How to set X-Frame-Options in Fisheye / Crucible
About the platform: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Customers may need to set the HTTP header X-Frame-Options to SAMEORIGIN in Fisheye / Crucible and may assume this is configurable on the Jetty application server side.
Environment
< 4.0
Cause
Customers may want to set this HTTP header to protect the application against clickjacking.
Solution
Starting with Fisheye/Crucible 4.0, the X-Frame-Options header has a default value of SAMEORIGIN. If you need to change this value, be aware that HTTP headers cannot be adjusted directly within Fisheye/Crucible. Instead, set the header at the proxy level, and then configure the proxy settings in the Fisheye web server settings.
How to configure the header at proxy level depends on which proxy solution is being used. Below are implementation examples for Apache HTTP Server and Nginx:
Apache HTTP Server:
- Edit the Apache configuration file for your operating system. The configuration file can be found here:
  Debian based systems: /etc/apache2/conf-enabled/security.conf
  RedHat based systems: /etc/httpd/conf/httpd.conf
- Add the following entry to the file to allow same-origin framing only:
  Header set X-Frame-Options "SAMEORIGIN"
- Save the configuration file and restart the Apache service to apply the changes.
Nginx:
- Go to the Nginx installation directory and then its conf folder. Take a backup before modifying anything.
- Add the following parameter in nginx.conf under the server section:
  add_header X-Frame-Options "SAMEORIGIN";
- Restart the Nginx web server.
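After restarting the proxy, it is worth confirming that the header really reaches the browser. The following check is an added example and is not part of the Atlassian article or product; it inspects the response headers of a request (the hostname fisheye.example.com is a placeholder) and the sample header blocks are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example: verify that the reverse proxy in front of Fisheye/Crucible
# emits an anti-clickjacking X-Frame-Options header.
# Live usage (hostname is a placeholder):  curl -sI https://fisheye.example.com/ | check_xfo

# Reads raw HTTP response headers on stdin.
# Returns 0 when X-Frame-Options is SAMEORIGIN or DENY (both block framing
# from foreign origins), 1 when the header is missing or has another value.
check_xfo() {
    # Header names are case-insensitive; strip the CRLF and spaces around the value.
    value=$(grep -i '^x-frame-options:' | head -n 1 | cut -d: -f2- \
            | tr -d ' \r' | tr '[:lower:]' '[:upper:]')
    case "$value" in
        SAMEORIGIN|DENY) echo "ok: X-Frame-Options=$value"; return 0 ;;
        "")              echo "missing: no X-Frame-Options header"; return 1 ;;
        *)               echo "unexpected: X-Frame-Options=$value"; return 1 ;;
    esac
}

# Constructed sample responses (not captured from a real server).
GOOD_HEADERS='HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'

BAD_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

# Demonstration on the constructed samples.
printf '%s\n' "$GOOD_HEADERS" | check_xfo
printf '%s\n' "$BAD_HEADERS" | check_xfo || true
```

Run the live check against an error page (for example a non-existent path) as well as the front page: Apache's plain "Header set" only applies to successful responses, so a proxy can pass the first check and still serve unprotected error pages unless "Header always set" is used.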