IBM Support

Cross Frame Scripting (XFS) - Click jacking vulnerability and the IBM i Apache HTTP server.

Question & Answer


Question

How do I prevent Cross Frame Scripting (XFS) and clickjacking attacks against pages served by my IBM i Apache HTTP server?

Cause

Cross Frame Scripting (XFS) / clickjacking vulnerability: the HTTP server does not send an X-Frame-Options response header, so browsers allow its pages to be loaded inside a frame on a site the attacker controls.

Answer

Cross Frame Scripting (XFS) and clickjacking are two attacks that share one precondition: the attacker can load your page inside an HTML frame on a page the attacker controls, typically by luring a logged-in user to that page. In XFS the attacker exploits a bug in specific browsers so that JavaScript running in the attacker's page reads sensitive data (keystrokes, page content) out of the framed page. In clickjacking the framed page is hidden, for example under a transparent overlay, so that the user who believes they are clicking on the attacker's page is actually clicking buttons in your application with their own session. The server-side defence for both is the same: tell the browser not to render the page inside a frame on another site by sending the X-Frame-Options response header.

The X-Frame-Options header accepts one of the following values:

DENY
The page may not be rendered inside a frame at all, not even by a page from the same origin. This is the most restrictive setting and the right choice when nothing legitimately frames the page.

SAMEORIGIN
The page may be framed only by a page from the same origin (same scheme, host name and port). Framing from any other origin is refused.

ALLOW-FROM uri
Allows framing by exactly one specified URI.
Note: This value was never supported by all browsers, and current browsers ignore it entirely; an ignored value leaves the page unprotected. To allow a list of framing origins, use the frame-ancestors directive of the Content-Security-Policy header instead, which current browsers honour in preference to X-Frame-Options.

Add one of the following directives to the HTTP server configuration file (the Header directive is provided by the Apache mod_headers module):

Header always append X-Frame-Options SAMEORIGIN

or

Header always append X-Frame-Options DENY

The keyword always makes the header go out on every response, including error pages, where it is otherwise easily missed. Be aware that append adds to any X-Frame-Options value that another directive may already have set, and a combined value such as "DENY, SAMEORIGIN" is not recognised by browsers, so the page ends up unprotected. If the header may already be set elsewhere in the configuration, use "Header always set", which replaces the value, instead of append.

You must stop and start the HTTP server instance for the change to take effect.

The directive can also be added with the IBM Web Administration for i GUI instead of editing the configuration file by hand:

Select your HTTP server instance, click HTTP Responses in the left-hand navigation, choose the Response Headers tab, click Add, enter the header name and value as desired, click Continue and then OK.

To confirm the result, click Display Configuration File under Tools at the bottom left; the new Header directive appears in the displayed configuration.
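After the restart, confirm that the header really reaches clients in a form browsers honour. The following shell script is an added example and is not part of the IBM article. It reads an HTTP response header block from standard input (the constructed sample responses embedded below, or the output of curl against a server of your own; the host name in the comment is a placeholder) and fails when X-Frame-Options is missing, sent more than once, or carries a value browsers do not recognise, which is exactly what a "Header always append" produces when another directive has already set the header. A Content-Security-Policy header with frame-ancestors is accepted as equivalent protection.

```shell
#!/bin/sh
# Added example, not part of the IBM support article: verify, after the
# server restart, that the X-Frame-Options header reaches clients in a
# form browsers honour. Reads an HTTP response header block on stdin.
# Exit status 0 = page is protected against framing, 1 = it is not.
#
# Live check (host name is a placeholder):
#   curl -sSI https://myibmi.example.com/ | check_framing_headers

check_framing_headers() {
    tr -d '\r' | awk '
        BEGIN { xfo_count = 0; xfo_val = ""; csp_ok = 0 }
        # Header lines are "Name: value"; split on the first colon only.
        index($0, ":") > 0 {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            val  = substr($0, index($0, ":") + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (name == "x-frame-options") { xfo_count++; xfo_val = toupper(val) }
            # CSP frame-ancestors supersedes X-Frame-Options in current browsers.
            if (name == "content-security-policy" && tolower(val) ~ /frame-ancestors/) csp_ok = 1
        }
        END {
            if (csp_ok) { print "OK: Content-Security-Policy frame-ancestors present"; exit 0 }
            if (xfo_count == 0) { print "FAIL: no X-Frame-Options header in response"; exit 1 }
            if (xfo_count > 1) { print "FAIL: X-Frame-Options sent " xfo_count " times; browsers treat conflicting copies as invalid"; exit 1 }
            if (xfo_val == "DENY" || xfo_val == "SAMEORIGIN") { print "OK: X-Frame-Options " xfo_val; exit 0 }
            print "FAIL: X-Frame-Options value \"" xfo_val "\" is not DENY or SAMEORIGIN; browsers ignore it and allow framing"
            exit 1
        }'
}

# Constructed sample responses (not captured from a real server).
RESP_GOOD="$(printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Type: text/html\r\n')"
# What "Header always append" produces when another directive already set the header:
RESP_APPENDED="$(printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: DENY, SAMEORIGIN\r\n')"
RESP_MISSING="$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n')"
RESP_CSP="$(printf "HTTP/1.1 200 OK\r\nContent-Security-Policy: frame-ancestors 'self'\r\n")"

# Run the check over every sample; each prints an OK or FAIL line.
for r in "$RESP_GOOD" "$RESP_APPENDED" "$RESP_MISSING" "$RESP_CSP"; do
    printf '%s\n' "$r" | check_framing_headers || true
done
```

Header names are compared case-insensitively because Apache may emit them in a different case than the directive used, and the value comparison is made in upper case for the same reason. Run the live check against both an ordinary page and a URL that returns an error status, since the always keyword is what makes the header appear on error responses.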

Product: IBM i; Component: Web technologies; Platform: IBM i (iSeries); Version: Version Independent; Business Unit: IBM Infrastructure w/TPS; Line of Business: Power

Document Information

Modified date:
18 December 2019

UID

nas8N1021854