
3/13/24, 2:27 PM Document 2040420.1

Copyright (c) 2024, Oracle. All rights reserved. Oracle Confidential.

How to Configure the X-Frame-Options Header to Mitigate Clickjacking Attempts Using OHS and WLS Applications
(Doc ID 2040420.1)

In this Document

Goal
  General Use Case to Configure X-Frame-Options Header to Mitigate Clickjacking Attempts
Solution
  How to Configure the X-Frame-Options Header to Mitigate Clickjacking Attempts Using OHS and WLS Applications
    1. Disable/Replace the OHS/WLS Default Welcome Page
    2. Using Oracle ADF Applications (with Weblogic Server)
    3. If Not Using Oracle ADF Applications (with WebLogic Server)
    Oracle Forms
    Oracle HTTP Server Option
    Oracle Built Applications Where X-Frame-Options SAMEORIGIN is Not Set
    Quick Test to Verify Any Page
References

Document Details

Type: HOWTO
Status: PUBLISHED
Last Major Update: May 30, 2022
Last Update: May 31, 2023
Language: English

Related Products

Oracle HTTP Server
Oracle Fusion Middleware
Oracle WebLogic Server

APPLIES TO:

Oracle HTTP Server - Version 11.1.1.2.0 and later
Oracle Fusion Middleware - Version 11.1.1.2.0 and later
Oracle WebLogic Server - Version 10.3.2 and later
Information in this document applies to any platform.
- This concept applies to all versions

GOAL

General Use Case to Configure X-Frame-Options Header to Mitigate Clickjacking Attempts

X-Frame-Options is a server-side method of combating clickjacking -- see https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet or http://en.wikipedia.org/wiki/Clickjacking for more information on both. Clickjacking, also known as a UI redress attack, is a method in which an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on a page other than the one they believe they are clicking. Thus, the attacker is "hijacking" clicks meant for one page and routing the user to an illegitimate page.

Web site administrators should take precautions to protect their web pages from clickjacking attempts. Clickjacking is not a security issue unique to Oracle HTTP Server or Oracle WebLogic Server. It concerns any server that serves up web pages.

A common method considered clickjacking is to use the HTML iframe feature to embed another server's page within a given site's page. Note this is not a bad thing in itself; it is used for many good purposes as an HTML feature to create an integrated experience. The objection occurs when a third-party site includes details surrounding the displayed iframe to trick a user, or when they simply have no permission to include your page within theirs. The question is, how to prevent this?

SOLUTION

How to Configure the X-Frame-Options Header to Mitigate Clickjacking Attempts Using OHS and WLS Applications

There are three initial considerations to mitigate clickjacking with the X-Frame-Options header on Oracle HTTP Server (OHS) or Oracle WebLogic Server (WLS):

1. WebLogic Server default Welcome page, which should not be in production use
2. Using Oracle Application Development Framework (ADF) applications (with WLS)
3. Not using Oracle Application Development Framework (ADF) applications (with OHS or WLS)

1. Disable/Replace the OHS/WLS Default Welcome Page

A default page does not typically have X-Frame-Options, especially on WebLogic Server. A scan may be detecting the default
welcome page as the culprit without being clear on your actual application.

If you have not replaced this, you should address this on production systems using the following:

Note 1509213.1, "How To Disable the Oracle WebLogic Server Default Welcome Page"
Note 1055862.1, "How To Change The Default Home Page Of The HTTP Server to Custom Page"

2. Using Oracle ADF Applications (with Weblogic Server)

The first question to ask is whether the application is an Oracle-built application or a custom application. Application developers should set the desired headers within the application, although web server administration does allow setting them at the HTTP server level. Oracle recommends setting this within any customer application; therefore any Oracle-built application should also be doing so.

See how the ADF FRAME_BUSTING context parameter prevents clickjacking by default:

Developing Web User Interfaces with Oracle ADF Faces (12.2.1.4)


https://docs.oracle.com/en/middleware/developer-tools/adf/12.2.1.4/develop-faces/index.html

See this section ---> What You May Need to Know About ADF Faces Context Parameters in web.xml
Framebusting
https://docs.oracle.com/en/middleware/developer-tools/adf/12.2.1.4/develop-faces/adf-faces-
configuration.html#GUID-4436E27E-8F40-4B20-8A8E-511CC4BA3F39

Oracle Fusion Middleware Web User Interface Developer's Guide for Oracle Application Development Framework
(11.1.1.9)
https://docs.oracle.com/middleware/11119/adf/develop-faces/toc.htm

See this section ---> A.2.3.15 Framebusting


https://docs.oracle.com/middleware/11119/adf/develop-faces/ap_config.htm#BABDHGEJ

A summary, including a change through the releases:

The FRAME_BUSTING context parameter has different options which you may adjust according to your requirements. With a secure setting, the page shows an error and redirects either whenever it detects that it is running in a frame, or only when it is running in a frame on a page that originates in a different domain.

The older oracle.adf.view.rich.security.FRAME_BUSTING parameter has a default setting of "differentDomain".

The newer org.apache.myfaces.trinidad.security.FRAME_BUSTING parameter has a default setting of "differentOrigin".

It is important to note that if "Test Automation" is enabled, this security feature will be disabled. Refer to the above documentation about these settings.

Unless you want to restrict all use of iframes (and have no applications using iframes), the default "differentOrigin" or "differentDomain" options are considered secure, as they set the X-Frame-Options header to SAMEORIGIN. In other words, frames are busted only if the ancestor window origin (protocol, host, and port) and the frame origin differ. If the ancestor window and the frame have the same origin, the content is allowed to run in a frame. This is an extra built-in security feature that allows you to develop applications using iframe features while remaining on your server as intended.

Some Oracle-built applications use iframe features and should be inheriting this setting by default. This setting is generally
accepted as secure but allows functionality on your site, within your domain. It is from other domains where clickjacking may
impose a negative impact.

It is suggested to use various http header tools to check your X-Frame-Options value when accessing an application.

For example:
Enterprise Manager Fusion Middleware Control (/em) is an ADF application built by Oracle using ADF and does have the
proper settings to prevent clickjacking attempts from a different domain since the "X-Frame-Options: sameorigin" header is
passed (from the application). This is considered a secure configuration when the application is accessed directly on
WebLogic Server (without a proxy where extra headers could be a factor).

Important: oracle.adf.view.rich.security.FRAME_BUSTING is deprecated (see the older docs) and should be replaced by org.apache.myfaces.trinidad.security.FRAME_BUSTING for 11.1.1.9 and 12c releases. See the above documentation links for further details.

Any Oracle-built applications using the older context parameter or insecure defaults should be updated via newer
releases or a patch for releases that are still under error correction support.
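As an added example (not Oracle's code and not part of this note), the following Python script audits a web.xml for the FRAME_BUSTING context parameter: it reports which parameter name is in use, flags the deprecated oracle.adf.view.rich.security name and the setting that disables the feature, and names the X-Frame-Options value the note says the default produces. The web.xml fragments are constructed. The test-automation parameter name oracle.adf.view.rich.automation.ENABLED, the "always" and "never" values, and the "always" to DENY mapping are not stated in this note; they are taken from the linked ADF documentation and should be treated as assumptions here.

```python
"""Audit an ADF application's web.xml for its FRAME_BUSTING context parameter.

Added example, not Oracle's code. Reports which FRAME_BUSTING parameter the
deployment uses, flags the deprecated name and the settings that disable the
feature, and names the X-Frame-Options value the setting is expected to yield.
"""
import xml.etree.ElementTree as ET

NEW_PARAM = "org.apache.myfaces.trinidad.security.FRAME_BUSTING"
OLD_PARAM = "oracle.adf.view.rich.security.FRAME_BUSTING"      # deprecated per the note
AUTOMATION_PARAM = "oracle.adf.view.rich.automation.ENABLED"   # assumed: ADF test-automation switch

# Effective header per setting. differentOrigin/differentDomain -> SAMEORIGIN is what the
# note states; 'always' -> DENY and 'never' -> no header are assumptions from the ADF docs.
EFFECTIVE_HEADER = {
    "differentorigin": "SAMEORIGIN",
    "differentdomain": "SAMEORIGIN",
    "always": "DENY",
    "never": None,
}

# Constructed web.xml fragments (not taken from any real deployment).
SAMPLE_DEPRECATED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param>
    <param-name>oracle.adf.view.rich.security.FRAME_BUSTING</param-name>
    <param-value>never</param-value>
  </context-param>
</web-app>"""

SAMPLE_CURRENT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param>
    <param-name>org.apache.myfaces.trinidad.security.FRAME_BUSTING</param-name>
    <param-value>differentOrigin</param-value>
  </context-param>
</web-app>"""

SAMPLE_DEFAULT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param>
    <param-name>javax.faces.PROJECT_STAGE</param-name>
    <param-value>Production</param-value>
  </context-param>
</web-app>"""


def _local(tag: str) -> str:
    """Strip the XML namespace so the check works with any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def context_params(web_xml: str) -> dict:
    """Return {param-name: param-value} for every context-param in the document."""
    params = {}
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem.tag) != "context-param":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if fields.get("param-name"):
            params[fields["param-name"]] = fields.get("param-value", "")
    return params


def audit_frame_busting(web_xml: str) -> dict:
    """Summarise the FRAME_BUSTING configuration and list anything worth fixing."""
    params = context_params(web_xml)
    findings = []
    if NEW_PARAM in params:
        source, setting = NEW_PARAM, params[NEW_PARAM]
    elif OLD_PARAM in params:
        source, setting = OLD_PARAM, params[OLD_PARAM]
        findings.append(f"deprecated parameter {OLD_PARAM}; switch to {NEW_PARAM}")
    else:
        source, setting = "default", "differentOrigin"   # default of the newer parameter
    key = setting.lower()
    header = EFFECTIVE_HEADER.get(key)
    if key not in EFFECTIVE_HEADER:
        findings.append(f"unrecognised FRAME_BUSTING value {setting!r}")
    elif key == "never":
        findings.append("framebusting disabled ('never'): ADF will not send X-Frame-Options")
    if params.get(AUTOMATION_PARAM, "false").strip().lower() == "true":
        findings.append("test automation is enabled, which disables framebusting")
        header = None
    return {"parameter": source, "setting": setting,
            "expected_header": header, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("deprecated", SAMPLE_DEPRECATED),
                          ("current", SAMPLE_CURRENT), ("default", SAMPLE_DEFAULT)):
        print(label, audit_frame_busting(sample))
```

Run it against the WEB-INF/web.xml of each deployed ADF application; an empty findings list with expected_header SAMEORIGIN is the configuration this note describes as secure, and the header value reported should then match what a header tool shows for the running application.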


3. If Not Using Oracle ADF Applications (with WebLogic Server)

If an application is not built with ADF, then application developers need to take steps to set this header in their code.

Older applications may not have this. The following are known updated applications built by Oracle:

Oracle WebLogic Server Console (/console) passes the "X-Frame-Options: deny" header beginning with PSU 10.3.6.0.12.
Dynamic Monitoring Service (/dms) passes the "X-Frame-Options: sameorigin" header beginning with 11.1.1.9 and 12c releases.

There are options to mitigate clickjacking on an http server using the X-Frame-Options header for applications written by
Oracle and deployed to WebLogic Server.

Oracle Weblogic Server does not have an option to set this header for all applications as per:

Note 1558254.1, "How Can X-Frame-Options Be Enabled in the WebLogic Server Embedded Web Server?"

By applying the PSU you can ensure this is set for the WLS Console.

Oracle Forms

See the following for Oracle Forms:

Note 2618865.1 How to Configure an X-Frame-Options Header in Forms

Oracle HTTP Server Option

Oracle HTTP Server (OHS) can be configured to send the X-Frame-Options header.

In the httpd.conf:

Header always append X-Frame-Options SAMEORIGIN

Notes:

For OHS 11g and 12c, this is based on the Apache documentation at https://httpd.apache.org/docs/2.4/mod/mod_headers.html#header

This may not be the most reliable method at the proxy level. Oracle recommends that this be controlled at an application
level to secure your applications.

Your applications, including some Oracle products, may use the iframe feature for legitimate reasons. If setting to DENY,
you may lose intended functionality. The use of SAMEORIGIN is considered secure because you have control within your
same domain to implement iframe features to enhance your application.

The above is a recommended minimal setting, but there are three possible values for X-Frame-Options you may choose
from:

DENY
The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN
The page can only be displayed in a frame on the same origin domain as the page itself.
ALLOW-FROM <provide url>
The page can only be displayed in a frame on the specified origin page indicated.

Note: ALLOW-FROM is an obsolete directive that no longer works in modern browsers; see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Update for OHS 12.2.1.4 and 12.2.1.3:

Administering Security for Oracle HTTP Server, section "X-Frame-Options Header to Mitigate Clickjacking Attempts"

While the above "always append" can be used, it is still expected that an application is setting this. For this consideration,
and to avoid possible overwriting of an application's custom values, you can also use the setifempty option:

Header setifempty X-Frame-Options SAMEORIGIN
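The origin comparison described under framebusting, the three header values, and the difference between "always append" and "setifempty" can all be observed with the following Python model. It is an added example, not Oracle or Apache code: may_frame() follows the X-Frame-Options check in the HTML Standard (no header allows framing, conflicting values that include DENY or SAMEORIGIN block it, ALLOW-FROM is ignored), origin() compares scheme, host and port as the "differentOrigin" setting does, and apply_directive() imitates the set, append and setifempty actions of the mod_headers Header directive. All URLs and the application-set values are constructed.

```python
"""Model of X-Frame-Options evaluation and of OHS mod_headers merging.

Added example, not Oracle or Apache code. may_frame() follows the
X-Frame-Options check in the HTML Standard; apply_directive() imitates
the 'set', 'append' and 'setifempty' actions of 'Header' in mod_headers.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """Origin tuple (scheme, host, port) used by the 'differentOrigin' comparison."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (u.hostname or "").lower(), port)


def parse_xfo(header_value):
    """Split a (possibly comma-merged) header value into a set of lowercase tokens."""
    if header_value is None:
        return set()
    return {v.strip().lower() for v in header_value.split(",") if v.strip()}


def may_frame(header_value, ancestor_urls, frame_url) -> bool:
    """True if a browser will render frame_url inside the given chain of ancestors."""
    values = parse_xfo(header_value)
    if not values:
        return True                        # no header: no restriction
    if len(values) > 1:
        # Conflicting values: blocked if any of them is deny/sameorigin/allowall,
        # otherwise the whole header is ignored.
        return not (values & {"deny", "sameorigin", "allowall"})
    value = next(iter(values))
    if value == "deny":
        return False
    if value == "sameorigin":
        target = origin(frame_url)
        return all(origin(a) == target for a in ancestor_urls)
    return True                            # ALLOW-FROM and unknown tokens are ignored


def apply_directive(headers: dict, action: str, name: str, value: str) -> dict:
    """Simulate 'Header <action> <name> <value>' on an outgoing header map."""
    out = dict(headers)
    key = next((k for k in out if k.lower() == name.lower()), name)
    if action == "set":
        out[key] = value
    elif action == "append":               # merged onto an existing value with a comma
        out[key] = f"{out[key]}, {value}" if key in out else value
    elif action == "setifempty":           # only when the application sent nothing
        if not out.get(key):
            out[key] = value
    else:
        raise ValueError(f"unsupported action: {action}")
    return out


def resulting_header(app_value, action, ohs_value="SAMEORIGIN"):
    """Header the client sees when OHS applies `action` after the app set app_value."""
    headers = {} if app_value is None else {"X-Frame-Options": app_value}
    return apply_directive(headers, action, "X-Frame-Options", ohs_value).get("X-Frame-Options")


# Constructed URLs for the scenarios.
SITE = "https://app.example.com/page"
SAME = "https://app.example.com/other"
OTHER_PORT = "https://app.example.com:8443/page"
ATTACKER = "https://evil.example.net/wrap.html"

if __name__ == "__main__":
    for app_value in (None, "DENY", "ALLOW-FROM https://partner.example.org"):
        for action in ("append", "setifempty"):
            h = resulting_header(app_value, action)
            print(f"app={app_value!r:42} {action:10} -> {h!r:52} "
                  f"framable by other site: {may_frame(h, [ATTACKER], SITE)}")
```

Two outcomes are worth noting when reading the results: appending SAMEORIGIN to an application's own DENY yields "DENY, SAMEORIGIN", which browsers still treat as blocked, so the application's stricter intent survives; but setifempty leaves an application's obsolete ALLOW-FROM value untouched, and since browsers ignore that value the page remains framable from any site, so a header check after configuration is still needed.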

It is also recommended to apply the latest security patches:

Doc ID 2806740.2 Critical Patch Update (CPU) Patch Advisor for Oracle Fusion Middleware
- Direct links: OHS 12.2.1.4 OHS 12.2.1.3

Oracle Built Applications Where X-Frame-Options SAMEORIGIN is Not Set

Oracle-built applications should have a minimal value of SAMEORIGIN for the X-Frame-Options without a need to configure OHS
(or Apache). Exceptions may be older applications built before it was required. Configuring OHS may be used as a workaround
but any application still under error correction support should have a Bug filed to report the issue and ensure it is fixed going
forward. Before reporting an issue, ensure the latest CPU/PSU patches are applied as issues such as this would be included and
may not be documented.

Quick Test to Verify Any Page

To verify if a page can be included within another, you can use the following test before and after configuration or patching:

1) Use the following as test.html and place it on a server on a separate domain:

<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website may be subject to clickjacking!</p>
<iframe src="http://<another_url_on_another_server_you_configured>" width="500" height="500"></iframe>
</body>
</html>

Notes:

If you do not have a server on a separate domain available, placing it on the desktop and opening it from there
will accomplish the same.
Replace the iframe src with a valid URL on another server you want to protect.
The server running test.html is referred to as the origin server.
The server within the iframe src is referred to as the target server, in this case, the one where X-Frame-Options
will need to be set.

2) Call the above page (or you can just open it on a desktop) and see if the iframe page is included.

3) Accessing each page individually, use an http header tool available on the internet to see if X-Frame-Options header is
set.

4) If X-Frame-Options header is not as desired, follow the steps from this document and test again.

5) Some browsers may react differently and block attempts to embed a page, especially if the page is a full-blown application, resulting in a nesting effect. Test different scenarios and check the headers on each individual page to be conclusive about your result. Note this is not direct server-side protection: the server sends the X-Frame-Options header as an instruction that a browser supporting iframes is expected to follow.
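A minimal header-check tool of the kind step 3 refers to, added here as an example rather than taken from this note. So that it runs offline, it starts a constructed stand-in server on the loopback address (/before sends no header, as an unconfigured server would; /after sends SAMEORIGIN), fetches each URL with urllib, and reports the header and a verdict; point check_x_frame_options() at the real target server's URL to check your own pages before and after configuration or patching.

```python
"""Before/after check for the X-Frame-Options header on a URL.

Added example, not part of the Oracle note. The stand-in server is
constructed so the check can be demonstrated offline; in practice call
check_x_frame_options() with the target server's URL.
"""
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen


class StandInHandler(BaseHTTPRequestHandler):
    """Constructed stand-in: /before mimics an unconfigured server, /after a configured one."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        if self.path.startswith("/after"):
            self.send_header("X-Frame-Options", "SAMEORIGIN")
        self.end_headers()
        self.wfile.write(b"<html><body>stand-in page</body></html>")

    def log_message(self, *args):  # keep the example quiet
        pass


def start_stand_in_server():
    """Serve the stand-in on an ephemeral loopback port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), StandInHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def assess(value):
    """Classify an X-Frame-Options value the way a header tool's verdict column would."""
    if value is None:
        return "MISSING: no X-Frame-Options restriction on this page"
    token = value.strip().upper()
    if token in ("DENY", "SAMEORIGIN"):
        return "OK"
    if token.startswith("ALLOW-FROM"):
        return "OBSOLETE: ALLOW-FROM is ignored by modern browsers"
    return "UNEXPECTED: value not recognised"


def check_x_frame_options(url: str, timeout: float = 5.0) -> dict:
    """Fetch url and report the X-Frame-Options header and a verdict."""
    try:
        with urlopen(Request(url, method="GET"), timeout=timeout) as resp:
            status, value = resp.status, resp.headers.get("X-Frame-Options")
    except HTTPError as err:                 # 4xx/5xx responses still carry headers
        status, value = err.code, err.headers.get("X-Frame-Options")
    return {"url": url, "status": status, "x_frame_options": value, "verdict": assess(value)}


def run_before_after_check() -> dict:
    """Check the two stand-in pages, shutting the stand-in down afterwards."""
    server, base = start_stand_in_server()
    try:
        return {"before": check_x_frame_options(base + "/before"),
                "after": check_x_frame_options(base + "/after")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for label, r in run_before_after_check().items():
        print(f"{label}: HTTP {r['status']} X-Frame-Options={r['x_frame_options']!r} -> {r['verdict']}")
```

Because the verdict is based on the header alone, a page reported OK here can still be embedded if a proxy in front of it strips or rewrites the header, which is why step 5 asks for each page to be checked individually as delivered to the browser.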

REFERENCES

NOTE:1558254.1 - Can X-Frame-Options HTTP Header be Enabled in Oracle WebLogic Server to Mitigate Clickjacking?
NOTE:1074055.1 - Security Vulnerability FAQ for Oracle Database and Fusion Middleware Products

Related Products

Middleware > Application Servers > Oracle Application Server > Oracle HTTP Server
Middleware > Application Servers > Oracle Application Server > Oracle Fusion Middleware
Middleware > Application Servers > Weblogic Server > Oracle WebLogic Server

Keywords

ADF; HEADER; HTML; HTTP; IFRAME; LINK; SECURE; SECURITY; WEBLOGIC; WEBSITE

Translations

English (Source); Japanese (日本語)
