Tomcat X-FRAME-OPTIONS:DENY setting?

Greenhorn
Posts: 1
Hi all,

Our IT auditor has performed a penetration test on our company intranet website, which is hosted by Apache Tomcat 5.5.34, Java version 1.6. They told us the website is suffering from clickjacking attacks (https://www.owasp.org/index.php/Clickjacking), and the solution is to configure the web server to send X-FRAME-OPTIONS: DENY in the HTTP response header.

Bros, I would like to know if Tomcat can set this config. I have googled this issue, and I could only find articles on setting this option in Apache, but not in Tomcat. Thanks, everyone, and I hope some experts here can help me out.

Regards,
Jo
Saloon Keeper
Posts: 27763
Tomcat doesn't have this option, but you can use a ServletListener to stuff it in on outbound data streams.

I do something similar to customize cache headers.
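As an added example, not code from the original thread or from the Tomcat project: the component that can wrap every outbound response in a Servlet 2.4 container such as Tomcat 5.5 is a javax.servlet.Filter. The filter below sets the X-Frame-Options header the auditor asked for; the package name, class name, filter name and the "mode" init-param are my own choices, and the web.xml fragment in the class comment shows how it would be registered.

```java
package com.example.security; // assumed package name, not from the original post

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds "X-Frame-Options: DENY" (or SAMEORIGIN) to every response so browsers
 * refuse to render the page inside a frame, which is the clickjacking
 * mitigation the auditor requested.
 *
 * Written against the Servlet 2.4 API shipped with Tomcat 5.5 and the Java 6
 * language level: no javax.servlet.annotation, no diamond operator, no
 * try-with-resources.
 *
 * Registration in WEB-INF/web.xml (names are assumptions, not from the post):
 *
 *   <filter>
 *     <filter-name>FrameOptionsFilter</filter-name>
 *     <filter-class>com.example.security.FrameOptionsFilter</filter-class>
 *     <init-param>
 *       <param-name>mode</param-name>
 *       <param-value>DENY</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>FrameOptionsFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *     <dispatcher>REQUEST</dispatcher>
 *     <dispatcher>ERROR</dispatcher>
 *   </filter-mapping>
 *
 * The ERROR dispatcher matters: a 404 or 500 error page is still a page a
 * browser can frame, so it needs the header too.
 */
public class FrameOptionsFilter implements Filter {

    private static final String HEADER = "X-Frame-Options";

    // Default is the strictest value; SAMEORIGIN can be chosen via init-param.
    private String mode = "DENY";

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("mode");
        if (configured != null) {
            configured = configured.trim().toUpperCase();
            // Accept only the two values browsers reliably honour; anything
            // else is a misconfiguration and should fail deployment loudly.
            if (!"DENY".equals(configured) && !"SAMEORIGIN".equals(configured)) {
                throw new ServletException("Unsupported X-Frame-Options mode: " + configured);
            }
            mode = configured;
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            // Set the header BEFORE passing control down the chain: once the
            // servlet or JSP commits the response (flushes its first buffer of
            // output), added headers are silently discarded.
            ((HttpServletResponse) response).setHeader(HEADER, mode);
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

After deploying, confirm the header is actually reaching the client rather than trusting the config: fetch a normal page, a static resource and an error URL with `curl -sI` and check each response for an `X-Frame-Options` line. Responses that bypass the filter chain (for example content served by a fronting reverse proxy) will not carry it and must be handled there.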