Enabling the X-Frame-Options header

You can configure the X-Frame-Options header settings to help you protect your site against Clickjacking. Clickjacking is a technique that tricks a web user into clicking a malicious site, thinking that it is your site. This malicious site can then reveal confidential information or take control of the user's computer.

About this task

You can help to protect your site from this form of attack by improving your X-Frame-Options header.

For more ways to protect your site from Clickjacking see, Clickjacking Defense Cheat Sheet.

The following are possible values for your X-Frame-Options header:
DENY
This configuration is the most restrictive and prevents your site page from being included in an iFrame. This option is optimal if you do not have valid users for an iFrame.
SAMEORIGIN
If a parent page is from the same domain as your site page, the site page can be included in the iFrame.
ALLOW-FROM uri
You can specify a single URI that is allowed to frame your site page.
Note: This option is not supported by all browsers. For more information about which browsers are supported, see Defending with X-Frame-Options Response Headers.

Procedure

Include the X-Frame-Options header with a response.
The Feature Pack 8 Aurora store has the X-Frame-Options header enabled in Stores.war/Aurora/Common/EnvironmentSetup.jspf. You can include this X-Frame-Options header by using one of the following options:
  • Use the IBM HTTP Server (IHS)
    Enabling the header with IHS is the more popular technique and this technique ensures that the header is included with all responses. To include the X-Frame-Options header, use a command that is similar to the following command, which appends the X-Frame-Options header SAMEORIGIN to responses:
    Header always append X-Frame-Options SAMEORIGIN
    For more information about controlling and modifying HTTP request and response headers, see Apache Module mod_headers.
  • Use the WebSphere Commerce application.
    1. Go to the following directory:
      • SolarisLinuxAIX Store_archivedir/Aurora/common
      • Windows Store_archivedir\Aurora\common
    2. Open the EnvironmentSetup.jspf for editing and add the following line of code:
      response.setHeader("X-Frame-Options","SAMEORIGIN");
    3. Save and close the file.
  • If you use Microsoft Internet Information Services (IIS), use the IIS Manager to include the X-Frames-Options. For more information, see Mitigating framesniffing with the X-Frame-Options header .