Configuring Anti-ClickJacking Attack Protection

To address ClickJacking issues, you can enable anti-ClickJacking attack protection by editing the iServer configuration file [SuperMap iServer installation directory]\webapps\iserver\WEB-INF\web.xml.

The configuration that enables anti-ClickJacking protection is shown below; the values filled in are the defaults:

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <!-- Allowed values: true enables and false disables anti-ClickJacking protection -->
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <!-- Anti-ClickJacking strategy, i.e. the value sent in the X-Frame-Options header. Supported values:
             1) DENY: prohibit embedding from all domains;
             2) SAMEORIGIN: allow embedding only from the same origin;
             3) ALLOW-FROM uri: allow embedding only from the specified URI (note: current browsers no longer honour ALLOW-FROM, so prefer DENY or SAMEORIGIN) -->
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <init-param>
        <param-name>blockContentTypeSniffingEnabled</param-name>
        <!-- Allowed values: true enables and false disables protection against browser MIME type sniffing.
             When enabled, the filter adds the X-Content-Type-Options: nosniff header to responses -->
        <param-value>false</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

1. For httpHeaderSecurity to take effect, both the <filter> and the <filter-mapping> must be defined in web.xml. Filter mappings are executed in the order in which they appear, so the <filter-mapping> for httpHeaderSecurity must be placed before the <filter-mapping> for CorsFilter.

2. After editing web.xml, restart iServer for the changes to take effect.
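The following is an added example, not part of the SuperMap iServer documentation or product: a small Python check that parses a web.xml and verifies the points above (the httpHeaderSecurity filter is defined, antiClickJackingEnabled is true, the option is one browsers honour, and the httpHeaderSecurity filter-mapping precedes CorsFilter). The sample web.xml it builds is constructed for the example and is not the real iServer file.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Strip any XML namespace so a web.xml with or without xmlns parses alike.
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None

def check_header_security(web_xml):
    """Return a list of findings; an empty list means the filter is wired up correctly."""
    root = ET.fromstring(web_xml)
    filters = {}
    for f in root.iter():
        if _local(f.tag) == "filter":
            filters[_child_text(f, "filter-name")] = {
                _child_text(p, "param-name"): _child_text(p, "param-value")
                for p in f if _local(p.tag) == "init-param"}
    # filter-mapping elements in file order: this is the order Tomcat runs them in
    order = [_child_text(m, "filter-name") for m in root.iter() if _local(m.tag) == "filter-mapping"]
    params = filters.get("httpHeaderSecurity")
    if params is None:
        return ["httpHeaderSecurity <filter> is not defined"]
    findings = []
    if (params.get("antiClickJackingEnabled") or "").lower() != "true":
        findings.append("antiClickJackingEnabled is not true")
    option = (params.get("antiClickJackingOption") or "DENY").upper()  # Tomcat's default is DENY
    if option.startswith("ALLOW-FROM"):
        findings.append("ALLOW-FROM is ignored by current browsers; use DENY or SAMEORIGIN")
    elif option not in ("DENY", "SAMEORIGIN"):
        findings.append("unknown antiClickJackingOption: " + option)
    if "httpHeaderSecurity" not in order:
        findings.append("httpHeaderSecurity has no <filter-mapping>")
    elif "CorsFilter" in order and order.index("httpHeaderSecurity") > order.index("CorsFilter"):
        findings.append("httpHeaderSecurity filter-mapping must come before CorsFilter")
    return findings

# Constructed sample (not the real iServer web.xml): filter definitions, then mappings in the given order.
_FILTERS = ('<web-app><filter><filter-name>httpHeaderSecurity</filter-name>'
            '<init-param><param-name>antiClickJackingEnabled</param-name><param-value>true</param-value></init-param>'
            '<init-param><param-name>antiClickJackingOption</param-name><param-value>SAMEORIGIN</param-value></init-param>'
            '</filter><filter><filter-name>CorsFilter</filter-name></filter>')

def sample_web_xml(mapping_order):
    maps = "".join("<filter-mapping><filter-name>%s</filter-name><url-pattern>/*</url-pattern></filter-mapping>" % n for n in mapping_order)
    return _FILTERS + maps + "</web-app>"
```

Run check_header_security on the contents of your own web.xml; an empty list means the filter, its parameters and the mapping order match the notes above.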