Dirtsa
Contributor

Security headers to Qlikview Management Console

Hi everyone,

We had a penetration test and one finding was that our QlikView servers are vulnerable to clickjacking.

In order to do better we have to implement security headers, e.g. set X-Content-Type-Options to nosniff and X-Frame-Options to SAMEORIGIN.

We managed this for our QlikView AccessPoint by editing the config file in the WebServer folder, but we are unable to also get these headers in the QlikView Management Console. Does anyone know how we can manage this?

If additional information is needed please just ask.

Many thanks!


3 Replies
Chip_Matejowsky
Support

Hello @Dirtsa,

Have a look at the Qlik Support article "QlikView Management Console: Enable Cross site scripting protection" as it may help with your query.


Best Regards

Principal Technical Support Engineer with Qlik Support
Dirtsa
Contributor
Author

Thank you for your answer. It was definitely useful to read the article. Do you know about how we can activate/enable the specific security headers as well? We had the setting from the article enabled during the penetration test, and they were still able to clickjack our QlikView environment. Therefore we're looking specifically at fixing these 2 security headers (also they're mentioned as a must-fix).

leneborma
Contributor

X-Frame-Options is a header included in the response to the request to state if the domain requested will allow itself to be displayed within a frame. It has nothing to do with JavaScript or HTML, and cannot be changed by the originator of the request. You can't set X-Frame-Options on the iframe. That is a response header set by the domain from which you are requesting the resource. They have set the header to SAMEORIGIN in this case, which means that they have disallowed loading of the resource in an iframe outside of their domain. So you cannot embed their website into yours. When browsers see that the response header contains X-Frame-Options: SAMEORIGIN, they check your domain and block the rendering of the <iframe>. It is a security measure to avoid clickjacking.
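As an added example (not from this thread and not Qlik's own tooling), a small Python check that audits a response for the two headers the pentest asked for, so the fix on the Management Console can be verified after the config change, and that models the browser's SAMEORIGIN decision described above. The header sets and hostnames in it are constructed; `fetch_headers` is there for a live check against your own server.

```python
"""Audit a response for X-Frame-Options / X-Content-Type-Options and model
the browser's framing decision. Constructed sample data; no network needed."""
from urllib.parse import urlsplit
import urllib.request


def audit_headers(headers):
    """Return findings for the two headers. Header names are matched case-insensitively."""
    norm = {k.lower(): v.strip() for k, v in headers.items()}
    findings = {}
    xfo = norm.get("x-frame-options")
    if xfo is None:
        findings["X-Frame-Options"] = "missing: page can be framed by any site (clickjacking)"
    elif xfo.upper() in ("DENY", "SAMEORIGIN"):
        findings["X-Frame-Options"] = "ok: " + xfo.upper()
    else:  # e.g. obsolete ALLOW-FROM, which current browsers ignore
        findings["X-Frame-Options"] = "weak: unrecognised or obsolete value " + xfo
    xcto = norm.get("x-content-type-options")
    if xcto is None:
        findings["X-Content-Type-Options"] = "missing: browsers may MIME-sniff responses"
    elif xcto.lower() == "nosniff":
        findings["X-Content-Type-Options"] = "ok: nosniff"
    else:
        findings["X-Content-Type-Options"] = "weak: unexpected value " + xcto
    return findings


def origin(url):
    """(scheme, host, port) tuple used for the same-origin comparison."""
    p = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(p.scheme.lower())
    return (p.scheme.lower(), p.hostname, p.port or default_port)


def browser_allows_framing(xfo_value, top_url, frame_url):
    """Model of a browser loading frame_url inside a page served from top_url."""
    if xfo_value is None:
        return True  # no header: any site may frame the response
    value = xfo_value.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin(top_url) == origin(frame_url)
    return True  # invalid values are ignored by browsers, so framing is allowed


def fetch_headers(url, timeout=10):
    """Live variant: fetch url and return its response headers for audit_headers()."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed header sets standing in for a QMC response before and after the fix.
SAMPLE_BEFORE = {"Content-Type": "text/html; charset=utf-8"}
SAMPLE_AFTER = {**SAMPLE_BEFORE, "X-Frame-Options": "SAMEORIGIN",
                "X-Content-Type-Options": "nosniff"}
```

Run `audit_headers(fetch_headers("https://<your-qmc-host>/qmc/"))` (placeholder host) to repeat the check the pentester made; the `browser_allows_framing` model shows why a SAMEORIGIN header blocks a frame from another origin but not from the console's own.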