How to prevent Clickjacking in MicroStrategy Web 9.4.1
I came across the tech note below, shared by MicroStrategy, to address the UI redress attack. I thought it would be helpful for users who are facing a similar issue in their real-time projects.
- Prevent clickjacking by adding a frame-breaking script to pages:
Select this option to prevent the page from being incorporated into a frame or iframe using a script that forces the parent window to load the URL of the current frame. This option works in any browser that runs JavaScript and preserves all of the page's content. However, portals are not supported with this option, because the framed page will replace the portal contents in the parent window. Note also that a frame-breaking script is a client-side measure: a hostile framing page can defeat it, for example with an iframe sandbox attribute (which by default blocks both script execution and top-level navigation), so the header-based option below is the more robust defence where it can be used.
- Prevent clickjacking by adding an X-Frame-Options header to page responses:
X-Frame-Options is an HTTP response header sent by the web application server to tell browsers under what conditions the contents of a page may be loaded within a frame. Browsers that understand the header will not render the page if those conditions are violated. Because the protection lives in a response header, it only holds if the header reaches the browser intact: when MicroStrategy Web is served over plain HTTP on an untrusted or unfamiliar network, an attacker in the path (for example a malicious proxy) can strip the header; serving the site over HTTPS prevents this. The header is evaluated per response, so it must be present on every page response, not only on the entry page. This option is supported by Internet Explorer 8+, Safari 4+, Chrome 4+, and Firefox 3.6+. Select one of the following:
- Set X-Frame-Options to SAMEORIGIN:
Select this option to allow the page to load in a frame only if the page and the framing document share the same origin. This accommodates portals served from the same origin and gives attackers fewer opportunities to find a workaround; requests from cross-origin portals are denied. Note that browsers compare origins (scheme, host and port), not just domains: if using portals, the portal must be served from exactly the same origin as the MicroStrategy Web server that serves the content, so a portal on another subdomain, on another port, or reached over HTTP rather than HTTPS will be blocked.
- Set X-Frame-Options to DENY:
Select this option to prevent the page from being displayed inside any frame, regardless of the origin in which the frame is located. This is the strictest choice and is appropriate when MicroStrategy Web is not embedded in a portal at all.
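To make the difference between the two options concrete, here is an added example that is not part of the tech note or of MicroStrategy Web: a small Node.js model of what a browser does under each defence. The frame-breaking function mirrors the classic hide-then-reveal pattern (body hidden until the page confirms it is the top window), run against a stand-in `window` object so the sandboxed-parent failure mode can be shown offline; the `allowsFraming` function models the browser's X-Frame-Options decision, including the fact that SAMEORIGIN compares full origins rather than domains. The host `mstr.example.com`, the attacker and portal origins, and the helper names `frameBreak`, `makeWindow`, `allowsFraming` and `runScenarios` are all constructed for this illustration.

```javascript
// Added example, not MicroStrategy code: models both defences from the tech note
// so their decision logic can be run and checked offline in Node.js.
// All URLs/origins below are constructed for illustration.

// ---- Option 1: frame-breaking script -------------------------------------
// The page is shipped with its body hidden and only reveals itself once it has
// confirmed it is the top-level window; if framed, it tries to navigate the
// parent (top) window to its own URL. `win` stands in for the browser `window`.
function frameBreak(win) {
  if (win.top === win.self) {
    win.document.body.style.display = 'block'; // not framed: show the page
    return 'shown';
  }
  try {
    win.top.location = win.self.location.href; // framed: replace the parent
    return 'busted';
  } catch (e) {
    // A parent that blocks top-level navigation (e.g. an <iframe sandbox>
    // without allow-top-navigation) defeats the redirect; leaving the body
    // hidden is the fallback, so there is nothing for an overlay to hijack.
    return 'hidden';
  }
}

// Minimal stand-in for a browser window, so frameBreak can be exercised here.
function makeWindow(href, { framed = false, parentBlocksNavigation = false } = {}) {
  const self = { location: { href } };
  const win = { self, document: { body: { style: { display: 'none' } } } };
  if (!framed) {
    win.top = self;
    return win;
  }
  const top = { navigatedTo: null };
  Object.defineProperty(top, 'location', {
    set(url) {
      if (parentBlocksNavigation) throw new Error('SecurityError: top navigation blocked');
      top.navigatedTo = url;
    },
  });
  win.top = top;
  return win;
}

// ---- Option 2: X-Frame-Options header ------------------------------------
// What a browser decides when it sees the header on a response. `pageOrigin`
// is the origin of the framed response, `topOrigin` the origin of the
// top-level document doing the framing. SAMEORIGIN compares origins
// (scheme + host + port), not "domains": a portal on another subdomain or
// port, or reached over http instead of https, is cross-origin.
function allowsFraming(xfo, pageOrigin, topOrigin) {
  if (xfo === undefined || xfo === null) return true; // no header: framing allowed
  const value = String(xfo).trim().toUpperCase();
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') return pageOrigin === topOrigin;
  // Unrecognised values (including the obsolete ALLOW-FROM) are ignored by
  // current browsers, which is the same as sending no header at all.
  return true;
}

function runScenarios() {
  const page = 'https://mstr.example.com/MicroStrategy/servlet/mstrWeb'; // constructed
  const pageOrigin = new URL(page).origin; // 'https://mstr.example.com'
  return {
    frameBreak: {
      topLevel: frameBreak(makeWindow(page)),
      framedOpenParent: frameBreak(makeWindow(page, { framed: true })),
      framedSandboxedParent: frameBreak(makeWindow(page, { framed: true, parentBlocksNavigation: true })),
    },
    xfo: {
      noHeaderCrossOrigin: allowsFraming(undefined, pageOrigin, 'https://attacker.example'),
      denySameOrigin: allowsFraming('DENY', pageOrigin, pageOrigin),
      sameOriginPortal: allowsFraming('SAMEORIGIN', pageOrigin, 'https://mstr.example.com'),
      subdomainPortal: allowsFraming('sameorigin', pageOrigin, 'https://portal.mstr.example.com'),
      httpPortal: allowsFraming('SAMEORIGIN', pageOrigin, 'http://mstr.example.com'),
      crossOriginPortal: allowsFraming('SAMEORIGIN', pageOrigin, 'https://portal.example.org'),
      malformedValue: allowsFraming('ALLOWALL', pageOrigin, 'https://attacker.example'),
    },
  };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

Run it with `node` to print the decision table. The `subdomainPortal` and `httpPortal` rows are the ones to watch when planning a portal deployment: both are denied under SAMEORIGIN even though they share the "domain" the tech note talks about, and the `malformedValue` row shows why the header value should be checked verbatim on a live response rather than assumed from the configuration screen.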