
How to Configure the X-Frame-Options Header to Mitigate Clickjacking Attempts Using OHS and WLS Applications (Doc ID 2040420.1)

Last updated on JUNE 26, 2018

Applies to:

Oracle WebLogic Server - Version 10.3.2 and later
Oracle Fusion Middleware - Version 11.1.1.2.0 and later
Oracle HTTP Server - Version 11.1.1.2.0 and later
Oracle WebCenter Content - Version 11.1.1.9.0 to 11.1.1.9.0 [Release 11g]
Information in this document applies to any platform.
- This concept applies to all versions

Goal

General Use Case to Configure X-Frame-Options Header to Mitigate Clickjacking Attempts

X-Frame-Options is a server-side method (an HTTP response header) of combating clickjacking; see https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet or http://en.wikipedia.org/wiki/Clickjacking for more information on both the attack and the header. Clickjacking, also known as a UI redress attack, is a method in which an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on a page other than the one they believe they are clicking. The attacker is thus "hijacking" clicks meant for one page and routing the user to an illegitimate page.

Web site administrators should take precautions to protect their web pages from clickjacking attempts. Clickjacking is not a security issue unique to Oracle HTTP Server or Oracle WebLogic Server; it concerns any server that serves up web pages.

A common clickjacking technique is to use the HTML iframe element to embed another server's page within a given site's page. Note that framing is not a bad thing in itself: it is a legitimate HTML feature used for many good purposes, such as creating an integrated experience. The objection arises when a third-party site surrounds the displayed iframe with content designed to trick a user, or simply has no permission to include your page within theirs. The question is how to prevent this.
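As an added example that is not part of the Oracle article, the following POSIX shell function does what the outline's "Quick Test to Verify Any Page" step implies: it reads captured HTTP response headers and reports whether X-Frame-Options restricts framing. The two sample responses are constructed; against a live OHS or WLS instance the input would come from `curl -sI <url>` (URL and server names assumed).

```shell
#!/bin/sh
# Added example (not from the Oracle article): classify the X-Frame-Options
# header in HTTP response headers read from stdin. With a live server the
# input would come from:  curl -sI https://host/app/ | xfo_check
# The sample responses below are constructed so the script runs offline.

# Prints one of:
#   MISSING      no X-Frame-Options header; any site may frame the page
#   OK:<value>   DENY or SAMEORIGIN; framing is restricted
#   WEAK:<value> ALLOW-FROM or an unrecognised value (poor browser support)
# Exit status is 0 only for OK, so the function can gate a deployment check.
xfo_check() {
    raw=$(tr -d '\r' | grep -i '^x-frame-options:' | head -n 1 \
          | cut -d: -f2- | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    if [ -z "$raw" ]; then
        echo "MISSING"
        return 1
    fi
    upper=$(printf '%s' "$raw" | tr '[:lower:]' '[:upper:]')
    case "$upper" in
        DENY|SAMEORIGIN) echo "OK:$upper"; return 0 ;;
        *)               echo "WEAK:$raw";  return 2 ;;
    esac
}

# Constructed sample: a page served with no anti-framing header at all
SAMPLE_MISSING='HTTP/1.1 200 OK
Server: Oracle-HTTP-Server
Content-Type: text/html'

# Constructed sample: the same page after the header has been configured
SAMPLE_SAME='HTTP/1.1 200 OK
Server: Oracle-HTTP-Server
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'

for sample in "$SAMPLE_MISSING" "$SAMPLE_SAME"; do
    if printf '%s\n' "$sample" | xfo_check; then
        echo "  -> framing restricted"
    else
        echo "  -> action needed: set X-Frame-Options to DENY or SAMEORIGIN"
    fi
done
```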

 

Solution


In this Document
Goal
 General Use Case to Configure X-Frame-Options Header to Mitigate Clickjacking Attempts
Solution
 How to Configure the X-Frame-Options Header to Mitigate Clickjacking Attempts Using OHS and WLS Applications
 1. Disable/Replace the OHS/WLS Default Welcome Page
 2. Using Oracle ADF Applications (with Weblogic Server)
 3. If Not Using Oracle ADF Applications (with WebLogic Server)
 Oracle HTTP Server Option
 Oracle Built Applications Where X-Frame-Options SAMEORIGIN is Not Set
 Quick Test to Verify Any Page
References
