
This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

AppScan report displays Clickjacking or Cross-Frame Scripting

SA-72605

Summary



An AppScan security scan reports a Cross-Frame Scripting (clickjacking) vulnerability against the application URL.


Error Messages



It is possible to gather sensitive information about the web application such as usernames, passwords, machine name and/or sensitive file locations.


Steps to Reproduce



Run the AppScan security scanner against the application URL.


Root Cause



The Content-Security-Policy and X-Frame-Options response headers were not defined on the target URL, so the page could be embedded in a frame by any origin.


Resolution



Perform the following local change:

Create the following Dynamic System Setting (DSS):

Owning ruleset: Pega-RuleEngine
Setting purpose: http/responseHeaders
Value: {"X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "frame-ancestors 'self';"}

With this setting, both headers are added to every HTTP response, restricting framing to pages from the same origin.
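To verify the change after it is applied, the following script (an added example, not Pega's own code) parses the DSS value above and classifies the framing protection it provides; `fetch_and_check` applies the same logic to a live URL, and the example URL it uses is a placeholder.

```python
"""Evaluate whether HTTP response headers restrict framing (clickjacking defence).

Added example, not Pega code. It checks the header values emitted by the
http/responseHeaders DSS above.
"""
import json
import urllib.request

# The DSS value from the resolution above (constructed copy for this example).
DSS_VALUE = ('{"X-Frame-Options": "SAMEORIGIN", '
             '"Content-Security-Policy": "frame-ancestors \'self\';"}')


def parse_frame_ancestors(csp: str):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_protection(headers: dict) -> dict:
    """Classify framing protection from response headers (names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    xfo = lowered.get("x-frame-options", "").strip().upper()
    ancestors = parse_frame_ancestors(lowered.get("content-security-policy", ""))
    result = {"x_frame_options": xfo or None, "frame_ancestors": ancestors}
    if ancestors is not None:
        # Browsers that support frame-ancestors give it precedence over X-Frame-Options;
        # a wildcard source list allows framing from anywhere.
        result["protected"] = "*" not in ancestors
        result["source"] = "csp"
    elif xfo in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM is deprecated and ignored by current browsers, so it does not count.
        result["protected"] = True
        result["source"] = "x-frame-options"
    else:
        result["protected"] = False
        result["source"] = None
    return result


def check_dss_value(value: str = DSS_VALUE) -> dict:
    """Evaluate the headers the DSS JSON value will emit."""
    return framing_protection(json.loads(value))


def fetch_and_check(url: str = "https://pega.example.invalid/prweb/") -> dict:
    """Fetch a URL (placeholder shown) and classify its real response headers."""
    with urllib.request.urlopen(url) as resp:  # network call; not run by the test
        return framing_protection(dict(resp.headers.items()))
```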




Published March 8, 2019 - Updated October 8, 2020
