Search Engine: Elastic

Clickjacking protection in PA

Article ID: 122714, created on Aug 25, 2014, last review on Sep 15, 2014

  • Applies to:
  • Operations Automation

Issue

PA CP is potentially vulnerable to the clickjacking attacks.

Resolution

  1. Modify the /usr/local/pem/etc/branding/branding_htaccess.tmpl file on POA MN and add the following line to it:

    header always set X-Frame-Options sameorigin

  2. Modify .branding_htaccess file for each branding server/branding webspace that deals with HTTPS connections on specific brand and add the following line to it:

    header always set X-Frame-Options sameorigin

    Example of the .branding_htaccess file location:

    Brand on legacy LSH: /usr/local/pem/vhosts/100001/webspace/httpsdocs/branddomain.tld/.branding_htaccess Brand on LSH NG: /var/www/vhosts/2/100008/webspace/httpdocs/branddomain.tld/.branding_htaccess

  3. Test that it is possible to log in to CP, switch to Billing and back to the Operations panel

5356b422f65bdad1c3e9edca5d74a1ae caea8340e2d186a540518d08602aa065 e12cea1d47a3125d335d68e6d4e15e07

Email subscription for changes to this article
Save as PDF