Question & Answer
Question
How can I protect my WebSphere applications from the Cross Frame Scripting vulnerability?
Cause
Cross Frame Scripting (XFS) - Click jacking vulnerability
Answer
Cross Frame Scripting (XFS), also known as clickjacking, is an attack that exploits a bug in specific browsers to capture sensitive information from legitimate users of the application. The attacker induces a user's browser to navigate to a web page that the attacker controls; that page loads the third-party page in an HTML frame, and JavaScript executing in the attacker's page then steals data from the framed third-party page.
There is no custom property for the WebContainer in WebSphere Application Server that sets this header globally for all WebContainer responses.
If you want to define the X-Frame-Options header for your applications, you have to do this in the servlet code. For example:
response.setHeader("X-Frame-Options","SAMEORIGIN");
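Because there is no global WebContainer setting, the header must be set by the application itself. Rather than repeating the setHeader call in every servlet, a servlet Filter mapped to /* can add it to every response of the application. The filter below is an added example, not code from the IBM page; it assumes a Servlet 3.0 or later container (annotation-based registration) and uses a hypothetical init-param named "policy" to choose between DENY and SAMEORIGIN.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Added example: applies X-Frame-Options to every response of the web application.
// Assumption: Servlet 3.0+ API, so @WebFilter registers the filter without web.xml.
@WebFilter(urlPatterns = "/*")
public class FrameOptionsFilter implements Filter {

    // "SAMEORIGIN" allows framing only by pages from the same origin;
    // "DENY" forbids framing entirely. Default matches the page's example.
    private String policy = "SAMEORIGIN";

    @Override
    public void init(FilterConfig config) {
        // Hypothetical init-param "policy"; only the two safe values are accepted.
        String configured = config.getInitParameter("policy");
        if ("DENY".equalsIgnoreCase(configured) || "SAMEORIGIN".equalsIgnoreCase(configured)) {
            policy = configured.toUpperCase();
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            // Set the header before the servlet writes the body: once the response
            // is committed, headers added afterwards are silently dropped.
            ((HttpServletResponse) res).setHeader("X-Frame-Options", policy);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

After deployment, confirm the header is present on a real response, for example with `curl -I` against an application URL, and check that no servlet downstream overwrites it with a weaker value.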
See the following link for protecting against this vulnerability on your Apache HTTP Server running on the IBM i:
http://www-01.ibm.com/support/docview.wss?uid=nas8N1021854
Document Information
Modified date:
18 December 2019
UID
nas8N1021853