Clickjacking protection
Clickjacking, also known as a User Interface redress attack, UI redress attack or UI redressing, is a malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information.
Clickjacking protection is implemented as described by OWASP, by appending the following headers to responses:
| Header | Value |
|---|---|
| X-Frame-Options | SAMEORIGIN |
| Content-Security-Policy | frame-ancestors 'self'; default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; img-src 'self' |
For more information about the subject, please consult the official Content Security Policy documentation.
Warning: The use of eval, setTimeout with a string argument, setInterval with a string argument and new Function with the function body given as a string should be avoided in the front-end code, as the 'unsafe-eval' directive is in effect. If a custom front-end is used which does not use KnockoutJS or other frameworks that make use of the above-mentioned JavaScript functions, we recommend removing the 'unsafe-eval' directive from script-src. We also recommend keeping other XSS protection measures enabled, such as the XSS protection header, XSS whitelist and/or XSS blacklist.
When it should be disabled
This option needs to be disabled when the Blueriq application is used inside a frame that originates from a website on another domain.
The Clickjacking protection is enabled by default.
Set the following property to disable it:

```properties
blueriq.security.click-jacking-protection.enabled = false
```
Configure parameters
The default value for the 'Content-Security-Policy' header in Production mode (without the Development Tools component) is:

```
frame-ancestors 'self'; default-src 'self'; script-src 'self' 'unsafe-eval';
```
The values for this header can be configured for the Java Runtime with the following properties (one property per CSP directive):

```properties
blueriq.security.click-jacking-protection.content-security-policy.default-src = 'self'
blueriq.security.click-jacking-protection.content-security-policy.script-src = 'self' 'unsafe-inline' 'unsafe-eval'
blueriq.security.click-jacking-protection.content-security-policy.style-src = 'self' 'unsafe-inline'
blueriq.security.click-jacking-protection.content-security-policy.font-src = 'self' data:
blueriq.security.click-jacking-protection.content-security-policy.img-src = 'self'
blueriq.security.click-jacking-protection.content-security-policy.frame-ancestors = 'self'
```
Property value overrides in development
When the Development Tools component is present and active, additional settings are required for the Content Security Policy, due to the frameworks used by this component (Vaadin in Java).
In the Runtime, this is achieved by overriding the property values in the application-development-tools.properties file. The default values for the Content Security Policy in application-development-tools.properties are:

```properties
blueriq.security.click-jacking-protection.content-security-policy.script-src = 'self' 'unsafe-eval' 'unsafe-inline'
blueriq.security.click-jacking-protection.content-security-policy.style-src = 'self' 'unsafe-inline'
blueriq.security.click-jacking-protection.content-security-policy.img-src = 'self' 'unsafe-inline' data:
```
Warning: Security headers generated by the Runtime are only applied to pages that are served from the Runtime itself. In case the Blueriq Frontend is served from a CDN or via a reverse proxy, these headers will need to be configured on the CDN or reverse proxy for the headers to be applied.
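Because the headers above are only added to responses served by the Runtime itself, it is worth checking what a browser actually receives once a CDN or reverse proxy sits in front of the Frontend. The following added example (not Blueriq's own code) does two things: it assembles a Content-Security-Policy value from `blueriq.security.click-jacking-protection.content-security-policy.*` properties, and it audits a set of response headers against the baseline documented on this page (X-Frame-Options SAMEORIGIN, a `frame-ancestors` directive, and a note when `'unsafe-eval'` or `'unsafe-inline'` is still present in `script-src`, as the warning above recommends removing it where the front-end does not need it). The property-to-header mapping is an assumption: the page does not document the exact order in which the Runtime joins the directives. The sample responses are constructed; in practice the headers would come from an HTTP client response.

```python
"""Audit clickjacking / CSP response headers against the documented baseline.

Added example, not part of the Blueriq Runtime. Assumptions (not documented
on the page): the Runtime joins each 'content-security-policy.<directive>'
property into the header as '<directive> <value>; ...', in property order.
"""
from typing import Dict, List

CSP_PREFIX = "blueriq.security.click-jacking-protection.content-security-policy."


def build_csp(properties: Dict[str, str]) -> str:
    """Assemble a CSP header value from Blueriq-style properties (assumed mapping)."""
    directives = []
    for key, value in properties.items():
        if key.startswith(CSP_PREFIX):
            directives.append(f"{key[len(CSP_PREFIX):]} {value.strip()}")
    return "; ".join(directives)


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source, ...]}.

    Empty segments (e.g. a stray ';;') are ignored; directive names are
    case-insensitive, so they are normalised to lower case.
    """
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the headers match the baseline."""
    findings: List[str] = []
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    xfo = lower.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options header missing")
    elif xfo.strip().upper() not in ("SAMEORIGIN", "DENY"):
        findings.append(f"X-Frame-Options is '{xfo}', expected SAMEORIGIN (or DENY)")

    csp_value = lower.get("content-security-policy")
    if csp_value is None:
        findings.append("Content-Security-Policy header missing")
        return findings

    policy = parse_csp(csp_value)
    ancestors = policy.get("frame-ancestors")
    if ancestors is None:
        findings.append("frame-ancestors directive missing: CSP does not restrict framing")
    elif "*" in ancestors:
        findings.append("frame-ancestors allows any origin ('*')")

    # script-src falls back to default-src when absent, as the CSP spec specifies
    script_src = policy.get("script-src", policy.get("default-src", []))
    for keyword in ("'unsafe-eval'", "'unsafe-inline'"):
        if keyword in script_src:
            findings.append(f"script-src contains {keyword}; remove it if the front-end does not need it")
    return findings


# Constructed sample responses: one carrying the documented production headers,
# one from a CDN that did not forward the Runtime's headers.
RUNTIME_RESPONSE = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self'; default-src 'self'; script-src 'self' 'unsafe-eval'",
}
CDN_RESPONSE = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for name, hdrs in (("runtime", RUNTIME_RESPONSE), ("cdn", CDN_RESPONSE)):
        print(name, audit_headers(hdrs) or ["OK"])
```

Run the script against headers captured from the public entry point (CDN or proxy) rather than from the Runtime directly; a finding of "Content-Security-Policy header missing" there is exactly the situation the warning describes. The `'unsafe-eval'` finding is advisory: keep the directive when the front-end relies on KnockoutJS or similar frameworks, and remove it otherwise.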