I'm presenting a web server through the WAF using Form authentication to restrict access. This was recently scanned, and came up vulnerable to Clickjacking attacks. Is there a way to add an X-Frame-Options or Content-Security-Policy: frame-ancestors header to the login form presented from the WAF?
I don't think there's an option as such in WAF. In general, X-FRAME-OPTIONS is the web application's way to control how it's allowed to be presented on the client side, so don't you need to set this up in the backend application and not in the WAF?
However, you can add a feature request for this here.
I have tried to understand this several times, and found the issue difficult to grasp. Here is my attempt to restate the threat, partly for documentation and partly to get feedback if I have it wrong:
The headers are a workaround to prevent being embedded in the wrong places:
Then the browsers check to see if your content is embedded someplace where it does not belong.
Wikipedia says that X-Frame-Options is older while Content-Security-Policy is the newer, and fully standardized version. The newer one is preferred but it is acceptable to use both to cover all bases.
From a web design standpoint, you need to know what stuff is embedded where, so it helps to have a development environment that helps you keep track of this stuff.
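Both replies above make the same two points: the framing policy belongs on the backend application, and shipping X-Frame-Options alongside Content-Security-Policy frame-ancestors covers old and new browsers. The following is an added example, not code from the thread, Sophos or the UTM product, showing how a backend can set both headers consistently and how a scanner-style check reads them back. The header values, the precedence rule (a browser that understands frame-ancestors ignores X-Frame-Options when both are present) and the treatment of the withdrawn ALLOW-FROM value as no protection are the assumptions it encodes.

```python
"""Evaluate and add anti-clickjacking headers (X-Frame-Options and
Content-Security-Policy: frame-ancestors) on HTTP responses.
Added example; not Sophos/UTM code."""
from typing import Mapping

# Protective X-Frame-Options values. ALLOW-FROM was never widely supported and
# is ignored by current browsers, so it is treated as no protection here.
_XFO_OK = {"DENY", "SAMEORIGIN"}


def _lower_keys(headers: Mapping[str, str]) -> dict:
    """Header names are case-insensitive; normalise them for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def frame_ancestors(csp: str):
    """Return the source list of a CSP frame-ancestors directive, or None."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def assess_clickjacking(headers: Mapping[str, str]) -> dict:
    """Classify a response's framing policy from its headers.

    Returns which header decides the policy and whether embedding by other
    origins is blocked. frame-ancestors is checked first because browsers
    that support it ignore X-Frame-Options when both are present.
    """
    h = _lower_keys(headers)
    notes = []
    result = {"protected": False, "decided_by": None, "notes": notes}

    csp = h.get("content-security-policy")
    sources = frame_ancestors(csp) if csp else None
    if sources is not None:
        result["decided_by"] = "frame-ancestors"
        if "*" in sources or any(s in ("http:", "https:") for s in sources):
            notes.append("frame-ancestors allows arbitrary origins")
        else:
            result["protected"] = True  # 'none', 'self', a listed origin, or empty
        if "x-frame-options" in h:
            notes.append("X-Frame-Options present but superseded by frame-ancestors")
        return result

    xfo = h.get("x-frame-options")
    if xfo is not None:
        result["decided_by"] = "x-frame-options"
        if xfo.strip().upper() in _XFO_OK:
            result["protected"] = True
        else:
            notes.append(f"unsupported X-Frame-Options value: {xfo!r}")
        return result

    notes.append("no framing restriction header")
    return result


def add_clickjacking_headers(headers: dict, allow_same_origin: bool = True) -> dict:
    """Return a copy of headers with both headers set to one consistent policy.

    allow_same_origin=True maps to SAMEORIGIN / 'self'; False to DENY / 'none'.
    An existing CSP is preserved and frame-ancestors is appended only if the
    policy does not already carry one.
    """
    out = dict(headers)
    out["X-Frame-Options"] = "SAMEORIGIN" if allow_same_origin else "DENY"
    fa = "frame-ancestors " + ("'self'" if allow_same_origin else "'none'")
    existing = next((k for k in out if k.lower() == "content-security-policy"), None)
    if existing is None:
        out["Content-Security-Policy"] = fa
    elif frame_ancestors(out[existing]) is None:
        out[existing] = out[existing].rstrip().rstrip(";") + "; " + fa
    return out


if __name__ == "__main__":
    # Constructed sample: a login page with no framing policy, then fixed.
    before = {"Content-Type": "text/html", "Content-Security-Policy": "default-src 'self'"}
    print(assess_clickjacking(before))
    after = add_clickjacking_headers(before, allow_same_origin=False)
    print(after)
    print(assess_clickjacking(after))
```

A login form is normally never meant to be framed by anyone, so `allow_same_origin=False` (DENY / 'none') is the right default for the case in the question; the check function is also a quick way to confirm that the backend keeps asserting the policy after the WAF has proxied the response, which is the concern raised in the last reply.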
Not sure how big a risk this is, and it is technically not your problem. You can probably use the UTM login page templates to add the header, but User Portal was not modifiable in 9.5. Has that changed in 9.6? And you need to worry about whether the back-end WAF application complies with the policy and continues to assert it.