Clickjacking Prevention in Tomcat

Yellowfin FAQ shared this question 1 year ago
Answered

We've recently had a result on our security scan that Yellowfin / Tomcat is possibly vulnerable to Clickjacking.


What modifications can we make to the Tomcat configuration to mitigate this?

Best Answer

It's possible to enable the Tomcat antiClickjacking options for this purpose. Tomcat has built-in configuration options for this that can be enabled without affecting Yellowfin functionality.

Add the following to <YellowfinInstall>/appserver/webapps/ROOT/WEB-INF/web.xml inside the <web-app> block:

  <filter>
    <filter-name>BrowserHeaderFilter</filter-name>
    <filter-class>com.hof.servlet.BrowserHeaderFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>BrowserHeaderFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
      <param-name>antiClickJackingEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>antiClickJackingOption</param-name>
      <param-value>DENY</param-value>
    </init-param>
    <init-param>
      <param-name>hstsEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>hstsIncludeSubDomains</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>blockContentTypeSniffingEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>xssProtectionEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
to enable the built-in Tomcat mitigations.
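A quick way to confirm the web.xml change before restarting Tomcat is to parse the filter definition and work out which response headers HttpHeaderSecurityFilter will emit. The script below is an added example, not code from Yellowfin or Tomcat: it reads a web.xml string with the standard library, resolves the httpHeaderSecurity init-params the way Tomcat does (the first occurrence of a repeated param-name wins), and reports the expected headers together with common slips such as a duplicated init-param, a filter that is not mapped to /*, or an HSTS header whose max-age is still the Tomcat default of 0. The sample web.xml is constructed for the example and deliberately repeats antiClickJackingOption so the checker has something to flag; the header-assembly rules follow Tomcat's HttpHeaderSecurityFilter as I know it, and the Strict-Transport-Security header is only ever added by that filter on HTTPS requests.

```python
import xml.etree.ElementTree as ET

HEADER_FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"

# Constructed sample web.xml (not a real Yellowfin file): same shape as the
# snippet in the answer, with antiClickJackingOption declared twice on purpose.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>antiClickJackingOption</param-name><param-value>DENY</param-value></init-param>
    <init-param><param-name>hstsEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>hstsIncludeSubDomains</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>antiClickJackingEnabled</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>antiClickJackingOption</param-name><param-value>DENY</param-value></init-param>
    <init-param><param-name>blockContentTypeSniffingEnabled</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
  </filter-mapping>
</web-app>
"""


def _local(tag):
    """Drop the namespace prefix so lookups work whether or not xmlns is set."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child named `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def parse_filters(xml_text):
    """Map filter-name -> {class, params, duplicates, patterns} from a web.xml string."""
    root = ET.fromstring(xml_text)
    filters = {}
    for elem in root:
        if _local(elem.tag) != "filter":
            continue
        params, duplicates = {}, []
        for ip in elem:
            if _local(ip.tag) != "init-param":
                continue
            pname, pval = _child_text(ip, "param-name"), _child_text(ip, "param-value")
            if pname in params:
                duplicates.append(pname)  # Tomcat keeps the first value it sees
                continue
            params[pname] = pval
        filters[_child_text(elem, "filter-name")] = {
            "class": _child_text(elem, "filter-class"),
            "params": params, "duplicates": duplicates, "patterns": []}
    for elem in root:
        if _local(elem.tag) == "filter-mapping":
            entry = filters.get(_child_text(elem, "filter-name"))
            if entry is not None:
                entry["patterns"] += [(c.text or "").strip() for c in elem if _local(c.tag) == "url-pattern"]
    return filters


def check_header_security(xml_text):
    """Return (headers the filter will add, warnings) for the HttpHeaderSecurityFilter."""
    headers, warnings = {}, []
    matches = [f for f in parse_filters(xml_text).values() if f["class"] == HEADER_FILTER_CLASS]
    if not matches:
        return headers, ["HttpHeaderSecurityFilter is not declared; no X-Frame-Options header will be sent"]
    f = matches[0]
    p = f["params"]
    if "/*" not in f["patterns"]:
        warnings.append("filter is not mapped to /*; some responses will be served without the headers")
    for name in f["duplicates"]:
        warnings.append(f"init-param {name} is declared more than once; only the first value is used")
    if p.get("antiClickJackingEnabled") == "true":
        headers["X-Frame-Options"] = p.get("antiClickJackingOption", "DENY")  # DENY is Tomcat's default option
    else:
        warnings.append("antiClickJackingEnabled is not set to true explicitly; protection relies on the Tomcat default")
    if p.get("hstsEnabled") == "true":
        max_age = p.get("hstsMaxAgeSeconds", "0")  # Tomcat's default max-age is 0
        value = f"max-age={max_age}"
        if p.get("hstsIncludeSubDomains") == "true":
            value += "; includeSubDomains"
        headers["Strict-Transport-Security"] = value  # Tomcat only adds this on HTTPS requests
        if max_age == "0":
            warnings.append("hstsMaxAgeSeconds is unset or 0; browsers treat max-age=0 as 'no HSTS policy'")
    if p.get("blockContentTypeSniffingEnabled") == "true":
        headers["X-Content-Type-Options"] = "nosniff"
    if p.get("xssProtectionEnabled") == "true":
        headers["X-XSS-Protection"] = "1; mode=block"
    return headers, warnings


if __name__ == "__main__":
    hdrs, warns = check_header_security(SAMPLE_WEB_XML)
    for key, val in hdrs.items():
        print(f"{key}: {val}")
    for warn in warns:
        print("WARNING:", warn)
```

Point the script at the real file with `check_header_security(open("<YellowfinInstall>/appserver/webapps/ROOT/WEB-INF/web.xml").read())`. Once Tomcat is restarted, the same headers should appear in the response to any request under /*, which is what the scanner will look for; if `hstsEnabled` is set, add an explicit `hstsMaxAgeSeconds` as well, since the snippet above does not set one.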
