author: Pavel Vomacka <pvomacka@redhat.com> 2016-03-10 18:32:50 +0100
committer: Petr Vobornik <pvoborni@redhat.com> 2016-04-15 15:44:44 +0200
commit: 6eb174c5e72e4a4b60cbd61a666fbe90d01e46bb (patch)
tree: e405772d36a681104bacf08bcaf25c165c434c3a /install/conf
parent: c06117279212ec3f76762c633c0215c6d8a377e8 (diff)
Add X-Frame-Options and frame-ancestors options
These two options allow preventing clickjacking attacks. They don't allow opening FreeIPA in a frame, iframe or object element.

https://fedorahosted.org/freeipa/ticket/4631

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
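The following is an added example, not FreeIPA code, showing how a browser decides whether a response may be framed once these two headers are present. It follows the order the HTML specification uses: an enforced `Content-Security-Policy` `frame-ancestors` directive wins outright, and `X-Frame-Options` is consulted only when no such directive exists. It also models what happens when a response ends up carrying several `X-Frame-Options` values (which is exactly what Apache's `Header append` produces if the header was already set): `DENY` among the values still blocks, but any other combination is ignored. The header sets, origins and the `framing_allowed` function name are constructed for the example; CSP host-source matching is deliberately simplified to exact origins, `'self'`, `'none'`, `*` and scheme sources.

```python
"""Decide whether a browser would render a response inside a frame.

Added illustration (not FreeIPA's code): evaluates X-Frame-Options and the
CSP frame-ancestors directive the way current browsers do, on a list of
(name, value) header tuples so repeated headers are visible.
"""
from typing import Iterable, List, Optional, Tuple

Headers = Iterable[Tuple[str, str]]


def _header_values(headers: Headers, name: str) -> Optional[List[str]]:
    """Collect every instance of `name` (case-insensitive), comma-join them as
    HTTP does for repeated fields, and split back into individual members."""
    raw = [v for n, v in headers if n.lower() == name.lower()]
    if not raw:
        return None
    return [m.strip() for m in ",".join(raw).split(",") if m.strip()]


def _frame_ancestor_lists(headers: Headers) -> Optional[List[List[str]]]:
    """Source lists of enforced frame-ancestors directives, one per policy.
    Report-only policies never block, so only Content-Security-Policy counts."""
    policies = _header_values(headers, "Content-Security-Policy") or []
    found = []
    for policy in policies:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                found.append(tokens[1:])
                break  # only the first occurrence of a directive in a policy counts
    return found or None


def _source_matches(source: str, ancestor: str, own_origin: str) -> bool:
    """Simplified CSP source matching (assumption: ancestors are given as
    scheme://host[:port] origins; host wildcards are not implemented)."""
    s = source.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return ancestor == own_origin
    if s == "*":
        return True
    if s.endswith(":"):  # scheme-source such as https:
        return ancestor.startswith(s + "//")
    return ancestor == s


def framing_allowed(headers: Headers, own_origin: str,
                    ancestor_origins: List[str]) -> bool:
    """True if the document would be displayed inside the given ancestor frames.

    An empty ancestor list means a top-level navigation, to which neither
    header applies.
    """
    if not ancestor_origins:
        return True
    source_lists = _frame_ancestor_lists(headers)
    if source_lists is not None:
        # CSP frame-ancestors takes precedence; every ancestor must match
        # every enforced policy, and X-Frame-Options is ignored entirely.
        return all(any(_source_matches(src, anc, own_origin) for src in sources)
                   for sources in source_lists for anc in ancestor_origins)
    xfo = _header_values(headers, "X-Frame-Options")
    if xfo is None:
        return True
    values = {v.lower() for v in xfo}
    if len(values) > 1:
        # Several distinct values (e.g. from `Header append`): the HTML spec
        # blocks when DENY (or the legacy tokens) is among them and otherwise
        # discards the header altogether.
        return not values & {"deny", "allowall", "invalid"}
    (value,) = values
    if value == "deny":
        return False
    if value == "sameorigin":
        return all(anc == own_origin for anc in ancestor_origins)
    return True  # ALLOW-FROM and unknown tokens are ignored by current browsers


# Constructed header set matching what the ipa.conf change emits.
IPA_HEADERS = [
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
]

if __name__ == "__main__":
    ipa = "https://ipa.example.test"
    print(framing_allowed(IPA_HEADERS, ipa, ["https://attacker.example"]))  # False
    print(framing_allowed(IPA_HEADERS, ipa, [ipa]))                         # False
    print(framing_allowed([("X-Frame-Options", "SAMEORIGIN, ALLOW-FROM https://x.example")],
                          ipa, ["https://attacker.example"]))               # True
```

The last call in the usage block is the case worth remembering: a merged `SAMEORIGIN, ALLOW-FROM ...` value contains no `DENY`, so the header is silently ignored and the page can be framed from anywhere; sending the CSP `frame-ancestors` directive alongside, as this commit does, removes that dependency on `X-Frame-Options` parsing.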
Diffstat (limited to 'install/conf')
-rw-r--r--  install/conf/ipa.conf  4
1 files changed, 3 insertions, 1 deletions
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 8d4fea35e..cf10fc815 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
#
-# VERSION 19 - DO NOT REMOVE THIS LINE
+# VERSION 20 - DO NOT REMOVE THIS LINE
#
# This file may be overwritten on upgrades.
#
@@ -71,6 +71,8 @@ WSGIScriptReloading Off
ErrorDocument 401 /ipa/errors/unauthorized.html
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
+ Header always append X-Frame-Options DENY
+ Header always append Content-Security-Policy "frame-ancestors 'none'"
</Location>
# Turn off Apache authentication for sessions
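Review bot: `Header always append` on the two added lines merges with any value already present on the response instead of replacing it, so if the WSGI application or another mod_headers directive ever emits its own X-Frame-Options, the client receives a comma-joined value such as `DENY, SAMEORIGIN`; X-Frame-Options defines no list syntax and such merged values are not reliably honoured, so `Header always set X-Frame-Options DENY` expresses the unconditional intent better. For Content-Security-Policy, `append` is harmless because a second policy can only tighten the result, but `set` would keep the two directives consistent. Keeping `always` is right: the `ErrorDocument 401 /ipa/errors/unauthorized.html` response in this same Location is a non-2xx response that a plain `Header` directive would leave without the protection.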