https://community.sophos.com/utm-firewall/f/web-server-security/113752/clickjacking-mitigationI&#39;m presenting a web server through the WAF using Form authentication to restrict access. This was recently scanned, and came up vulnerable to Clickjacking attacks. Is there a way to add an X-Frame-Options or Content-Security-Policy: frame-ancestors headeren-USTelligent Community 12https://community.sophos.com/thread/409282?ContentTypeID=1Tue, 16 Jul 2019 11:56:47 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:a2229459-7891-4c21-a06b-b8bb74c2ce76DouglasFoster<p>I have tried to understand this several time, and found the issue difficult to grasp.&nbsp; &nbsp;Here is my attempt to restate the threat, partly for documentation and partly to get feedback if I have it wrong:</p> <ul> <li>User gets tricked to a bad-guy site, which loads an invisible page which allows him to intercept everything the user clicks or types.</li> <li>The user then navigates to your site, which is loaded into the bad-guy site as included content.</li> <li>The user attempts to do something on your site, but the bad guy gets the click and intercepts it to do something different or something extra.</li> </ul> <p>The headers are a workaround to prevent being embedded in the wrong places:</p> <ul> <li>Top-level pages should say &quot;I should never be embedded in another web page&quot;.</li> <li>Embedded pages should say &quot;I should only be embedded in specific sites&quot;, where the specific site can be &quot;same server as this code&quot; or a list of servers.</li> </ul> <p>Then the browsers check to see if your content is embedded someplace where it does not belong.</p> <p>Wikipedia says that&nbsp;X-Frame-Options is older while&nbsp;Content-Security-Policy is the newer, and fully standardized version.&nbsp; &nbsp;The newer one is preferred but it is acceptable to use both to cover all bases.</p> <p>From a web design standpoint, you need to know what stuff is embedded where, so it helps to have a development environment that helps you keep track of this stuff.</p> <p>Not sure how big a risk this is, and it is technically not your problem.&nbsp; &nbsp; You can probably use the UTM login page templates to add the header, but User Portal was not modifiable in 9.5.&nbsp; &nbsp;Has that changed in 9.6?&nbsp; &nbsp;And&nbsp; you need to worry about whether the back-end WAF application complies with the policy and continues to assert it.</p><div style="clear:both;"></div>https://community.sophos.com/thread/409269?ContentTypeID=1Tue, 16 Jul 2019 10:38:51 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:296b684d-15d9-4906-ab4e-634c7c2ca3f7Jaydeep<p>Hi <a href="/members/steveu">SteveU</a>&nbsp;</p> <p>I don&#39;t think there&#39;s an option as&nbsp;such in WAF.&nbsp;In general, X-FRAME-OPTIONS is the web application&#39;s way to control how it&#39;s allowed to be presented the client-side, so&nbsp;don&#39;t you need to set this up&nbsp;in the backend application and not in WAF?</p> <p>However, you can add a feature request for this <a href="https://ideas.sophos.com/forums/17359-sg-utm" target="_blank">here</a>.</p><div style="clear:both;"></div>