Reputation: 51
How to add "X-Frame-Options" header in .htaccess file to protect against 'ClickJacking' attacks
I have a Coldfusion Web application. To protect my site from Cross-Frame Scripting attack I'm planning to add a HTTP Response Header "X-Frame-Options" with a value of "SAMEORIGIN" in my '.htaccess file'. This is the article I'm referring:
https://geekflare.com/secure-apache-from-clickjacking-with-x-frame-options/, https://www.garron.me/en/bits/apache-htaccess-add-cache-control-header-file-type.html
Below code doesn't worked.
<FilesMatch "\.(cfm)$">
<ifModule mod_headers.c> Header append X-FRAME-OPTIONS 'SAMEORIGIN'</ifModule>
</FilesMatch>
I am new to this, can somebody please help how to do it correctly.
Thanks in advance.
Upvotes: 4
Views: 15468
Answers (2)
Reputation: 51
I have fixed this issue by adding Header set X-Frame-Options DENY outside IfModule mod_headers.c in the .htaccess file and enabling the Header module in the mod_headers.so file in Apache.
Upvotes: 0
Reputation: 13548
From your example it looks like you have combined things from both of the articles you referenced.
The Geekflare.com article gives this example for Apache:
Header always append X-Frame-Options SAMEORIGIN
The Garron.me article gives this example for Apache:
<filesMatch ".(html|htm)$">
Header set Cache-Control "max-age=14400, must-revalidate"
</filesMatch>
Which in my mind would translate to this for X-Frame-Options header on ColdFusion pages:
<filesMatch ".(cfml|cfm)$">
Header always append X-FRAME-OPTIONS SAMEORIGIN
</filesMatch>
Notice that there is no leading slash \ in the regex as in your code and the quotes are not necessary around SAMEORIGIN and you have omitted the always key word. You also have an additional <ifModule mod_headers.c> check that I don't think you need. I would combine the ColdFusion and HTML extensions to the condition like this <filesMatch ".(cfml|cfm|html|htm)$"> in order to send the header for those page requests.
I am just getting that from the articles you referenced but you have tagged your question with ColdFusion so there are several options for this. In fact, later versions of ColdFusion (I believe it was introduced with version 10) come with some protection out of the box. And you can customize it to fit your needs. See the "ClickJacking" section of this article - Security improvements in ColdFusion 10
From that document:
ColdFusion administrator protect against clickjacking using X-Frame-Options. You can also extend this option further to protect your applications, as follows:
Open the Web.xml file located at
<Server-doc-root>/WEB-INF.Add URL filter Mapping for your application with one of the two filters already specified:
CFClickJackFilterSameOriginorCFClickJackFilterDeny.Now let's say that you have an application
testClick, which you want to protect against clickjacking by denying a frame for application. To do so, add the following in the web.xml file.
<filter-mapping>
<filter-name>CFClickJackFilterDeny</filter-name>
<url-pattern>/testClick/*</url-pattern>
</filter-mapping>
Looking at the web.xml file from one of my servers includes the following out of the box (notice how they have added protection for the ColdFusion Administrator):
<!-- CF ClickJacking deny protection Filter -->
<filter>
<filter-name>CFClickJackFilterDeny</filter-name>
<filter-class>coldfusion.bootstrap.BootstrapFilter</filter-class>
<init-param>
<param-name>filter.class</param-name>
<param-value>coldfusion.filter.ClickjackingProtectionFilter</param-value>
</init-param>
<init-param>
<param-name>mode</param-name>
<param-value>DENY</param-value>
</init-param>
</filter>
<!-- CF ClickJacking same origiin protection Filter -->
<filter>
<filter-name>CFClickJackFilterSameOrigin</filter-name>
<filter-class>coldfusion.bootstrap.BootstrapFilter</filter-class>
<init-param>
<param-name>filter.class</param-name>
<param-value>coldfusion.filter.ClickjackingProtectionFilter</param-value>
</init-param>
<init-param>
<param-name>mode</param-name>
<param-value>SAMEORIGIN</param-value>
</init-param>
</filter>
<!-- CF ClickJacking Filter mapppings starts. For ColdFusion Administrator we are allowing
sameorigiin frames. Use Deny or some other mode of this filter as appropriate for the
application and add required url pattern
-->
<filter-mapping>
<filter-name>CFClickJackFilterSameOrigin</filter-name>
<url-pattern>/CFIDE/administrator/*</url-pattern>
</filter-mapping>
<!-- End CF ClickJacking Filter mappings -->
So in order to protect your entire ColdFusion site you could add a filter-mapping for the root of your site /*.
<filter-mapping>
<filter-name>CFClickJackFilterSameOrigin</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
You could even use the <cfheader> tag to include the response header (but you would have to do this on all pages or within Application.cfc, etc.)
<cfheader name="X-FRAME-OPTIONS" value="SAMEORIGIN" />
Upvotes: 3
Related Questions
- How to set X-Frame-Options Header in wordpress Site
- X-Frame-Options on Apache
- enable X-Frame-Options header in spring-boot application (without spring security)
- Modify headers x-frame-options in .htaccess
- Set x-frame-options to allow and disallow certain URLs to frame a page
- How to set X-Frame-Options?
- Adding multiple domain/URL in Header set X-Frame-Options "ALLOW-FROM "
- Respect X-Frame-Options with HTTP redirect
- Clickjacking protection using 'X-Frame-Options'?
- X-Frame-Options with intranet site