Support Article
AppScan report displays Clickjacking or Cross-Frame Scripting
SA-72605
Summary
An AppScan security scan reports a Clickjacking or Cross-Frame Scripting vulnerability against the application.
Error Messages
It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations
Steps to Reproduce
Run the AppScan security scanner against the application.
Root Cause
The Content-Security-Policy and X-Frame-Options response headers were not set on the target URL, so a browser will allow the page to be framed by another site.
Resolution
Perform the following local change:
Create or update the Dynamic System Setting (DSS) below so that both anti-framing headers are sent with every response:
Owning ruleset: Pega-RuleEngine
Setting purpose: http/responseHeaders
Value: {"X-Frame-Options":"SAMEORIGIN", "Content-Security-Policy": "frame-ancestors 'self';"}
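As an added example (not part of this article or of Pega's code), the Python check below parses the DSS value above into headers and classifies the anti-framing posture of a response, so the fix can be verified against captured headers; the extra header samples are constructed.

```python
"""Classify whether a set of HTTP response headers restricts framing."""
import json

# The DSS value from this article, used here as constructed sample input.
DSS_RESPONSE_HEADERS = (
    '{"X-Frame-Options":"SAMEORIGIN", '
    '"Content-Security-Policy": "frame-ancestors \'self\';"}'
)


def headers_from_dss(value: str) -> dict:
    """Parse the http/responseHeaders DSS JSON into a header-name -> value map.
    Header names are case-insensitive, so they are lower-cased here."""
    return {k.lower(): v for k, v in json.loads(value).items()}


def csp_frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_protection(headers: dict) -> str:
    """Classify the anti-framing posture of a response.

    Returns one of:
      'csp'  - CSP frame-ancestors restricts framing (preferred by modern browsers)
      'xfo'  - only X-Frame-Options DENY/SAMEORIGIN restricts framing
      'weak' - X-Frame-Options present but with an obsolete/unsupported value
      'none' - neither header restricts framing (the condition AppScan flags)
    """
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = csp_frame_ancestors(h.get("content-security-policy", ""))
    # A source list of just '*' permits any origin to frame the page.
    if ancestors is not None and ancestors != ["*"]:
        return "csp"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    if xfo:
        return "weak"  # e.g. ALLOW-FROM, which current browsers ignore
    return "none"
```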
Published March 8, 2019 - Updated October 8, 2020