Bug #14648

Nessus reports Clickjacking vulnerability

Added by Brian Shaw about 6 years ago. Updated almost 4 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
Installer
Target version:
Difficulty:
medium
Triaged:
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

When scanning our environment with Nessus, the report came back that our Katello servers are vulnerable to Clickjacking on the URLs listed below:

http://<capsule server>/pub/
https://<capsule server>/pub/
https://<capsule server>/
https://<capsule server>:8443/pub/

Is it possible to add an X-Frame-Options response header in all content responses? If so, where should this be done?

Thanks for any help you can give with this.

Brian

History

#1 Updated by Dominic Cleal about 6 years ago

  • Project changed from Foreman to Katello
  • Category deleted (Web Interface)

#2 Updated by Justin Sherrill almost 6 years ago

  • Tracker changed from Support to Bug
  • Category set to Installer
  • Status changed from New to Need more information
  • Difficulty set to medium

Likely you'd just add

Header always append X-Frame-Options SAMEORIGIN

to /etc/httpd/conf.d/05-foreman-ssl.conf

and bounce Apache. We should add this to the installer. Does this make Nessus happy?
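An added example (not part of the ticket or of the Foreman/Katello installer) that checks whether a response's headers would satisfy a scanner's clickjacking test. It also flags the ambiguous result that `Header always append` produces when a backend already sends its own X-Frame-Options value, which is why `Header always set` is the safer directive. The hostnames and header sets below are constructed.

```python
import urllib.request
from typing import Iterable

SAFE_VALUES = {"DENY", "SAMEORIGIN"}


def frame_protection(headers: Iterable[tuple[str, str]]) -> tuple[bool, str]:
    """Classify a response's anti-framing headers as (protected, reason).

    `headers` is a list of (name, value) pairs, as HTTPResponse.getheaders()
    returns them, so repeated header lines are preserved rather than merged.
    """
    by_name: dict[str, list[str]] = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    # Browsers that support CSP frame-ancestors honour it over X-Frame-Options.
    for csp in by_name.get("content-security-policy", []):
        if "frame-ancestors" in csp.lower():
            return True, "CSP frame-ancestors present"

    raw = by_name.get("x-frame-options")
    if not raw:
        return False, "X-Frame-Options missing"
    # "SAMEORIGIN, SAMEORIGIN" or two separate lines is what `Header always
    # append` yields when the application already set the header itself.
    values = {v.strip().upper() for line in raw for v in line.split(",")}
    if len(values) > 1:
        return False, f"conflicting values {sorted(values)}; use 'Header always set'"
    (value,) = values
    if value in SAFE_VALUES:
        return True, f"X-Frame-Options {value}"
    if value.startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is obsolete and ignored by current browsers"
    return False, f"unrecognised X-Frame-Options value {value!r}"


def fetch_protection(url: str) -> tuple[bool, str]:
    """Run the check against a live URL (HEAD request, 10 s timeout)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return frame_protection(resp.getheaders())


# Constructed sample responses standing in for the URLs listed in the ticket.
SAMPLES = {
    "https://capsule.example/pub/": [("Content-Type", "text/html")],
    "https://capsule.example/": [("X-Frame-Options", "SAMEORIGIN")],
    "https://capsule.example:8443/pub/": [("X-Frame-Options", "DENY"),
                                          ("X-Frame-Options", "SAMEORIGIN")],
}


def check_samples() -> dict[str, bool]:
    """Protected/unprotected verdict per constructed sample URL."""
    return {url: frame_protection(h)[0] for url, h in SAMPLES.items()}
```

Run `fetch_protection("https://<capsule server>/pub/")` against each URL from the report after the config change to confirm the header is actually reaching the client on port 443 and 8443.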

#3 Updated by Justin Sherrill almost 6 years ago

  • Legacy Backlogs Release (now unused) set to 166

#4 Updated by Justin Sherrill almost 6 years ago

  • Status changed from Need more information to Rejected
