Hi,

These two options allow preventing clickjacking attacks. They don't allow opening FreeIPA in a frame, iframe or object element.

--
Pavel^3 Vomacka
From c5a92092d87b3afeeaae0c37ce2bf8e892b9be84 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka <pvoma...@redhat.com>
Date: Thu, 10 Mar 2016 18:32:50 +0100
Subject: [PATCH] Add X-Frame-Options and frame-ancestors options

These two options allow preventing clickjacking attacks. They don't allow
opening FreeIPA in a frame, iframe or object element.

https://fedorahosted.org/freeipa/ticket/4631
---
 install/conf/ipa.conf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 8d4fea35e9c5aa15a611d90fe005090abb1d8e50..21c8c7cc8eef3195a0456630cb4e9285b2b78d69 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -35,6 +35,11 @@ AddOutputFilterByType DEFLATE text/html text/plain text/xml \
 Header unset ETag
 FileETag None
 
+# These two settings allow preventing clickjacking attacks
+# They don't allow open FreeIPA in frame, iframe or object element
+Header always append X-Frame-Options DENY
+Header always append Content-Security-Policy "frame-ancestors 'none'"
+
 # FIXME: WSGISocketPrefix is a server-scope directive.  The mod_wsgi package
 # should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
 WSGISocketPrefix /run/httpd/wsgi
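Review bot: `Header always append X-Frame-Options DENY` should use `set` rather than `append`. `append` merges into any X-Frame-Options value that is already present on the response (for example one emitted by the WSGI application or another config fragment), producing a comma-joined value such as `SAMEORIGIN, DENY`; X-Frame-Options has no defined multi-value semantics and browsers do not handle such values uniformly, so `Header always set X-Frame-Options DENY` is the safer form. For Content-Security-Policy, `append` is acceptable because browsers enforce every comma-separated policy, but using `set` for both keeps the two lines consistent and the resulting headers unambiguous. Minor: the comment line "They don't allow open FreeIPA in frame, iframe or object element" should read "They don't allow opening FreeIPA in a frame, iframe or object element".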
-- 
2.5.0
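A small checker for the two headers the patch adds, as an added example that is not part of the patch or of FreeIPA. It takes response headers as a list of (name, value) pairs, as an HTTP client would return them, and reports whether framing is restricted by X-Frame-Options, by a CSP `frame-ancestors` directive, or neither. It also flags a comma-joined X-Frame-Options value, which is what `Header append` produces when the header was already present. The header sets at the bottom are constructed for the example.

```python
"""Check anti-clickjacking response headers (added example, not FreeIPA code)."""
from typing import Dict, List, Optional, Tuple

XFO_VALID = {"DENY", "SAMEORIGIN"}


def _collect(headers: List[Tuple[str, str]], name: str) -> List[str]:
    """Return every value of header `name` (case-insensitive).

    Repeated headers and comma-joined values (the result of Apache
    `Header append`, or of a proxy merging headers) are both returned as
    separate entries so callers can see how many values the browser sees.
    """
    out: List[str] = []
    for key, value in headers:
        if key.lower() == name.lower():
            out.extend(p.strip() for p in value.split(",") if p.strip())
    return out


def check_xfo(headers: List[Tuple[str, str]]) -> Tuple[str, Optional[object]]:
    """Classify X-Frame-Options as 'absent', 'ok', 'ambiguous' or 'invalid'."""
    values = _collect(headers, "X-Frame-Options")
    if not values:
        return ("absent", None)
    if len(values) > 1:
        # X-Frame-Options defines no multi-value semantics; browsers do not
        # treat a comma-joined value uniformly, so report it for config repair.
        return ("ambiguous", values)
    token = values[0].upper()
    if token in XFO_VALID:
        return ("ok", token)
    # ALLOW-FROM and typos are not honoured by current browsers.
    return ("invalid", values)


def check_csp(headers: List[Tuple[str, str]]) -> Tuple[str, Optional[List[List[str]]]]:
    """Return ('ok', source_lists) if any CSP policy carries frame-ancestors.

    Every policy a response carries (repeated headers or comma-joined values)
    is enforced, so one policy restricting frame-ancestors is sufficient.
    """
    found: List[List[str]] = []
    for policy in _collect(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                found.append(parts[1:])
    if not found:
        return ("absent", None)
    return ("ok", found)


def framing_protection(headers: List[Tuple[str, str]]) -> Dict[str, object]:
    """Combine both checks into one verdict.

    'protected' is True when X-Frame-Options is a single valid token, or when
    some CSP policy restricts frame-ancestors to something other than '*'.
    """
    xfo = check_xfo(headers)
    csp = check_csp(headers)
    csp_restricts = csp[0] == "ok" and any("*" not in sources for sources in csp[1])
    return {
        "x_frame_options": xfo,
        "csp_frame_ancestors": csp,
        "protected": xfo[0] == "ok" or csp_restricts,
    }


# Constructed header sets for demonstration.
PATCHED = [  # what the patch intends the server to emit
    ("Content-Type", "text/html"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
]
UNPROTECTED = [("Content-Type", "text/html")]
DOUBLE_APPEND = [  # `Header append` on a response that already carried the header
    ("X-Frame-Options", "SAMEORIGIN, DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
]

if __name__ == "__main__":
    for label, hdrs in (("patched", PATCHED), ("unprotected", UNPROTECTED),
                        ("double-append", DOUBLE_APPEND)):
        print(label, framing_protection(hdrs))
```

The double-append set is still reported as protected because its CSP policy stands on its own, which is the practical reason for shipping both headers: the CSP directive covers modern browsers even when the X-Frame-Options value has been mangled.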
