Issue
PA CP is potentially vulnerable to clickjacking attacks: CP pages are served without an X-Frame-Options response header, so a third-party site can embed them in a frame and trick a logged-in user into clicking on controls inside it.
Resolution
- Modify the /usr/local/pem/etc/branding/branding_htaccess.tmpl file on the POA MN and add the following line to it, so that .branding_htaccess files generated from the template include the header:
  Header always set X-Frame-Options sameorigin
- Modify the .branding_htaccess file of each branding server/branding webspace that serves HTTPS connections for a specific brand and add the same line to it:
  Header always set X-Frame-Options sameorigin
  Example .branding_htaccess file locations:
  Brand on legacy LSH: /usr/local/pem/vhosts/100001/webspace/httpsdocs/branddomain.tld/.branding_htaccess
  Brand on LSH NG: /var/www/vhosts/2/100008/webspace/httpdocs/branddomain.tld/.branding_htaccess
  Note: the Header directive is provided by mod_headers. If that module is not loaded, Apache rejects the directive and requests for the brand return HTTP 500, so confirm the module is enabled before editing the files. The "always" keyword makes the header appear on error responses as well, not only on successful pages.
- Test that it is still possible to log in to CP, switch to Billing and back to the Operations panel. This confirms that the panels' own same-origin framing keeps working with the sameorigin value, while framing from another origin is now refused by the browser.
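The following POSIX shell helpers are an added example, not part of the original article or of the PA/POA product. They apply the directive to a given .htaccess-style file only once (safe to rerun across many brands), list .branding_htaccess files under the two vhost roots taken from the example paths above, and check a captured response header block for a protective X-Frame-Options value. The branddomain.tld URL and the vhost roots in the usage comments are taken from the article's examples; nothing else about the deployment is assumed.

```shell
#!/bin/sh
# Added example (not from the original KB article or from the PA/POA product):
# helpers to add the X-Frame-Options directive idempotently to the branding
# template and .branding_htaccess files, and to verify a response carries it.
# The vhost roots and URL in the usage comments are the article's examples;
# any other name here is for illustration only.

# The directive from the article. "Header" requires mod_headers; "always"
# applies the header to error responses too, not only to 2xx pages.
XFO_LINE='Header always set X-Frame-Options sameorigin'

# add_xfo FILE
# Append the directive unless the file already sets X-Frame-Options.
# Creates the file if it does not exist. Prints what it did.
add_xfo() {
    f="$1"
    if [ -f "$f" ] && grep -qi 'X-Frame-Options' "$f"; then
        echo "already set: $f"
        return 0
    fi
    printf '%s\n' "$XFO_LINE" >> "$f"
    echo "added to: $f"
}

# count_xfo FILE
# Print how many lines in FILE mention X-Frame-Options (expect exactly 1
# after add_xfo, however many times it was run).
count_xfo() {
    grep -ci 'X-Frame-Options' "$1" || true
}

# find_branding_htaccess DIR...
# List every .branding_htaccess under the given directories, e.g. the
# legacy LSH root /usr/local/pem/vhosts and the LSH NG root /var/www/vhosts.
find_branding_htaccess() {
    find "$@" -type f -name '.branding_htaccess' 2>/dev/null
}

# check_xfo_headers RAW_HEADERS
# RAW_HEADERS is a response header block as printed by `curl -sI URL`.
# Returns 0 if X-Frame-Options is SAMEORIGIN or DENY (compared
# case-insensitively, as browsers do), 1 otherwise.
check_xfo_headers() {
    printf '%s\n' "$1" | tr -d '\r' |
        grep -qiE '^X-Frame-Options:[[:space:]]*(SAMEORIGIN|DENY)[[:space:]]*$'
}

# Typical use on a branding server (commented out so this file can be
# sourced or run without changing anything):
#   find_branding_htaccess /usr/local/pem/vhosts /var/www/vhosts |
#       while IFS= read -r f; do add_xfo "$f"; done
#   check_xfo_headers "$(curl -sI https://branddomain.tld/)" \
#       && echo "X-Frame-Options present" || echo "X-Frame-Options missing"
```

After reloading Apache (or, for .htaccess changes, immediately), run the curl check against each brand's HTTPS URL; a missing header usually means the edited file is not the one Apache reads for that vhost, or mod_headers is not loaded.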