Agents
Clickjacking Prevention in Tomcat
Answered
We've recently had a result on our security scan that Yellowfin / Tomcat is possibly vulnerable to Clickjacking.
What modifications can we make to the Tomcat configuration to mitigate this?
The same question
It's possible to enable the Tomcat antiClickjacking options for this purpose. Tomcat has built in configuration options for this that can be enabled without affecting Yellowfin functionality.
Add the following to <YellowfinInstall>/appserver/webapps/ROOT/WEB-INF/web.xml inside the <web-app> block:
<filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <async-supported>true</async-supported> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>DENY</param-value> </init-param> <init-param> <param-name>hstsEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>hstsIncludeSubDomains</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>antiClickJackingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>DENY</param-value> </init-param> <init-param> <param-name>blockContentTypeSniffingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>xssProtectionEnabled</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>httpHeaderSecurity</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>to enable the built-in Tomcat mitigations.It's possible to enable the Tomcat antiClickjacking options for this purpose. Tomcat has built in configuration options for this that can be enabled without affecting Yellowfin functionality.
Add the following to <YellowfinInstall>/appserver/webapps/ROOT/WEB-INF/web.xml inside the <web-app> block:
<filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <async-supported>true</async-supported> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>DENY</param-value> </init-param> <init-param> <param-name>hstsEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>hstsIncludeSubDomains</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>antiClickJackingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>DENY</param-value> </init-param> <init-param> <param-name>blockContentTypeSniffingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>xssProtectionEnabled</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>httpHeaderSecurity</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>to enable the built-in Tomcat mitigations.It's possible to enable the Tomcat antiClickjacking options for this purpose. Tomcat has built in configuration options for this that can be enabled without affecting Yellowfin functionality.
Add the following to <YellowfinInstall>/appserver/webapps/ROOT/WEB-INF/web.xml inside the <web-app> block:
<filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <async-supported>true</async-supported> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>DENY</param-value> </init-param> <init-param> <param-name>hstsEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>hstsIncludeSubDomains</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>antiClickJackingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>DENY</param-value> </init-param> <init-param> <param-name>blockContentTypeSniffingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>xssProtectionEnabled</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>httpHeaderSecurity</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>to enable the built-in Tomcat mitigations.It's possible to enable the Tomcat antiClickjacking options for this purpose. Tomcat has built in configuration options for this that can be enabled without affecting Yellowfin functionality.
Add the following to <YellowfinInstall>/appserver/webapps/ROOT/WEB-INF/web.xml inside the <web-app> block:
<filter> <filter-name>httpHeaderSecurity</filter-name> <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class> <async-supported>true</async-supported> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>DENY</param-value> </init-param> <init-param> <param-name>hstsEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>hstsIncludeSubDomains</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>antiClickJackingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>antiClickJackingOption</param-name> <param-value>DENY</param-value> </init-param> <init-param> <param-name>blockContentTypeSniffingEnabled</param-name> <param-value>true</param-value> </init-param> <init-param> <param-name>xssProtectionEnabled</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>httpHeaderSecurity</filter-name> <url-pattern>/*</url-pattern> <dispatcher>REQUEST</dispatcher> </filter-mapping>to enable the built-in Tomcat mitigations.I don't see that with my tomcat version - 7.0.42 .. can I just add it?
I don't see that with my tomcat version - 7.0.42 .. can I just add it?
Hi Dave,
Thanks for reaching out with your inquiry. You are correct, simply add the snippet as pictured. I recommend adding this directly before the closing </web-app> tag at the bottom of the web.xml file. This change will also require restarting the Tomcat / Yellowfin service. If you have any problems don't hesitate to submit a private ticket for direct assistance.
Best Regards,
Ryan
Hi Dave,
Thanks for reaching out with your inquiry. You are correct, simply add the snippet as pictured. I recommend adding this directly before the closing </web-app> tag at the bottom of the web.xml file. This change will also require restarting the Tomcat / Yellowfin service. If you have any problems don't hesitate to submit a private ticket for direct assistance.
Best Regards,
Ryan
Replies have been locked on this page!