How to reduce or even eliminate Clickjacking exposure?

Article ID: KB0071945

Products: TIBCO Rendezvous
Versions: -

Description

1. We have the following fix in RV 8.4.5.

===========
RV-3445 Enhanced security for web GUI pages

RV Web UIs can no longer be presented in the frames of other web pages: the X-Frame-Options HTTP header is set to DENY (clickjacking).
===========

We strongly recommend upgrading to RV 8.4.5 or later to avoid clickjacking exposure.

2. If you cannot upgrade to RV 8.4.5 or later, there are two ways to reduce or even eliminate the exposure:

a). To reduce the exposure, start the RV daemon with the command-line parameter -http 127.0.0.1, so that the daemon accepts HTTP connections only from a browser running on the local host. This reduces rather than eliminates the exposure, because the web interface remains reachable from a browser on that host.

b). If the admin interface is not needed, the exposure can be eliminated completely by running the daemon with the -no-http parameter, which stops the daemon from accepting any HTTP connection at all.
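The following script is an added example (not TIBCO code) for checking, after either mitigation or after the upgrade, what the daemon's HTTP admin interface actually exposes. It classifies listener lines from netstat or ss as "exposed", "local-only" (option a) or "disabled" (option b), and classifies a web UI response header set as protected against framing or not (the RV 8.4.5 fix sets X-Frame-Options: DENY). Assumptions: the rvd web interface listens on TCP port 7580 unless -http was given another port, the sample netstat/ss output is constructed rather than captured, and headers are passed as a plain dict; all function names are the example's own.

```python
"""Post-mitigation checks for the rvd HTTP admin interface (added example, not TIBCO code)."""
import re
from typing import Dict, List

RVD_HTTP_PORT = 7580  # assumed default rvd web port; override if rvd runs with -http <port>

# Local-address column in netstat/ss output: IPv4, bracketed IPv6, bare "::"
# (Linux netstat), or "*", followed by ":port".
_ADDR_PORT = re.compile(r'(\[[0-9a-fA-F:.]+\]|[0-9.]+|::|\*):(\d+)')


def listener_addresses(output: str, port: int = RVD_HTTP_PORT) -> List[str]:
    """Return every local address on which a socket is listening on `port`."""
    found = []
    for line in output.splitlines():
        if 'LISTEN' not in line.upper():      # skips headers and non-listening sockets
            continue
        for addr, p in _ADDR_PORT.findall(line):
            if int(p) == port:
                found.append(addr)
    return found


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1 (bracketed or not)."""
    bare = addr.strip('[]')
    return bare.startswith('127.') or bare == '::1'


def http_exposure(output: str, port: int = RVD_HTTP_PORT) -> str:
    """'disabled'  : no listener on the port (rvd started with -no-http)
       'local-only': every listener is loopback (rvd started with -http 127.0.0.1)
       'exposed'   : at least one listener on a wildcard or non-loopback address"""
    addrs = listener_addresses(output, port)
    if not addrs:
        return 'disabled'
    if all(is_loopback(a) for a in addrs):
        return 'local-only'
    return 'exposed'


def frame_protection(headers: Dict[str, str]) -> str:
    """Classify anti-framing headers on a web UI response. X-Frame-Options DENY
    or SAMEORIGIN counts as protected; a CSP frame-ancestors 'none'/'self'
    directive is the modern equivalent and is accepted as 'CSP'. Any other
    X-Frame-Options value is 'WEAK'; no relevant header at all is 'MISSING'."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    xfo = lowered.get('x-frame-options', '').upper()
    if xfo in ('DENY', 'SAMEORIGIN'):
        return xfo
    csp = lowered.get('content-security-policy', '').lower()
    m = re.search(r"frame-ancestors\s+([^;]+)", csp)
    if m and m.group(1).strip() in ("'none'", "'self'"):
        return 'CSP'
    return 'WEAK' if xfo else 'MISSING'


# Constructed sample outputs (not captured from a real host).
NETSTAT_EXPOSED = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:7500           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7580           0.0.0.0:0              LISTENING
"""
NETSTAT_LOCAL = """\
  TCP    0.0.0.0:7500           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:7580         0.0.0.0:0              LISTENING
"""
SS_DISABLED = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:7500        0.0.0.0:*
"""

if __name__ == '__main__':
    for label, out in (('default rvd', NETSTAT_EXPOSED),
                       ('-http 127.0.0.1', NETSTAT_LOCAL),
                       ('-no-http', SS_DISABLED)):
        print(f'{label:17s} -> {http_exposure(out)}')
    print('RV 8.4.5 fix  ->', frame_protection({'X-Frame-Options': 'DENY'}))
```

On a live host, feed `http_exposure` the text of `netstat -an` (Windows) or `ss -ltn` (Unix), and feed `frame_protection` the headers of a GET against the web UI; "exposed" or "MISSING" means the mitigation did not take effect, for example because another application restarted the default rvd.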

If other applications start the default RVD automatically, the RVD process can instead be restarted automatically with the desired parameters (for example -no-http), as described below:

For Unix, please refer to the Article: "https://support.tibco.com/s/article/Tibco-KnowledgeArticle-Article-44991"

For Windows:

You can register the RVD as a Windows service.

To register a component as a Windows service, run the utility with this command line:

rvntsreg /i service_name ctrl_dir daemon_dir arguments

service_name: Name of the Windows service.

ctrl_dir: Directory path to the controller executable rvntsctl.exe. Usually, this file is in the same location as the Rendezvous daemon, though you may copy it to another location (for example, the Windows directory).

daemon_dir: Directory path to the Rendezvous daemon executable.

arguments: The controller executable passes these command-line arguments to the Rendezvous daemon. Supply the arguments as a quoted string. If an argument is a file or directory name that contains space characters, you must enclose that name within escaped quotes (\").

Example:

rvntsreg /i rvd c:\tibco\tibrv\8.4\bin c:\tibco\tibrv\8.4\bin "-listen 5678 -logfile rvd5678.log -no-http"
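The following helper is an added example (not TIBCO code) for scripting the registration above: it assembles the rvntsreg command line, applies the escaped-quote rule for file or directory names containing spaces, and checks whether the argument list actually carries one of the article's two mitigations before the service is registered. Assumptions: rvntsreg /i takes the four positional values shown above, the daemon arguments are supplied as a list of tokens, and the function names and the sample path with a space are the example's own.

```python
"""Build and sanity-check the rvntsreg command line (added example, not TIBCO code)."""
from typing import Sequence


def quote_daemon_args(args: Sequence[str]) -> str:
    """Join rvd arguments into the single quoted string rvntsreg passes through.
    A name containing spaces is wrapped in escaped quotes (\\") inside that string,
    as the article requires."""
    tokens = []
    for tok in args:
        if ' ' in tok:
            tok = '\\"' + tok + '\\"'
        tokens.append(tok)
    return '"' + ' '.join(tokens) + '"'


def build_rvntsreg_command(service_name: str, ctrl_dir: str,
                           daemon_dir: str, args: Sequence[str]) -> str:
    """rvntsreg /i service_name ctrl_dir daemon_dir "arguments"."""
    return ' '.join(['rvntsreg', '/i', service_name, ctrl_dir, daemon_dir,
                     quote_daemon_args(args)])


def admin_interface_exposure(args: Sequence[str]) -> str:
    """Which mitigation the argument list applies: 'disabled' for -no-http,
    'local-only' for -http bound to a loopback address, otherwise 'exposed'
    (the HTTP admin interface would stay reachable from other hosts)."""
    tokens = list(args)
    if '-no-http' in tokens:
        return 'disabled'
    if '-http' in tokens:
        i = tokens.index('-http')
        if i + 1 < len(tokens):
            value = tokens[i + 1].strip('[]')
            if value.startswith(('127.', 'localhost', '::1')):
                return 'local-only'
    return 'exposed'


if __name__ == '__main__':
    # The article's own example, rebuilt from its parts.
    args = ['-listen', '5678', '-logfile', 'rvd5678.log', '-no-http']
    print(build_rvntsreg_command('rvd', r'c:\tibco\tibrv\8.4\bin',
                                 r'c:\tibco\tibrv\8.4\bin', args))
    print('admin interface:', admin_interface_exposure(args))
    # Constructed log path with a space, to show the escaped-quote rule.
    print(quote_daemon_args(['-logfile', r'c:\rv logs\rvd5678.log', '-no-http']))
```

Refuse to register the service when `admin_interface_exposure` returns "exposed"; that is the case the article is trying to prevent, and it is easy to reach by copying an existing argument string that predates the mitigation.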

Issue/Introduction

How to reduce or even eliminate Clickjacking exposure?

Environment

ALL.