Clickjacking Prevention in Tomcat

Yellowfin FAQ shared this question 4 years ago
Answered

We've recently had a result on our security scan that Yellowfin / Tomcat is possibly vulnerable to Clickjacking.


What modifications can we make to the Tomcat configuration to mitigate this?

Best Answer
photo

It's possible to enable the Tomcat antiClickjacking options for this purpose. Tomcat has built in configuration options for this that can be enabled without affecting Yellowfin functionality.

Add the following to <YellowfinInstall>/appserver/webapps/ROOT/WEB-INF/web.xml inside the <web-app> block:

  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>DENY</param-value>
    </init-param>
    <init-param>
   		<param-name>hstsEnabled</param-name>
  		<param-value>true</param-value>
    </init-param>
    <init-param>
	    <param-name>hstsIncludeSubDomains</param-name>
    	<param-value>true</param-value>
    </init-param>
    <init-param>
	    <param-name>antiClickJackingEnabled</param-name>
    	<param-value>true</param-value>
    </init-param>     
    <init-param>
 	    <param-name>antiClickJackingOption</param-name>
	    <param-value>DENY</param-value>
    </init-param>  
  	<init-param>
	    <param-name>blockContentTypeSniffingEnabled</param-name>
 	    <param-value>true</param-value>
    </init-param>  
    <init-param>
	    <param-name>xssProtectionEnabled</param-name>
    	<param-value>true</param-value>
    </init-param> 
  </filter>
  <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
to enable the built-in Tomcat mitigations.

Comments (3)

photo
1

It's possible to enable the Tomcat antiClickjacking options for this purpose. Tomcat has built in configuration options for this that can be enabled without affecting Yellowfin functionality.

Add the following to <YellowfinInstall>/appserver/webapps/ROOT/WEB-INF/web.xml inside the <web-app> block:

  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>DENY</param-value>
    </init-param>
    <init-param>
   		<param-name>hstsEnabled</param-name>
  		<param-value>true</param-value>
    </init-param>
    <init-param>
	    <param-name>hstsIncludeSubDomains</param-name>
    	<param-value>true</param-value>
    </init-param>
    <init-param>
	    <param-name>antiClickJackingEnabled</param-name>
    	<param-value>true</param-value>
    </init-param>     
    <init-param>
 	    <param-name>antiClickJackingOption</param-name>
	    <param-value>DENY</param-value>
    </init-param>  
  	<init-param>
	    <param-name>blockContentTypeSniffingEnabled</param-name>
 	    <param-value>true</param-value>
    </init-param>  
    <init-param>
	    <param-name>xssProtectionEnabled</param-name>
    	<param-value>true</param-value>
    </init-param> 
  </filter>
  <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
to enable the built-in Tomcat mitigations.

photo
1

I don't see that with my tomcat version - 7.0.42 .. can I just add it?


 <filter>         <filter-name>httpHeaderSecurity</filter-name>         <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>         <async-supported>true</async-supported>     </filter> -->   <!-- The mapping for the HTTP header security Filter --> <!--     <filter-mapping>         <filter-name>httpHeaderSecurity</filter-name>         <url-pattern>/*</url-pattern>         <dispatcher>REQUEST</dispatcher>     </filter-mapping> -->

photo
1

Hi Dave,

Thanks for reaching out with your inquiry. You are correct, simply add the snippet as pictured. I recommend adding this directly before the closing </web-app> tag at the bottom of the web.xml file. This change will also require restarting the Tomcat / Yellowfin service. If you have any problems don't hesitate to submit a private ticket for direct assistance.

Best Regards,

Ryan

Comments have been locked on this page!