You can configure a security filter, SecurityHeadersPolicy, that mitigates clickjacking attacks in Alfresco Share.
SecurityHeadersPolicy is a Java Servlet filter that adds HTTP response headers to the responses Share returns for incoming requests. The headers that are returned are defined in a configuration section called SecurityHeadersPolicy in alfresco-security-config.xml.
Three headers are added by default: X-Frame-Options, X-Content-Type-Options and X-XSS-Protection:
<config evaluator="string-compare" condition="SecurityHeadersPolicy">
  <headers>
    <header>
      <name>X-Frame-Options</name>
      <value>SAMEORIGIN</value>
    </header>
    <header>
      <name>X-Content-Type-Options</name>
      <value>nosniff</value>
    </header>
    <header>
      <name>X-XSS-Protection</name>
      <value>1; mode=block</value>
    </header>
  </headers>
</config>
2. X-Frame-Options header
Adding this header to an HTTP response tells the browser whether Share pages are permitted inside iframes. The default configuration sets it to SAMEORIGIN, which means that Share pages may only be placed in iframes by Share itself or by other web applications that live under the same domain.
You can override the configuration and set the header to return DENY instead, by placing the following configuration in your share-config-custom.xml file:
<config evaluator="string-compare" condition="SecurityHeadersPolicy">
  <headers>
    <header>
      <name>X-Frame-Options</name>
      <value>DENY</value>
    </header>
  </headers>
</config>
Could you please suggest which one will be the perfect solution?
Currently we are planning to go with no. 2.
If anyone is thinking about no. 1, please share the exact location of alfresco-security-config.xml.
Has anyone implemented the same earlier?
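Whichever option is chosen, the useful follow-up check is to confirm that the headers Share actually returns match the SecurityHeadersPolicy configuration. The script below is an added example for this thread, not code from Alfresco or from the question: it parses the two config sections quoted above (wrapped in an assumed alfresco-config root element), merges them on the assumption that a header in share-config-custom.xml overrides the default of the same name, and then compares the result against a constructed sample HTTP response, reporting any header that is missing or carries a different value.

```python
"""Verify that an HTTP response carries the headers a SecurityHeadersPolicy
config section declares.  Added example, not Alfresco's own code."""
from xml.etree import ElementTree as ET

# Default section as quoted in the thread (alfresco-security-config.xml).
# The <alfresco-config> root element is assumed here for parsing.
DEFAULT_CONFIG = """<alfresco-config>
<config evaluator="string-compare" condition="SecurityHeadersPolicy">
  <headers>
    <header><name>X-Frame-Options</name><value>SAMEORIGIN</value></header>
    <header><name>X-Content-Type-Options</name><value>nosniff</value></header>
    <header><name>X-XSS-Protection</name><value>1; mode=block</value></header>
  </headers>
</config>
</alfresco-config>"""

# Override from share-config-custom.xml (option no. 2 in the question).
CUSTOM_CONFIG = """<alfresco-config>
<config evaluator="string-compare" condition="SecurityHeadersPolicy">
  <headers>
    <header><name>X-Frame-Options</name><value>DENY</value></header>
  </headers>
</config>
</alfresco-config>"""


def parse_policy(xml_text):
    """Return {header-name: value} from every SecurityHeadersPolicy section."""
    root = ET.fromstring(xml_text)
    headers = {}
    for config in root.iter("config"):
        if config.get("condition") != "SecurityHeadersPolicy":
            continue
        for header in config.iter("header"):
            name = header.findtext("name", "").strip()
            value = header.findtext("value", "").strip()
            if name:
                headers[name] = value
    return headers


def effective_policy(*xml_sections):
    """Merge sections in order; a later section overrides earlier values by name.
    ASSUMPTION: this models how share-config-custom.xml overrides the default
    section.  Confirm against your own deployment before relying on it."""
    merged = {}
    for xml_text in xml_sections:
        merged.update(parse_policy(xml_text))
    return merged


def parse_response_headers(raw):
    """Split a raw HTTP/1.1 response into (status line, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return lines[0], headers


def check_response(raw, policy):
    """Return findings for every policy header that is absent or mismatched."""
    _, got = parse_response_headers(raw)
    findings = []
    for name, expected in policy.items():
        actual = got.get(name.lower())
        if actual is None:
            findings.append(f"missing {name} (expected {expected!r})")
        elif actual != expected:
            findings.append(f"{name} is {actual!r}, expected {expected!r}")
    return findings


# Constructed sample response: the override has NOT taken effect and one
# default header is absent, so both problems should be reported.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    policy = effective_policy(DEFAULT_CONFIG, CUSTOM_CONFIG)
    for finding in check_response(SAMPLE_RESPONSE, policy):
        print(finding)
```

In practice the raw response would come from a request against the Share login page after a restart; running the check for both the default section alone and the merged policy shows whether a missing header is a configuration problem or an override that was never picked up.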