how to set X-frame-options in Weblogic & Tomcat to fix XFS

sunhux
sunhux used Ask the Experts™
on
Can someone share the exact steps (step by step) on how to set
X-frame-options in Weblogic (10.3.6, 12.1.3, 12.2.1.3)  & Tomcat
to SAMEORIGIN to fix XFS/clickjacking?


I'm running Solaris 10 & RHEL 6  OS
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Exec Consultant
Distinguished Expert 2018
Commented:
Don't have the document in public but thought this would not differs too much from other reference on the security configuration. It need more holistic setting from security stand points against such web attacks  
https://docs.oracle.com/cd/E92727_01/techwebhelp/Content/techdocs/technicaldocs/security/secinstllnconfign.htm
HTTP Response Header Configurations
The following are some HTTP Response Headers that mitigate certain vulnerabilities.

Vulnerability                                                                HTTP Response Header
Clickjacking                                                                   X-Frame-Options
XSS                                                                                Content-Security-Policy
X-XSS-Protection                                                         Cookie hijacking
Protocol Downgrade attacks                                     Strict-Transport-Security
Retrieving Sensitive data from browser cache      Cache-Control

The sections below specify how to configure these response headers in the httpd.conf file of the web server.

X-Frame-Options
Header always append X-Frame-Options SAMEORIGIN

Content-Security-Policy
Header set Content-Security-Policy "default-src 'none'; img-src 'self'
data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self'
https://fonts.googleapis.com 'unsafe-inline'; object-src 'none'; frame-src
'none'; font-src 'self' https://fonts.googleapis.com/
https://fonts.gstatic.com/ data:; connect-src 'self'
https://fonts.googleapis.com/ https://fonts.gstatic.com/ http://<OAM
Server>:<OAM Port>; manifest-src 'self'; child-src 'self'"
Please note that the policy mentioned here is for the base product. If the product gets customized and content from different URLs needs to be allowed to be executed by the browser, then this policy will have to be modified accordingly.

X-XSS-Protection
Header set X-XSS-Protection “1; mode=block”

Strict-Transport-Security
Set this for your top level domain. The header directive needs to be included inside the VirtualHost directive

<VirtualHost *:443>
Header always set Strict-Transport-Security “max-age=31540000; includeSubDomains”
</VirtualHost>

Cache-Control
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires 0

Author

Commented:
Got a colleague to login to Oracle support portal but it virtually asks to
apply a patch/PSU or upgrade to 12.2.1.x  Weblogic: it's not like IIS or
Apache webserver which we can insert an X-frame-options=SAMEORIGIN
 into the webserver's config:

===============================  extract =========================================
Can X-Frame-Options HTTP Header be Enabled in Oracle WebLogic Server to Mitigate Clickjacking?
 (Doc ID 1558254.1)  * Applies to Oracle WebLogic Server - Version 10.3 and later

SOLUTION:
=========
Clickjacking is actually an application developer issue. There is not always a way to control this
 dependably with an application server configuration setting.

Oracle WebLogic Server (WLS) does not have a setting to control the X-Frame-Options Header,
the most standard way to prevent Clickjacking.

If there is an issue with an application deployed to Oracle WebLogic Server, please check who
 has developed the application.

Any Oracle developed applications should be sending the X-Frame-Options Header with DENY
 or SAMEORIGIN values.

WLS Console
===========
For Oracle Weblogic Server, the Console application (/console) is built by the WLS
 development team. There is a fix available through the Patch Set Update (PSU) releases
 beginning with July 2015:

Note 1470197.1 Patch Set Update (PSU) Release Listing for Oracle WebLogic Server (WLS)

e.g. WLS PSU 10.3.6.0.12+ has the the X-Frame-Options set to DENY, but WLS 12.2.1.x
        will have the fix by default since it was released October 2015.


After applying the latest PSU or upgrading to 12.2.1.x, the http headers of the WebLogic
 Server console application (/console) should be as follows:

HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Fri, 16 Oct 2015 20:36:12 GMT
Pragma: no-cache
Content-Length: 3162
Content-Type: text/html; charset=UTF-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Language: en-US
X-Powered-By: Servlet/2.5 JSP/2.1
X-Frame-Options: DENY                 <<<<<<<< The desired setting
btanExec Consultant
Distinguished Expert 2018

Commented:
Thanks for sharing

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial