[GeoNode-users] GeoServer X-Frame Options

Ramesh De Silva desilvarami at gmail.com
Wed Mar 29 20:30:27 PDT 2023


Thank you for the instructions Giovanni. I have successfully configured
X-Frame Options now. Though the GeoServer official documentation explains the
process, it does not provide a sample code. I tried a couple of such code
blocks from different internet sources without success. Finally I found the
following, which worked smoothly, and I wish to share the same, as it may be
useful for someone who is searching for sample code to implement this
feature.
<!-- Tomcat's built-in HttpHeaderSecurityFilter; antiClickJackingOption DENY emits X-Frame-Options: DENY -->
<filter>
  <filter-name>httpHeaderSecurity</filter-name>
  <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  <async-supported>true</async-supported>
  <init-param>
    <param-name>antiClickJackingEnabled</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>antiClickJackingOption</param-name>
    <param-value>DENY</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>httpHeaderSecurity</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

Kind regards
Ramesh
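
As an added example (not code from this thread, from GeoServer or from Tomcat), the following Python script parses a web.xml fragment like the filter block posted above, works out the X-Frame-Options value Tomcat's HttpHeaderSecurityFilter will emit from its init-params (Tomcat's defaults are antiClickJackingEnabled=true and antiClickJackingOption=DENY; SAMEORIGIN is the value that matches the "same host" intent of the first message, and ALLOW-FROM needs antiClickJackingUri), and then compares that value against a set of response headers, which is the check one would run with curl -I after restarting the container. The sample web.xml, the responses and the geonode.example hostnames are constructed for this example.

```python
# Added example: derive the X-Frame-Options value Tomcat's HttpHeaderSecurityFilter
# sends from a web.xml <filter> block, then audit captured response headers against it.
import xml.etree.ElementTree as ET

HEADER_FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"
VALID_OPTIONS = {"DENY", "SAMEORIGIN", "ALLOW-FROM"}

# Constructed sample web.xml, mirroring the filter block posted above plus the
# default namespace a real deployment descriptor declares.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
      <param-name>antiClickJackingEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>antiClickJackingOption</param-name>
      <param-value>DENY</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""

# Constructed responses: the hostnames and headers are invented for the example.
SAMPLE_RESPONSES = [
    ("https://geonode.example/", {"Content-Type": "text/html", "X-Frame-Options": "DENY"}),
    ("https://geonode.example/geoserver/web/", {"Content-Type": "text/html"}),
    ("https://geonode.example/geoserver/ows", {"X-Frame-Options": "SAMEORIGIN"}),
]


def _local(tag):
    """Drop the {namespace} prefix ElementTree puts on tags of namespaced XML."""
    return tag.rsplit("}", 1)[-1]


def parse_header_security_filters(xml_text):
    """Return [{name, params, url_patterns}] for each HttpHeaderSecurityFilter."""
    root = ET.fromstring(xml_text)
    filters = {}
    for el in root:
        if _local(el.tag) != "filter":
            continue
        fields = {_local(c.tag): c for c in el}
        cls = fields.get("filter-class")
        if cls is None or (cls.text or "").strip() != HEADER_FILTER_CLASS:
            continue
        name = (fields["filter-name"].text or "").strip()
        params = {}
        for ip in el:
            if _local(ip.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in ip}
                params[kv["param-name"]] = kv["param-value"]
        filters[name] = {"name": name, "params": params, "url_patterns": []}
    for el in root:
        if _local(el.tag) != "filter-mapping":
            continue
        kv = {}
        for c in el:  # a mapping may list several <url-pattern> children
            kv.setdefault(_local(c.tag), []).append((c.text or "").strip())
        name = kv.get("filter-name", [""])[0]
        if name in filters:
            filters[name]["url_patterns"].extend(kv.get("url-pattern", []))
    return list(filters.values())


def expected_x_frame_options(params):
    """Header value the filter emits for these init-params, or None when disabled.
    Tomcat's defaults are antiClickJackingEnabled=true, antiClickJackingOption=DENY."""
    if params.get("antiClickJackingEnabled", "true").strip().lower() != "true":
        return None
    option = params.get("antiClickJackingOption", "DENY").strip().upper()
    if option not in VALID_OPTIONS:  # Tomcat rejects unknown values at startup
        raise ValueError(f"unsupported antiClickJackingOption: {option}")
    if option == "ALLOW-FROM":
        uri = params.get("antiClickJackingUri", "").strip()
        if not uri:  # this example's own check: ALLOW-FROM is meaningless without a URI
            raise ValueError("ALLOW-FROM requires antiClickJackingUri")
        return f"ALLOW-FROM {uri}"
    return option


def audit_responses(responses, expected):
    """Return (url, actual_value) for every response whose X-Frame-Options header
    is missing or differs from `expected`; header names compare case-insensitively."""
    if expected is None:
        return []
    findings = []
    for url, headers in responses:
        actual = next((v for k, v in headers.items() if k.lower() == "x-frame-options"), None)
        if actual is None or actual.strip().upper() != expected.upper():
            findings.append((url, actual))
    return findings


if __name__ == "__main__":
    for f in parse_header_security_filters(SAMPLE_WEB_XML):
        expected = expected_x_frame_options(f["params"])
        print(f"filter {f['name']} on {f['url_patterns']} -> X-Frame-Options: {expected}")
        for url, actual in audit_responses(SAMPLE_RESPONSES, expected):
            print(f"  MISMATCH {url}: got {actual!r}")
```

With the constructed input the audit reports the two GeoServer URLs (one with no header at all, one answering SAMEORIGIN instead of the configured DENY), which is exactly the symptom described in the first message. One design point worth keeping in mind: DENY also stops GeoNode's own pages from framing GeoServer content, so a deployment that embeds GeoServer output in GeoNode pages wants SAMEORIGIN, while DENY is the stricter choice when nothing legitimately frames GeoServer.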

On Wed, Mar 29, 2023 at 6:28 PM Giovanni Allegri <
giovanni.allegri at geosolutionsgroup.com> wrote:

> You could try setting the configuration
> <https://docs.geoserver.org/latest/en/user/production/config.html#x-frame-options-policy>
> in /usr/local/tomcat/webapps/geoserver/WEB-INF/web.xml inside the GeoServer
> container, and then restart Tomcat (catalina.sh stop; catalina.sh start).
>
> Giovanni
>
> On Tue, Mar 28, 2023 at 6:51 AM Ramesh De Silva <desilvarami at gmail.com>
> wrote:
>
>> Hi,
>>
>> To protect against clickjacking attacks, the X-Frame option is set to
>> "SAMEHOST" in both GeoNode and GeoServer. I checked the Stable Demo GeoNode
>> and it is in accordance with this. But in my local GeoNode, only GeoNode URLs
>> show the X-Frame header but not the GeoServer URLs. Please see the attached
>> image.
>> Can someone provide a guide to setting the X-Frame options in the GeoServer
>> container, or a possible reason for the above behavior?
>>
>> Thank you.
>>
>> Kind Regards
>> Ramesh
>> _______________________________________________
>> geonode-users mailing list
>> geonode-users at lists.osgeo.org
>> https://lists.osgeo.org/mailman/listinfo/geonode-users
>>
>
>
> --
>
> ==
>
> GeoServer Professional Services from the experts!
>
> Visit http://bit.ly/gs-services-us for more information.
> ==
>
> Dott. Giovanni Allegri
>
> Technical Lead / Project Manager
>
>
> GeoSolutions Group
> phone: +39 0584 962313
> cell:     +39 345 2815774
>
> fax:      +39 0584 1660272
>
> https://www.geosolutionsgroup.com/
> http://twitter.com/geosolutions_it
> -------------------------------------------------------
>
> With reference to the legislation on the processing of personal data (EU Reg.
> 2016/679 - General Data Protection Regulation "GDPR"), please note that every
> circumstance pertaining to this email (its content, any attachments, etc.) is
> information whose knowledge is reserved to the sole recipient(s) indicated by
> the sender. If the message has reached you by mistake, you are required to
> delete it; any other operation is unlawful. I would in any case be grateful
> if you could let me know.
>
> This email is intended only for the person or entity to which it is
> addressed and may contain information that is privileged, confidential or
> otherwise protected from disclosure. We remind that - as provided by
> European Regulation 2016/679 “GDPR” - copying, dissemination or use of this
> e-mail or the information herein by anyone other than the intended
> recipient is prohibited. If you have received this email by mistake, please
> notify us immediately by telephone or e-mail.
>