How to add "X-Frame-Options" header in .htaccess file to protect against 'ClickJacking' attacks


From your example it looks like you have combined things from both of the articles you referenced.

The Geekflare.com article gives this example for Apache:

Header always append X-Frame-Options SAMEORIGIN

The Garron.me article gives this example for Apache:

<filesMatch ".(html|htm)$">
Header set Cache-Control "max-age=14400, must-revalidate"
</filesMatch>

Which in my mind would translate to this for X-Frame-Options header on ColdFusion pages:

<filesMatch ".(cfml|cfm)$">
Header always append X-FRAME-OPTIONS SAMEORIGIN
</filesMatch>

Notice that there is no leading slash \ in the regex as there is in your code, that the quotes are not necessary around SAMEORIGIN, and that you have omitted the always keyword. You also have an additional <ifModule mod_headers.c> check that I don't think you need. I would combine the ColdFusion and HTML extensions in the condition, like this: <filesMatch ".(cfml|cfm|html|htm)$">, in order to send the header for those page requests.

I am just getting that from the articles you referenced, but you have tagged your question with ColdFusion, so there are several options for this. In fact, later versions of ColdFusion (I believe it was introduced with version 10) come with some protection out of the box, and you can customize it to fit your needs. See the "ClickJacking" section of this article: Security improvements in ColdFusion 10

From that document:

ColdFusion Administrator protects against clickjacking using X-Frame-Options. You can also extend this option further to protect your applications, as follows:

  1. Open the Web.xml file located at <Server-doc-root>/WEB-INF.

  2. Add URL filter Mapping for your application with one of the two filters already specified: CFClickJackFilterSameOrigin or CFClickJackFilterDeny.

Now let's say that you have an application testClick, which you want to protect against clickjacking by denying a frame for the application. To do so, add the following in the web.xml file.

<filter-mapping>
<filter-name>CFClickJackFilterDeny</filter-name>
<url-pattern>/testClick/*</url-pattern>
</filter-mapping>

The web.xml file from one of my servers includes the following out of the box (notice how they have added protection for the ColdFusion Administrator):

<!-- CF ClickJacking deny protection Filter  -->
<filter>
    <filter-name>CFClickJackFilterDeny</filter-name>
    <filter-class>coldfusion.bootstrap.BootstrapFilter</filter-class>
    <init-param>
        <param-name>filter.class</param-name>
        <param-value>coldfusion.filter.ClickjackingProtectionFilter</param-value>
    </init-param>
    <init-param>
        <param-name>mode</param-name>
        <param-value>DENY</param-value>
    </init-param>
</filter>

<!-- CF ClickJacking same origiin protection Filter  -->
<filter>
    <filter-name>CFClickJackFilterSameOrigin</filter-name>
    <filter-class>coldfusion.bootstrap.BootstrapFilter</filter-class>
    <init-param>
        <param-name>filter.class</param-name>
        <param-value>coldfusion.filter.ClickjackingProtectionFilter</param-value>
    </init-param>
    <init-param>
        <param-name>mode</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>

<!-- CF ClickJacking Filter mapppings starts. For ColdFusion Administrator we are allowing
sameorigiin frames. Use Deny or some other mode of this filter as appropriate for the 
application and add required url pattern
-->
<filter-mapping>
    <filter-name>CFClickJackFilterSameOrigin</filter-name>
    <url-pattern>/CFIDE/administrator/*</url-pattern>
</filter-mapping>
<!-- End CF ClickJacking Filter mappings -->

So in order to protect your entire ColdFusion site you could add a filter-mapping for the root of your site /*.

<filter-mapping>
    <filter-name>CFClickJackFilterSameOrigin</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

You could even use the <cfheader> tag to include the response header (but you would have to do this on all pages or within Application.cfc, etc.)

<cfheader name="X-FRAME-OPTIONS" value="SAMEORIGIN" />
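Whichever of the three mechanisms above you pick (the Apache <filesMatch> block, the ColdFusion ClickjackingProtectionFilter mapping, or <cfheader>), the thing to verify is what the browser actually receives. The following checker is an added example and is not code from the answer, from Apache or from ColdFusion. It takes the raw response text as captured with curl -sI <url> (curl is the assumed capture tool), parses the headers, and reports whether a usable anti-framing policy is present: a single DENY or SAMEORIGIN value, or a Content-Security-Policy frame-ancestors directive, which modern browsers prefer over X-Frame-Options when both are sent. It also catches the two configuration slips this thread invites: no header at all for a given extension, and conflicting values when Header set and Header append (or a <cfheader>) both fire. The sample responses are constructed.

```python
"""Audit a raw HTTP response for anti-clickjacking headers (added example)."""
from __future__ import annotations

# The only X-Frame-Options values browsers still honour.
VALID_XFO = {"DENY", "SAMEORIGIN"}

# Constructed sample responses, as `curl -sI` would print them.
RESPONSE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n\r\n"
)
RESPONSE_MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
RESPONSE_CONFLICT = (  # e.g. a filter sending DENY plus a <cfheader> sending SAMEORIGIN
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n\r\n"
)
RESPONSE_CSP = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n\r\n"
)


def parse_headers(raw_response: str) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.x response into ordered (name, value) header pairs."""
    head = raw_response.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    headers = []
    for line in head.split("\n")[1:]:  # skip the status line
        if ":" not in line:
            continue  # tolerate blank or malformed lines
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return headers


def header_values(headers: list[tuple[str, str]], name: str) -> list[str]:
    """All values of a header, case-insensitive, with comma-joined lists split.

    Apache's `Header append` folds a second occurrence into "A, B" on one line,
    while a filter plus <cfheader> produce two separate lines; both are handled.
    """
    wanted = name.lower()
    values: list[str] = []
    for hdr, value in headers:
        if hdr.lower() == wanted:
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values


def frame_ancestors(headers: list[tuple[str, str]]) -> str | None:
    """Return the frame-ancestors source list from Content-Security-Policy, if any."""
    for policy in header_values(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return " ".join(parts[1:])
    return None


def audit(raw_response: str) -> dict:
    """Decide whether the response forbids framing by third-party sites.

    Conservative: anything other than exactly one DENY/SAMEORIGIN value, or a
    frame-ancestors directive that does not allow '*', counts as unprotected.
    """
    headers = parse_headers(raw_response)
    xfo = [v.upper() for v in header_values(headers, "X-Frame-Options")]
    ancestors = frame_ancestors(headers)
    notes: list[str] = []
    distinct = set(xfo)

    if not xfo:
        xfo_ok = False
        notes.append("no X-Frame-Options header")
    elif len(distinct) > 1:
        xfo_ok = False
        notes.append(f"conflicting X-Frame-Options values {sorted(distinct)}; "
                     "send exactly one (prefer 'Header set' over 'append')")
    elif distinct <= VALID_XFO:
        xfo_ok = True
        if len(xfo) > 1:
            notes.append("X-Frame-Options repeated with the same value; harmless but redundant")
    else:
        xfo_ok = False
        notes.append(f"unsupported X-Frame-Options value {xfo[0]!r}; only DENY and SAMEORIGIN are honoured")

    if ancestors is not None:
        # Browsers that support frame-ancestors apply it instead of X-Frame-Options.
        protected = "*" not in ancestors.split()
        notes.append("CSP frame-ancestors present; it takes precedence over X-Frame-Options")
    else:
        protected = xfo_ok

    return {"x_frame_options": xfo, "frame_ancestors": ancestors,
            "protected": protected, "notes": notes}


if __name__ == "__main__":
    for label, raw in [("ok", RESPONSE_OK), ("missing", RESPONSE_MISSING),
                       ("conflict", RESPONSE_CONFLICT), ("csp", RESPONSE_CSP)]:
        print(label, audit(raw))
```

To check a real page, save the response with curl -sI https://your-host/index.cfm > resp.txt and pass the file contents to audit(); run it once per extension you care about (.cfm, .cfml, .html), since with the <filesMatch> approach a request for an extension outside the pattern gets no header at all.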
Author: Nishanth V

Updated on June 04, 2022