OpenNMS issue NMS-8393

Return X-Frame-Options HTTP header to prevent x-frame scripting and clickjacking


Description

Following a security scan using Nessus, a customer has requested that OpenNMS return the X-Frame-Options HTTP header with the index.jsp page's response to prevent cross-frame scripting and clickjacking (for more information see https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet).

I have fixed this issue using the standard jetty-rewrite jar.
This issue is to create a patch for Meridian 2016 so that the rewrite option is available in the standard distribution.

Download jetty-rewrite-7.6.15.v20140411.jar from http://mvnrepository.com/artifact/org.eclipse.jetty/jetty-rewrite/7.6.15.v20140411
dzdo cp jetty-rewrite-7.6.15.v20140411.jar /opt/opennms/lib/
Change /opt/opennms/etc/jetty.xml:

add or change the following lines:

<!-- added X-Frame-Options to avoid clickjacking -->
<New id="RewriteHandler" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
  <Set name="rules">
    <Array type="org.eclipse.jetty.rewrite.handler.Rule">
      <Item>
        <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
          <Set name="pattern">*</Set>
          <Set name="name">X-Frame-Options</Set>
          <Set name="value">SAMEORIGIN</Set>
        </New>
      </Item>
    </Array>
  </Set>
</New>

<Set name="handler">
  <New id="Handlers" class="org.eclipse.jetty.server.handler.HandlerCollection">
    <Set name="handlers">
      <Array type="org.eclipse.jetty.server.Handler">
        <Item>
          <Ref id="RewriteHandler" />
        </Item>
        <Item>
          <New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection" />
        </Item>
        <Item>
          <New id="DefaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler" />
        </Item>
      </Array>
    </Set>
  </New>
</Set>
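To confirm that the header actually reaches the browser after the jetty.xml change, the following added check (not part of this issue or of the OpenNMS project) classifies the X-Frame-Options header in a raw HTTP response, such as the text printed by `curl -i` for index.jsp; the sample responses it contains are constructed, not captured from a real OpenNMS instance.

```python
"""Added check (not OpenNMS project code): classify the X-Frame-Options header
in a raw HTTP/1.x response, e.g. the text printed by `curl -i` for index.jsp."""
from email import message_from_string
from email.message import Message

# Values every current browser honours. ALLOW-FROM is obsolete and is ignored
# (treated as if absent) by browsers that do not know it, so it is not listed.
HONOURED_VALUES = {"DENY", "SAMEORIGIN"}


def parse_response_headers(raw: str) -> Message:
    """Return the header block of a raw HTTP response as a Message (body ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    if not status_line.startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % status_line)
    # message_from_string gives case-insensitive, multi-valued header access
    return message_from_string(header_block)


def check_x_frame_options(raw: str) -> str:
    """Classify the response as 'protected', 'missing', 'invalid' or 'conflicting'."""
    headers = parse_response_headers(raw)
    values = []
    # The header may be repeated, or several values may be joined with commas;
    # browsers split both forms into a list before deciding.
    for field in headers.get_all("X-Frame-Options", []):
        values.extend(v.strip().upper() for v in field.split(",") if v.strip())
    if not values:
        return "missing"       # the condition the Nessus finding reports
    if len(set(values)) > 1:
        return "conflicting"   # browsers disagree on mixed values; treat as a finding
    if values[0] in HONOURED_VALUES:
        return "protected"
    return "invalid"           # e.g. ALLOW-FROM or a typo: silently ignored


# Constructed sample responses, not captured from a real OpenNMS instance.
PROTECTED_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                      "x-frame-options: sameorigin\r\n\r\n<html>...</html>")
UNPROTECTED_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"

if __name__ == "__main__":
    for label, raw in (("with header", PROTECTED_RESPONSE),
                       ("without header", UNPROTECTED_RESPONSE)):
        print(label, "->", check_x_frame_options(raw))
```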

People

Assignee: cgallen (Craig Gallen)
Reporter: cgallen (Craig Gallen)


Time Tracking

Original Estimate: 1 day
Remaining Estimate: 1 day
Time Spent: Not Specified