nur akkaya

Reputation: 21

How to Prevent Clickjacking Attacks in Jetty Server?

I need to prevent clickjacking attacks in Jetty. I tried the following code in web.xml, but it doesn't work.

In web.xml:

    <filter>
      <filter-name>HeaderFilter</filter-name>
      <filter-class>org.eclipse.jetty.servlets.HeaderFilter</filter-class>
      <init-param>
        <param-name>headerConfig</param-name>
        <param-value>X-Frame-Options: SAMEORIGIN
        </param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>HeaderFilter</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

Upvotes: 0

Views: 752

Answers (1)

Joakim Erdfelt

Reputation: 49452

What does the <filter-mapping> for that <filter> look like in your web.xml ?

I would expect something like ...

<filter-mapping>
  <filter-name>HeaderFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

The partial configuration in your question will result in matching responses that go through your webapp to have the following response headers.

X-Frame-Options: DENY
Cache-Control: <prior-cache-control-headers>, no-cache, no-store, must-revalidate
Expires: <now + 31540000000ms in the future>
Date: <now>

Not sure how that applies to your question about click-jacking though.

Are you sure you want X-Frame-Options: DENY and not something more sane like X-Frame-Options: sameorigin ?

What about the response header Content-Security-Policy? See if you need that header, with something like Content-Security-Policy: frame-ancestors 'self'; perhaps?

What about having a strict SameSite setting for your Cookies?

Upvotes: 0
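An added example, not code from the question or the answer above: it checks offline whether a set of response headers actually delivers what the answer recommends (X-Frame-Options DENY/SAMEORIGIN, a Content-Security-Policy frame-ancestors directive, SameSite on cookies), which is the check worth running against Jetty's responses before and after a HeaderFilter change. The two sample responses and the JSESSIONID cookie value are constructed for the demonstration.

```python
from typing import Dict, List, Optional, Union

Headers = Dict[str, Union[str, List[str]]]
# Constructed sample responses for this demonstration, not captured from a real server.
WEAK_RESPONSE: Headers = {"Content-Type": "text/html",
                          "Set-Cookie": "JSESSIONID=abc123; Path=/; HttpOnly"}
HARDENED_RESPONSE: Headers = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "Set-Cookie": ["JSESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"],
}

def _get(headers: Headers, name: str) -> List[str]:
    """Case-insensitive header lookup that always returns a list of values."""
    out: List[str] = []
    for key, value in headers.items():
        if key.lower() == name.lower():
            out.extend(value if isinstance(value, list) else [value])
    return out

def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Source list of the frame-ancestors directive, or None if the policy has none."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def assess_framing(headers: Headers) -> dict:
    """Report whether the headers stop cross-site framing and list what is missing."""
    findings: List[str] = []
    xfo = [v.strip().upper() for v in _get(headers, "X-Frame-Options")]
    blocked = bool(xfo) and xfo[0] in ("DENY", "SAMEORIGIN")
    if not xfo:
        findings.append("X-Frame-Options missing")
    elif not blocked:
        findings.append(f"X-Frame-Options {xfo[0]!r} is not DENY/SAMEORIGIN and browsers ignore it")
    # When a frame-ancestors directive is present it takes precedence over X-Frame-Options.
    for csp in _get(headers, "Content-Security-Policy"):
        sources = frame_ancestors(csp)
        if sources is not None:
            blocked = "*" not in sources
            if not blocked:
                findings.append("frame-ancestors * lets any site frame the page")
    for cookie in _get(headers, "Set-Cookie"):
        name, attrs = cookie.split("=", 1)[0], [a.strip().lower() for a in cookie.split(";")[1:]]
        samesite = next((a.split("=", 1)[1] for a in attrs if a.startswith("samesite=")), None)
        if samesite not in ("strict", "lax"):
            findings.append(f"cookie {name} lacks SameSite=Strict/Lax")
    return {"framing_blocked": blocked, "findings": findings}
```

Feed it the header map from a real response (for example via `requests.get(url).headers` and `raw.headers.getlist("Set-Cookie")`) to confirm the filter is applied on the paths you expect.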
