Clickjacking is a malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer when they click on seemingly innocuous web pages.
A clickjack takes the form of embedded code or a script that executes without the user's knowledge, i.e. clicking a button performs a different action from the one the user intended.
To configure an Internet Information Services (IIS) server:
- On the OSCE server, open Command Prompt with administrative privilege.
- Execute the following command:
"C:\Windows\System32\inetsrv\appcmd.exe" set config "OfficeScan" -section:httpProtocol "/+customHeaders.[name='X-Frame-Options',value='SAMEORIGIN']"
- Close the command window.
To configure an Apache server:
- On the OSCE server, open the httpd.conf file in the PCCSRV\Apache2\conf directory.
- Add the following information into the httpd.conf file:
#set up response header
Header always append X-Frame-Options SAMEORIGIN
Header set Content-Security-Policy "default-src 'self'"
- Save and close the httpd.conf file.
- Restart the Apache2.2 service.
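One way to verify the result of either procedure, as an added example that is not part of the original article or of Trend Micro's product: paste the header block captured with `curl -I` into this Python checker, which applies the browser-side precedence rules (a Content-Security-Policy `frame-ancestors` directive overrides X-Frame-Options, while the `default-src` policy above does not restrict framing on its own). The sample responses are constructed.

```python
"""Report the framing protection a captured HTTP response carries.

Input is a raw header block as printed by ``curl -I``. The decision follows
the HTML standard's X-Frame-Options processing: CSP frame-ancestors wins,
then X-Frame-Options is evaluated with its multi-value rules.
"""
import re


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw header block into (lowercased name, value) pairs."""
    pairs = []
    for line in raw.splitlines():
        if ":" not in line:          # skips the status line and blank lines
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def framing_protection(raw: str) -> str:
    """Return 'csp', 'deny', 'sameorigin' or 'none' for the response."""
    headers = parse_headers(raw)
    # A CSP frame-ancestors directive makes browsers ignore X-Frame-Options.
    for name, value in headers:
        if name == "content-security-policy" and re.search(
            r"(^|;)\s*frame-ancestors\b", value, re.IGNORECASE
        ):
            return "csp"
    # Collect every X-Frame-Options value (repeated headers and comma lists);
    # identical repeats collapse into one value, as in the browser.
    values = {
        v.strip().lower()
        for name, value in headers if name == "x-frame-options"
        for v in value.split(",") if v.strip()
    }
    if len(values) > 1:
        # Conflicting values: framing is blocked if any known keyword is
        # present; otherwise the header is ignored entirely.
        return "deny" if values & {"deny", "sameorigin", "allowall"} else "none"
    if values == {"deny"}:
        return "deny"
    if values == {"sameorigin"}:
        return "sameorigin"
    return "none"


# Constructed sample: what the Apache configuration above would return.
APACHE_RESPONSE = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Security-Policy: default-src 'self'\r\n"
# Constructed sample: the header appended twice by a duplicated 'Header' line.
DUPLICATE_RESPONSE = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN, SAMEORIGIN\r\n"
# Constructed sample: a server with no framing protection at all.
UNPROTECTED_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
```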