How to protect TIBCO Spotfire Server against Clickjacking security vulnerability

Article ID: KB0076288

Products: Spotfire Server
Versions: All Versions

Description

Instructions to enable protection against Clickjacking security vulnerability on TIBCO Spotfire Server

Issue/Introduction

How to protect TIBCO Spotfire Server against Clickjacking security vulnerability

Resolution

The TIBCO Spotfire Server can be configured to include an "X-Frame-Options" HTTP header in its responses to prevent this vulnerability. The header is optional and is not included by default. The following instructions configure protection against Clickjacking attacks on TIBCO Spotfire Server.
 
On Windows:
-------------------------------------------
1). Open the command prompt and go to "<TSS installation folder>\tomcat\bin" for 10.2 and lower, or "<TSS installation folder>\tomcat\spotfire-bin" for 10.3 and higher.

2). Run the following commands:

   -- Export current active configuration into a file (configuration.xml) for modification
   config.bat export-config --force
   
   -- Enable X-Frame-Options to prevent the attack
   config.bat set-config-prop --name="security.x-frame-options.enabled" --value="true"
   
   -- When this feature is enabled, the server includes the HTTP header "X-Frame-Options" with the default value "SAMEORIGIN" in all responses.
   -- The "X-Frame-Options" header can also take the following values:
      DENY: prevents the server web page from being rendered inside any frame.
      SAMEORIGIN: prevents the server web page from being rendered inside a frame when the framing page's origin differs from the server's.
      ALLOW-FROM: the server web page is rendered only when framed from the specified location (an obsolete directive that current browsers ignore).
      ALLOWALL: allows rendering within a frame from any location (this is a non-standard value, not supported by all browsers, and it provides no Clickjacking protection).
   
   -- Use the following command to change the value as required, for example:
   config.bat set-config-prop --name="security.x-frame-options.directive" --value="DENY"
   
   -- Import the modified configuration into the database.
   config.bat import-config -c "enabled X-Frame-Options"
   
3). Restart the TIBCO Spotfire Server service.
----------------------------------------------------
 
On Unix/Linux:
-------------------------------------------
1). Log in to a shell and go to "<TSS installation directory>/tomcat/bin" for 10.2 and lower, or "<TSS installation directory>/tomcat/spotfire-bin" for 10.3 and higher.

2). Run the following commands:

   -- Export current active configuration into a file (configuration.xml) for modification
   config.sh export-config --force
   
   -- Enable X-Frame-Options to prevent the attack
   config.sh set-config-prop --name="security.x-frame-options.enabled" --value="true"
   
   -- When this feature is enabled, the server includes the HTTP header "X-Frame-Options" with the default value "SAMEORIGIN" in all responses.
   -- The "X-Frame-Options" header can also take the following values:
      DENY: prevents the server web page from being rendered inside any frame.
      SAMEORIGIN: prevents the server web page from being rendered inside a frame when the framing page's origin differs from the server's.
      ALLOW-FROM: the server web page is rendered only when framed from the specified location (an obsolete directive that current browsers ignore).
      ALLOWALL: allows rendering within a frame from any location (this is a non-standard value, not supported by all browsers, and it provides no Clickjacking protection).
   
   -- Use the following command to change the value as required, for example:
   config.sh set-config-prop --name="security.x-frame-options.directive" --value="DENY"
   
   -- Import the modified configuration into the database.
   config.sh import-config -c "enabled X-Frame-Options"
   
3). Restart the TIBCO Spotfire Server process.
----------------------------------------------------
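To confirm the setting took effect after the restart, here is an added Python check that is not part of this article or of TIBCO's tooling: it parses an HTTP response head and classifies the X-Frame-Options value using the directives listed above. The sample response heads are constructed, and the server URL passed to check_url is an assumption you replace with your own.

```python
"""Classify the X-Frame-Options header in an HTTP response head."""
import http.client
from urllib.parse import urlparse

# Constructed sample response heads (not captured from a real Spotfire Server).
SAMPLE_PROTECTED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"
SAMPLE_MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_ALLOWALL = "HTTP/1.1 200 OK\r\nx-frame-options: ALLOWALL\r\n\r\n"

def parse_headers(raw):
    """Map lower-cased header names to values from a raw response head
    (status line followed by header lines and a blank line)."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def assess_x_frame_options(raw):
    """Return (verdict, detail) for the framing protection a response advertises.

    protected   - DENY or SAMEORIGIN (the values the article recommends)
    weak        - ALLOW-FROM (obsolete; current browsers ignore it)
    unprotected - header absent, ALLOWALL, or an unrecognised value
    """
    value = parse_headers(raw).get("x-frame-options")
    if value is None:
        return "unprotected", "X-Frame-Options header not present"
    directive = value.upper()
    if directive in ("DENY", "SAMEORIGIN"):
        return "protected", directive
    if directive.startswith("ALLOW-FROM"):
        return "weak", directive
    return "unprotected", directive

def check_url(url, timeout=10):
    """Send a HEAD request to the given URL (an assumed Spotfire Server
    address) and assess the live response; this needs network access."""
    u = urlparse(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    conn.request("HEAD", u.path or "/")
    resp = conn.getresponse()
    raw = "HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
    raw += "".join("%s: %s\r\n" % kv for kv in resp.getheaders()) + "\r\n"
    return assess_x_frame_options(raw)
```

Run check_url("https://<your-spotfire-server>/") against the restarted server; anything other than a "protected" verdict means the configuration was not imported or the service was not restarted.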

Additional Information

https://en.wikipedia.org/wiki/Clickjacking
https://www.owasp.org/index.php/Clickjacking