How do I set X-Frame-Options as response header in angularJS?

pix1289 · Oct 26, 2016 · Viewed 27.9k times

I receive the X-Frame-Options header in the response from the API, but as I understand it, in order to prevent the clickjacking attack I need to add it in the UI code. The UI code (written in AngularJS) is deployed on a Tomcat (version 7.0.72) server. I tried adding the filter below in the web.xml of my application.

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>DENY</param-value>
    </init-param>
</filter>

Yet, I can't see the headers being added. Can someone please help me figure out the solution?

Answer

pix1289 · Oct 27, 2016

I found the solution. The X-Frame-Options response header needs to be added via web.xml on the Tomcat server. The filter-mapping was missing in my web.xml, hence the headers were not getting added. For anyone else who might face this issue, I am posting the lines from web.xml here:

<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>DENY</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<welcome-file-list>
    <welcome-file>index.html</welcome-file>
</welcome-file-list>

With this, the following headers get added:
• X-Frame-Options
• X-Content-Type-Options
• X-XSS-Protection

If you don't specify values for each of these headers, the default value for each will be set. You can find the default values in the Tomcat server docs.
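The answer above fixes the configuration, but the only way to know the filter is really applied to every response is to look at what the server actually sends. The script below is an added example, not part of the question or answer: it parses a raw HTTP response (captured with something like `curl -i` and pasted in), checks whether it carries a framing restriction that browsers honour (a single X-Frame-Options header set to DENY or SAMEORIGIN, or a Content-Security-Policy frame-ancestors directive), and lists which of the three headers the Tomcat filter is expected to add are still missing. The two sample responses are constructed to mirror the "before" (no filter-mapping) and "after" states described in the thread; the Server and X-XSS-Protection values in them are illustrative.

```python
"""Check a captured HTTP response for clickjacking protection headers.

Added example, not from the original question or answer. It assumes the
response was captured as raw text (e.g. `curl -i https://host/app/`) and
pasted in; the sample responses at the bottom are constructed.
"""
from typing import Dict, List, Optional, Tuple

# X-Frame-Options values current browsers honour. ALLOW-FROM is obsolete
# and ignored by modern browsers, so it counts as unprotected here.
VALID_XFO = {"DENY", "SAMEORIGIN"}

# Headers the Tomcat HttpHeaderSecurityFilter adds, per the answer above.
TOMCAT_FILTER_HEADERS = ("x-frame-options", "x-content-type-options", "x-xss-protection")


def parse_raw_response(raw: str) -> Tuple[int, Dict[str, List[str]]]:
    """Split a raw HTTP/1.x response into (status code, header multimap).

    Header names are lower-cased; repeated headers are kept as a list so
    that duplicates (a common misconfiguration) can be detected.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def csp_frame_ancestors(headers: Dict[str, List[str]]) -> Optional[str]:
    """Return the value of the CSP frame-ancestors directive, if present."""
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return " ".join(parts[1:])
    return None


def check_framing_protection(headers: Dict[str, List[str]]) -> dict:
    """Decide whether third-party pages can frame this response.

    Returns the X-Frame-Options value seen, the CSP frame-ancestors value
    seen, an overall `protected` flag and a list of readable issues.
    """
    issues = []
    xfo_values = headers.get("x-frame-options", [])
    xfo = xfo_values[0].upper() if xfo_values else None

    if len(xfo_values) > 1:
        issues.append("multiple X-Frame-Options headers; browsers may ignore conflicting values")
    if xfo is not None and xfo not in VALID_XFO:
        issues.append(f"unsupported X-Frame-Options value {xfo!r}")

    ancestors = csp_frame_ancestors(headers)
    xfo_ok = xfo in VALID_XFO and len(xfo_values) == 1
    csp_ok = ancestors is not None
    if not xfo_ok and not csp_ok:
        issues.append("no framing restriction: add X-Frame-Options or CSP frame-ancestors")

    return {
        "x_frame_options": xfo,
        "frame_ancestors": ancestors,
        "protected": xfo_ok or csp_ok,
        "issues": issues,
    }


def missing_filter_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Headers the Tomcat filter should have added but that are absent."""
    return [h for h in TOMCAT_FILTER_HEADERS if h not in headers]


# Constructed sample: what the asker saw before the filter-mapping existed.
RESPONSE_WITHOUT_FILTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the response once the filter is mapped to /*.
RESPONSE_WITH_FILTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("before", RESPONSE_WITHOUT_FILTER), ("after", RESPONSE_WITH_FILTER)):
        status, hdrs = parse_raw_response(raw)
        print(label, status, check_framing_protection(hdrs),
              "missing:", missing_filter_headers(hdrs))
```

Run it against a captured response from each path of the deployed app (the welcome page, a deep link, an error page): a filter mapped to `/*` should produce an empty "missing" list everywhere, and a non-empty one points at a path the mapping does not cover or a response written before the filter chain runs.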