Tomcat itself, so no extra
library is needed.
<filter>
    <!-- Tomcat's built-in security-header filter -->
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <!-- DENY (the default) or SAMEORIGIN; ALLOW-FROM is obsolete in browsers -->
        <param-name>antiClickJackingOption</param-name>
        <param-value>DENY</param-value>
    </init-param>
</filter>

Note that the filter does more than X-Frame-Options: by default it also sends
X-Content-Type-Options: nosniff, and on HTTPS requests a Strict-Transport-Security header whose
max-age is 0 unless you set hstsMaxAgeSeconds. Either give hstsMaxAgeSeconds a real value (for
example 31536000) or set hstsEnabled to false, otherwise you send an HSTS header that tells
browsers to forget the site's HSTS state.

Step-2

Add a filter mapping after the <filter> element in web.xml so the filter runs for every
request to the application:
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <!-- apply to every URL in the application -->
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>

Restart Tomcat (or redeploy the application) and verify from the command line:
curl -sI http://localhost:8080/yourapp/ | grep -i x-frame-options
should print X-Frame-Options: DENY. Check several URLs, including an error page and a static
resource, because any response that lacks the header is still frameable.
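To see what a browser will actually do with the headers Tomcat now sends, here is an added example in Python; it is not from the original post and not part of Tomcat. It parses a captured response (such as the output of curl -si), classifies the framing protection the way a scanner would, and works out whether a given chain of framing origins is allowed under X-Frame-Options and, when present, the Content-Security-Policy frame-ancestors directive that browsers apply in preference. The responses and the origins app.example.com, partner.example.com and evil.example.net are constructed for the demonstration, and the CSP source matching is simplified to the keywords, '*', a scheme-source and a host-source with an optional '*.' wildcard.

```python
"""Added example: emulate the browser's framing decision from a page's
response headers, so the effect of Tomcat's X-Frame-Options setting (and of
a CSP frame-ancestors directive, which overrides it) can be checked offline.
Hosts, origins and responses below are constructed for the demonstration."""


def parse_response_headers(raw):
    """Build a lower-cased header dict from a raw HTTP response, e.g. the
    output of `curl -si URL`; stops at the blank line that ends the headers."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def _frame_ancestors(headers):
    """Source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in headers.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.lower() for s in parts[1:]]
    return None


def _source_matches(source, page_origin, ancestor):
    """Simplified CSP source-expression match: 'none', 'self', '*', a
    scheme-source such as https:, or a host-source with optional scheme
    and optional leading '*.' wildcard."""
    if source == "'none'":
        return False
    if source == "'self'":
        return ancestor == page_origin
    if source == "*":
        return True
    anc_scheme, _, anc_host = ancestor.partition("://")
    if source.endswith(":"):
        return anc_scheme == source[:-1]
    src_scheme, sep, src_host = source.rpartition("://")
    if sep and src_scheme != anc_scheme:
        return False
    if src_host.startswith("*."):
        return anc_host.endswith(src_host[1:])
    return anc_host == src_host


def framing_allowed(headers, page_origin, ancestors):
    """True if the page may be rendered inside frames whose ancestor chain
    (top-level document first, innermost frame last) is `ancestors`.
    Modern browsers check every ancestor, not only the top-level page."""
    headers = {k.lower(): v for k, v in headers.items()}
    page_origin = page_origin.lower()
    ancestors = [a.lower() for a in ancestors]
    sources = _frame_ancestors(headers)
    if sources is not None:                      # CSP wins over X-Frame-Options
        return all(any(_source_matches(s, page_origin, a) for s in sources)
                   for a in ancestors)
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return all(a == page_origin for a in ancestors)
    # Missing header, the obsolete ALLOW-FROM form, or a typo: browsers
    # ignore the header and the page stays frameable.
    return True


def audit(headers):
    """Scanner-style verdict: 'csp', 'xfo', 'weak' (a value browsers ignore)
    or 'missing'."""
    headers = {k.lower(): v for k, v in headers.items()}
    if _frame_ancestors(headers) is not None:
        return "csp"
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return "weak" if xfo else "missing"


# Constructed capture of a response from an app with the filter in place.
TOMCAT_WITH_FILTER = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
PAGE = "https://app.example.com"          # constructed origins
ATTACKER = "https://evil.example.net"
PARTNER = "https://partner.example.com"
SAMPLES = {
    "no filter": {},
    "filter, DENY": parse_response_headers(TOMCAT_WITH_FILTER),
    "filter, SAMEORIGIN": {"X-Frame-Options": "SAMEORIGIN"},
    "obsolete ALLOW-FROM": {"X-Frame-Options": "ALLOW-FROM " + PARTNER},
    "CSP overrides XFO": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "frame-ancestors 'self' " + PARTNER},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:22} audit={audit(hdrs):8} "
              f"attacker can frame: {framing_allowed(hdrs, PAGE, [ATTACKER])}")
```

Run it as is to see the five constructed cases side by side; to check a real deployment, paste the output of curl -si into parse_response_headers and pass the result to audit and framing_allowed. The "obsolete ALLOW-FROM" row is the one worth remembering: the header is present, the scanner says "weak", and the attacker can still frame the page.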

Conclusion

Response headers like this one cost almost nothing to add, so treat security like this as a normal part of application development rather than an afterthought.
