How do I set X-Frame-Options as response header in angularJS?
I receive the X-Frame-Options header in the response from the API, but as I understand it, in order to prevent the clickjacking attack I need to add it in the UI code. The UI code (written in AngularJS) is deployed in a Tomcat (version 7.0.72) server. I tried adding the below filter in the web.xml of my application.

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>DENY</param-value>
    </init-param>
</filter>

Yet, I can't see the headers being added. Can someone please help me figure out the solution?

Blamable answered 26/10, 2016 at 16:0

Comment:
@georgeawg That is by setting up the X-Frame-Options header... but where do I do that? – Blamable

I found the solution. The X-Frame-Options response header needs to be added via web.xml on the Tomcat server. The filter-mapping was missing in my web.xml, hence the headers were not getting added. For anyone else who might face this issue, I am posting the lines from web.xml here:

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>DENY</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<welcome-file-list>
    <welcome-file>index.html</welcome-file>
</welcome-file-list>

With this, the following headers get added:
• X-Frame-Options
• X-Content-Type-Options
• X-XSS-Protection

If you don't specify values for each of these headers, the default value for each would be set. You can find the default values in the Tomcat server docs.

Blamable answered 27/10, 2016 at 5:44

Comments:
Does it enable HSTS security? – Tret
@SachinHR, the above code doesn't. But you can find out the param name and value from the Tomcat docs and add the code snippet in web.xml. – Blamable
Can I help with that in JBoss? – Unchartered
You may need to do a hard reset of sorts with your environment to see these changes take effect when redeploying Tomcat (gradle refresh project in Eclipse, gradle clean from the CLI, etc.). – Apostate
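The answer's fix is easy to verify: once the filter is mapped to /*, every response from the UI should carry the three headers listed. The script below is an added example, not code from the question or the answer, and not part of Tomcat. It parses the status line and headers of a raw HTTP response (the shape `curl -I` prints) and reports which of the expected headers are missing or weak, so you can confirm the mapping took effect after a redeploy. The two sample responses are constructed by hand, and the header values (DENY, nosniff, 1; mode=block) are assumptions about what a DENY configuration produces, not captured server output. The optional HSTS check covers the question asked in the comments; it looks for a Strict-Transport-Security header with a positive max-age.

```python
"""Check a response for the headers Tomcat's HttpHeaderSecurityFilter adds.

Added example, not from the question or answer. The raw responses below
are constructed by hand to stand in for `curl -I` output before and after
the <filter-mapping> was added; header values are assumed, not captured.
"""

import re
from typing import Dict, List

# X-Frame-Options values that actually block framing by other origins.
# ALLOW-FROM is deliberately not accepted: current browsers ignore it,
# so a page relying on it is still framable.
SAFE_FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}


def parse_response_head(raw: str) -> Dict[str, str]:
    """Turn the status line plus headers of a raw HTTP response into a dict
    keyed by lower-cased header name (header names are case-insensitive,
    so the check must not depend on capitalisation)."""
    headers: Dict[str, str] = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():        # a blank line ends the header section
            break
        name, sep, value = line.partition(":")
        if sep:                     # skip malformed lines without a colon
            headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(headers: Dict[str, str],
                           require_hsts: bool = False) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: page can be framed")
    elif xfo.upper() not in SAFE_FRAME_OPTIONS:
        findings.append(
            f"X-Frame-Options is '{xfo}'; only DENY or SAMEORIGIN block framing")

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")

    if "x-xss-protection" not in headers:
        findings.append("X-XSS-Protection missing")

    if require_hsts:
        hsts = headers.get("strict-transport-security")
        max_age = re.search(r"max-age=(\d+)", hsts or "", re.IGNORECASE)
        if hsts is None:
            findings.append("Strict-Transport-Security missing: HSTS not enabled")
        elif max_age is None or int(max_age.group(1)) == 0:
            findings.append("Strict-Transport-Security has no positive max-age")

    return findings


# Constructed sample: what the UI returned while <filter-mapping> was missing.
RESPONSE_WITHOUT_FILTER = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 1234

"""

# Constructed sample: response once the filter is mapped to /* with
# antiClickJackingOption=DENY (values assumed, not captured from a server).
RESPONSE_WITH_FILTER = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html;charset=UTF-8
Content-Length: 1234

"""


def audit(raw: str, require_hsts: bool = False) -> List[str]:
    """Parse a raw response head and run the header checks on it."""
    return check_security_headers(parse_response_head(raw), require_hsts)


if __name__ == "__main__":
    for label, raw in (("before", RESPONSE_WITHOUT_FILTER),
                       ("after", RESPONSE_WITH_FILTER)):
        findings = audit(raw)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

To use it against a real deployment, paste the output of `curl -I` for the UI's URL into `audit()`; the "before" sample reproduces the three findings the question describes, and the "after" sample comes back clean. Pass `require_hsts=True` only once the site is served over HTTPS, since HSTS is meaningless on plain HTTP.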
