Question & Answer
Question
After a security scan on the Inspector or webreport UI, our scan revealed a vulnerability to Clickjacking by using the X-Frame-Options header. The guidance was along the lines of: "To protect against Clickjacking, it is recommended that any page that contains forms which require a user to enter sensitive information use the X-Frame-Options header set to either DENY or SAMEORIGIN."
Cause
There are three possible values for the X-Frame-Options header:
1. DENY, which prevents any domain from framing the content. The "DENY" setting is recommended unless a specific need has been identified for framing.
2. SAMEORIGIN, which only allows the current site to frame the content.
3. ALLOW-FROM uri, which permits only the specified 'uri' to frame this page (e.g., ALLOW-FROM http://www.example.com). Note that this value fails open: a browser that does not support ALLOW-FROM ignores the header entirely and allows framing.
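The following is an added example, not code from this technote or from the product: it models how a browser applies each of the three values above (including the ALLOW-FROM fail-open case) and how a scanner would classify a response. The page, portal and attacker origins and the sample response headers are constructed; in practice ALLOW-FROM is not supported by current browsers (Chrome and Safari never implemented it and Firefox removed it), so only DENY and SAMEORIGIN give reliable protection.

```python
# Added example: evaluate an X-Frame-Options value the way a browser does and
# audit a response for the scanner finding described above. Not product code.
from urllib.parse import urlsplit

def _origin(url: str) -> str:
    """scheme://host[:port], lower-cased, which is what same-origin checks compare."""
    parts = urlsplit(url.strip())
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"

def framing_allowed(header, page_url, top_url, supports_allow_from=False):
    """Return (allowed, reason) for page_url embedded in a frame whose top-level
    document is top_url. header is the X-Frame-Options value, or None if absent."""
    fields = header.strip().split(None, 1) if header is not None else []
    if not fields:
        return True, "header absent or empty: any site may frame the page"
    token = fields[0].upper()
    if token == "DENY":
        return False, "DENY: framing refused for every origin"
    if token == "SAMEORIGIN":
        same = _origin(page_url) == _origin(top_url)
        return same, "SAMEORIGIN: " + ("same-origin frame allowed" if same else "cross-origin frame refused")
    if token == "ALLOW-FROM":
        if not supports_allow_from:
            # A browser without ALLOW-FROM support ignores the whole header.
            return True, "ALLOW-FROM not supported by this browser: header ignored (fails open)"
        allowed = len(fields) == 2 and _origin(fields[1]) == _origin(top_url)
        return allowed, "ALLOW-FROM: " + ("listed origin allowed" if allowed else "origin not listed, frame refused")
    # Unknown tokens are ignored by browsers, so they protect nothing.
    return True, f"unrecognised value {header!r}: header ignored (fails open)"

def audit_response(headers):
    """Scanner-style finding for one response (header names matched case-insensitively)."""
    value = {k.lower(): v for k, v in headers.items()}.get("x-frame-options")
    if value is None or not value.strip():
        return "MISSING: add X-Frame-Options: DENY, or SAMEORIGIN if the UI frames itself"
    token = value.strip().split(None, 1)[0].upper()
    if token in ("DENY", "SAMEORIGIN"):
        return f"OK: X-Frame-Options is {token}"
    if token == "ALLOW-FROM":
        return "WEAK: ALLOW-FROM fails open in browsers that do not support it"
    return f"INVALID: {value!r} is not a recognised X-Frame-Options value"

# Constructed sample responses: a UI served without and with the header.
UNPROTECTED = {"Content-Type": "text/html", "Set-Cookie": "JSESSIONID=constructed"}
PROTECTED = {"Content-Type": "text/html", "x-frame-options": "SAMEORIGIN"}

if __name__ == "__main__":
    for name, hdrs in (("unprotected", UNPROTECTED), ("protected", PROTECTED)):
        print(name, "->", audit_response(hdrs))
    print(framing_allowed("ALLOW-FROM https://portal.example",
                          "https://mdm.example/inspector", "https://portal.example"))
```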
Answer
We use our own security scan, AppScan in Application mode, and it does not treat this as a vulnerability. Some customers use an iframe to integrate Inspector with their own portal, so we do not disable it by default. If you would like to have that, it should be an enhancement request. Link to RFE Community: http://www.ibm.com/developerworks/rfe/
Creating and Managing Enhancement Requests: http://www-01.ibm.com/support/docview.wss?uid=swg21298482
Product Synonym
MDM;MDM AE;MDM SE;Master Data Management;Master Data Management Advanced Edition;Master Data Management Standard Edition;Hybrid Master Data Management;hybrid MDM;virtual MDM;virtual Master Data Management;physical MDM;physical Master Data Management
Document Information
Modified date:
27 April 2022
UID
swg21988481