*** nowen (~nowen@99-174-92-191.lightspeed.tukrga.sbcglobal.net) has joined #wikid | 12:53 |
*** immotus_ (~immotus@rrcs-24-153-193-34.sw.biz.rr.com) has joined #wikid | 16:35 |
immotus_ | PCI Compliance season for us again! I need to add an HTTP response header that makes it difficult to use the "Click Jacking" attack vector. Is there a place where I can add that for our WiKID installation (wikid-server-enterprise-3.6.0.b1659-1)? Click Jacking explanation - https://www.owasp.org/index.php/Clickjacking | 16:44 |
immotus_ | in Apache I add the following line to the apache config file.. Header always append X-Frame-Options SAMEORIGIN | 16:48 |
immotus_ | never mind.. apparently I was adding it to the wrong place in the apache config that forwarded to the WiKID tomcat server | 16:53 |
immotus_ | when i add it to /etc/httpd/conf/httpd.conf the header shows up just fine | 16:53 |
nowen | immotus_: are you running apache on the same server as WiKID? | 16:55 |
immotus_ | nowen: yes.. it's forwarding to WiKID.. I don't know why it was set up that way. Anyways, I see the response header now | 17:15 |
immotus_ | nowen: apparently, if we weren't going through apache to Tomcat, the solution would involve a "servlet filter" of some sort to add the "X-Frame-Options SAMEORIGIN" response header somehow | 17:16 |
nowen | yeah, | 17:18 |
nowen | makes sense. | 17:18 |
nowen | as long as you know what you're doing ;-) | 17:19 |
immotus_ | nowen: heh :^) | 17:21 |
nowen | biab, got to grab some lunch | 17:41 |
*** nowen is now known as nowen_lunch | 17:41 |
*** nowen_lunch is now known as nowen | 18:15 |
*** immotus_ has parted #wikid ("Konversation terminated!") | 21:26 |
*** nowen has quit (Quit: Leaving.) | 22:10 |
*** Qasker has quit (Quit: QQQuit:) | 22:35 |
Generated by irclog2html.py 2.11.0 by Marius Gedminas - find it at mg.pov.lt!