- Within the Qualys Web Application Scan report, 150124 Clickjacking - Framable Page can be reported as a vulnerability. Is Silverline WAF capable of resolving/mitigating the vulnerability?
- Silverline WAF
- WAF Policy Protection
- Qualys/Vulnerability Scan Report
Yes. Clickjacking protection is provided here by X-Frame-Options, an HTTP response header that tells a browser whether it may render the page inside a <frame>, <iframe>, <embed> or <object>.
Sites and web applications use it to defend against clickjacking by ensuring that their content cannot be embedded into other sites.
There are 3 possible directives for X-Frame-Options:
- deny - The page cannot be displayed in a frame, regardless of which site attempts to do so.
  - This is useful if the application does not use any <frame>, <iframe>, <embed> or <object>.
- sameorigin - The page can only be displayed in a frame on the same origin as the page itself.
  - This is useful if the application uses <frame>, <iframe>, <embed> or <object> from the same domain.
- allow-from <uri> - The page can only be loaded in a frame on the specified trusted origin/domain.
  - This is useful if you utilize resources from other domains/hosts, for example:
    x-frame-options: ALLOW-FROM https://domain.com/
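To verify the header after changing the WAF policy, the following added example (not part of this article or of Silverline) classifies a response's headers the way a scanner does for a "Framable Page" finding; it also covers the CSP frame-ancestors directive, which current browsers honour instead of X-Frame-Options, and notes that ALLOW-FROM is no longer honoured by modern browsers. The sample header dictionaries are constructed, not real captures.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample responses (not real captures) for the main outcomes.
SAMPLE_PROTECTED = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
SAMPLE_UNPROTECTED = {"Content-Type": "text/html"}
SAMPLE_CSP = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def frame_ancestors(headers: Dict[str, str]) -> Optional[List[str]]:
    """Return the CSP frame-ancestors source list, or None if the directive is absent."""
    csp = get_header(headers, "Content-Security-Policy")
    for directive in (csp or "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def assess_framing(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (framable, reason); framable=True is the condition a Framable Page finding reports."""
    sources = frame_ancestors(headers)
    if sources is not None:
        # When both headers are present, browsers honour frame-ancestors and ignore XFO.
        if "*" in sources:
            return True, "frame-ancestors allows any origin"
        return False, "CSP frame-ancestors restricts framing to: " + " ".join(sources)
    xfo = get_header(headers, "X-Frame-Options")
    if xfo is None:
        return True, "no X-Frame-Options or frame-ancestors header"
    value = xfo.upper()
    if value in ("DENY", "SAMEORIGIN"):
        return False, f"X-Frame-Options: {value}"
    if value.startswith("ALLOW-FROM"):
        # ALLOW-FROM is obsolete: current browsers drop the whole header, so the
        # page stays framable unless CSP frame-ancestors is also sent.
        return True, "X-Frame-Options ALLOW-FROM is not honoured by modern browsers"
    # Anything else (typos, several values) is non-standard; browser handling varies,
    # so a conservative check treats it as unprotected.
    return True, f"unrecognised X-Frame-Options value: {xfo!r}"
```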
What to Do
If you believe that your application is vulnerable or susceptible to this type of attack, see Q&A: How can I set the X-Frame-Options header in order to protect from "Clickjacking" attacks?
How to check Clickjacking Protection settings in Portal on WAF Policy Details
- In the Portal menu, navigate to Config > Proxy & App Configuration > WAF Policy Management.
- Use the search box in the top-right to find the policy, or locate it in the table.
- Under the policy name in the list, click Details.
- Select URLs to see the Clickjacking Protection setting.