Adobe 38043740 Lockdown Guide - Page 82
6.11 Adding ClickJacking Protection
ColdFusion 10 includes two new Servlet Filters, CFClickJackFilterDeny and CFClickJackFilterSameOrigin. When a URL is mapped to one of these filters, the X-Frame-Options HTTP header is returned with a value of DENY or SAMEORIGIN. You can add a filter-mapping in web.xml to enable these filters for a given URI. The same protection could also be applied at the web server level.
6.12 Security Constraints in web.xml
The servlet container (Tomcat) can enforce certain security constraints to ensure that a given URI is secured, or to limit certain URIs to HTTP POST over a secure (SSL) connection:
<security-constraint>
    <display-name>POST SSL</display-name>
    <web-resource-collection>
        <web-resource-name>POST ONLY SSL</web-resource-name>
        <url-pattern>/post/*</url-pattern>
        <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <display-name>POST ONLY</display-name>
    <web-resource-collection>
        <web-resource-name>BLOCK NOT POST</web-resource-name>
        <url-pattern>/post/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>HEAD</http-method>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
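As an added example that is not part of the guide, the following Python script parses the two constraints above (embedded as a constructed web.xml fragment) and evaluates a request the way the container would: a POST to /post/* over plain HTTP is redirected to HTTPS, a GET is rejected by the empty auth-constraint, and a method listed in neither collection (OPTIONS, for instance) is left uncovered, which is worth checking before relying on such a constraint. The function names and the "allow" / "deny" / "redirect-to-https" labels are the example's own.

```python
# Evaluates a request against web.xml <security-constraint> rules as a servlet container does.
import xml.etree.ElementTree as ET

# Constructed sample: the two constraints from this section, wrapped in <web-app>.
WEB_XML = """<web-app>
 <security-constraint><display-name>POST SSL</display-name>
  <web-resource-collection><web-resource-name>POST ONLY SSL</web-resource-name>
   <url-pattern>/post/*</url-pattern><http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
 </security-constraint>
 <security-constraint><display-name>POST ONLY</display-name>
  <web-resource-collection><web-resource-name>BLOCK NOT POST</web-resource-name>
   <url-pattern>/post/*</url-pattern><http-method>GET</http-method><http-method>HEAD</http-method>
   <http-method>PUT</http-method><http-method>DELETE</http-method><http-method>TRACE</http-method>
  </web-resource-collection><auth-constraint/>
 </security-constraint>
</web-app>"""

def url_matches(pattern, path):
    """Servlet url-pattern matching: exact path, '/prefix/*', or '*.ext'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def load_constraints(xml_text):
    """Parse each <security-constraint> into (patterns, methods, transport, deny_all)."""
    rules = []
    for sc in ET.fromstring(xml_text).findall("security-constraint"):
        wrc = sc.find("web-resource-collection")
        patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
        methods = {m.text.strip().upper() for m in wrc.findall("http-method")}
        transport = sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip()
        auth = sc.find("auth-constraint")
        # An empty <auth-constraint/> names no role, which rejects every caller.
        deny_all = auth is not None and auth.find("role-name") is None
        rules.append((patterns, methods, transport, deny_all))
    return rules

def check_request(rules, method, path, secure):
    """Return 'allow', 'redirect-to-https' or 'deny' for one request."""
    hits = [r for r in rules if any(url_matches(p, path) for p in r[0])
            and (not r[1] or method.upper() in r[1])]  # unlisted methods are uncovered
    if any(r[2] in ("CONFIDENTIAL", "INTEGRAL") for r in hits) and not secure:
        return "redirect-to-https"
    return "deny" if any(r[3] for r in hits) else "allow"
```

Call `check_request(load_constraints(WEB_XML), "OPTIONS", "/post/form.cfm", True)` to see that neither constraint covers the unlisted method; replace `WEB_XML` with the contents of a deployed web.xml to audit it.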