Return
-
Title
Preventing the Web Interface from being run in a Frame -
Description
Active Roles Server 6.7 and 6.8 Web Interfaces fully support being run in an HTML iframe as a feature. This can mean that a security audit may determine that the Web Interface is vulnerable to a Cross-Frame Scripting (XFS) exploitation. -
Resolution
In order to prevent an XFS exploitation, insert the following into the web.config file used by all Web Interface sites:
<system.webServer>
...
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
...
</system.webServer>With Active Roles Server 6.7, for example, this file is located at C:\Program Files\Quest Software\ActiveRoles Server\Web Interface 6.7\6.7.0\Public\web.config