Forum Discussion

Jake_N's avatar
Jake_N
Mentor
8 years ago

Stop Click-jacking Security

Hey Everyone,

I am posting this before I raise a support ticket wondering if I am able to stop other domains from loading my communities content/page in an iframe.

I have had a look around and can find reference to ActiveCast widgets and disabling/enabling CSP (Content Security Policy).

 

I know that I need to enable/add either or both of the below:

  • Content-Security-Policy: frame-ancestors 'none';
  • X-Frame-Options

https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

 

Any help would be appreciated or just let me know if I should raise a ticket.

  • Hi Jake_N,

     

    Yes, if you reach out to support we can enable it. I've actually gone ahead and enabled it for your community live.

4 Replies

  • Interesting topic, can't really help you out with any information though but would definitely be interested in the answer from support if you open a case =), please re-post if you get one!

  • KrisS's avatar
    KrisS
    Khoros Alumni (Retired)
    8 years ago

    Hi Jake_N,

     

    Yes, if you reach out to support we can enable it. I've actually gone ahead and enabled it for your community live.

  • GlennD's avatar
    GlennD
    Maven
    7 years ago

    Hi KrisS

    Is this a site-wide setting or can it be enabled for specific pages/elements?

    Thanks

    Glenn

  • KrisS's avatar
    KrisS
    Khoros Alumni (Retired)
    7 years ago

    GlennD it covers the entire community. If the concern is external pages, we do have the option to white list FQDNs.