How to configure TIBCO Administrator to set the anti click-jacking header (X-Frame-Options) on to HTTP responses?

Article ID: KB0080983

Products: TIBCO Administrator
Versions: 5.8.0 or higher

Description

Configure TIBCO Administrator's web server to add HTTP header "X-Frame-Options: DENY" to all HTTP responses.

Issue/Introduction

This article describes how to configure TIBCO Administrator's web server to add HTTP header "X-Frame-Options: DENY" to all HTTP responses.

Environment

OS: All

Resolution

Adding the HTTP header "X-Frame-Options: DENY" to all HTTP responses is supported by the Tomcat 7 web server bundled with TIBCO Administrator, through its HttpHeaderSecurityFilter. Refer to https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html

Always apply the latest hotfix for the TRA version you are using, so that the Tomcat deployment bundled with Administrator stays up to date.

Edit $TIBCO_HOME/administrator/domain/domainname/tomcat/conf/web.xml (where domainname is the name of your administration domain) and add, or modify if already present, the httpHeaderSecurity filter and its filter mapping:
    <!-- Declare the filter: Tomcat's HttpHeaderSecurityFilter adds X-Frame-Options to every response it handles -->
    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
          <!-- enable the X-Frame-Options header -->
          <param-name>antiClickJackingEnabled</param-name>
          <param-value>true</param-value>
        </init-param>
        <init-param>
          <!-- DENY forbids framing from any origin; SAMEORIGIN would still allow same-origin frames -->
          <param-name>antiClickJackingOption</param-name>
          <param-value>DENY</param-value>
        </init-param>
    </filter>

    <!-- Map the filter to every URL so that all responses carry the header -->
    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

 
Restart the Administrator server for the change to take effect.
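After the restart, it is worth confirming that the header really is present on the responses the Administrator server returns. The following script is an added example, not part of this article or of the TIBCO product: it parses raw HTTP response headers and reports whether exactly one X-Frame-Options header with the value DENY is present, and it can also fetch a live URL (the Administrator URL shown is a placeholder). The two sample responses are constructed for the example, not captured from a real server.

```python
"""Verify that an HTTP response carries X-Frame-Options: DENY (added example)."""
from email.parser import Parser
import ssl
import urllib.error
import urllib.request

# Constructed sample responses (not captured from a real server): one from a
# server without the httpHeaderSecurity filter, one with the filter enabled.
RESPONSE_WITHOUT_FILTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
RESPONSE_WITH_FILTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_raw_response(raw):
    """Split a raw HTTP response into its status line and a list of (name, value) header pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    msg = Parser().parsestr(header_block)
    return status_line, [(name, value.strip()) for name, value in msg.items()]


def check_anti_clickjacking(header_pairs, expected="DENY"):
    """Return (ok, reason); ok is True only for exactly one X-Frame-Options header equal to expected."""
    values = [v for name, v in header_pairs if name.lower() == "x-frame-options"]
    if not values:
        return False, "X-Frame-Options missing: pages can be embedded in a third-party frame"
    if len(values) > 1:
        # Browsers differ in how they treat conflicting duplicates; treat it as a misconfiguration.
        return False, "multiple X-Frame-Options headers: %s" % values
    if values[0].upper() != expected.upper():
        return False, "X-Frame-Options is %r, expected %r" % (values[0], expected)
    return True, "X-Frame-Options: %s present" % values[0]


def check_live_server(url, verify_tls=True):
    """Fetch url and run the check on the live headers (url is a placeholder for your Admin server)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab servers that still use a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, timeout=10, context=ctx) as resp:
            return check_anti_clickjacking(resp.getheaders())
    except urllib.error.HTTPError as err:
        # Error pages must carry the header too, since the filter maps to /*
        return check_anti_clickjacking(list(err.headers.items()))


if __name__ == "__main__":
    for label, raw in (("before", RESPONSE_WITHOUT_FILTER), ("after", RESPONSE_WITH_FILTER)):
        _, pairs = parse_raw_response(raw)
        ok, reason = check_anti_clickjacking(pairs)
        print("%s: %s - %s" % (label, "PASS" if ok else "FAIL", reason))
    # Live check against the Administrator server (placeholder host and port):
    # print(check_live_server("https://admin-host:8080/administrator/"))
```

Run the script once against each Administrator URL you expose (the login page and an error page are good candidates), since the filter mapping of /* should put the header on every response, including error responses.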

Additional Information

Apache Tomcat 7 document:
https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html