Jump to content
Welcome to our new Citrix community!

Resources to solve CWE-693 for Citrix Storefront

Pearson VUE ATS

Recommended Posts

During a security scan they identified Citrix Storefront in violation of CWE-693 at the IIS level.  The recommended fix is to add X-frame-Options within the site  in IIS.   When this is implemented StoreFront throws an internal 500 Error, site functions if this is removed.   The articles I've found to implement a fix are around Netscaler.  We are running StoreFront, Version:, running on Windows 2012 R2.


Any recommendations to address this in StoreFront or a better source of information to fix it there.


Thanks in advance.

Link to comment
Share on other sites

So think I'll follow https://support.citrix.com/article/CTX236508 and looks like I'll only need to run the following as it notes in the article to only add what is missing:


add rewrite action insert_x-frame-options_act insert_http_header X-Frame-Options "\"SAMEORIGIN\""


add rewrite policy insert_x-frame-options_pol "is_management_ip && http.RES.HEADER(\"X-Frame-Options\").EXISTS.NOT" insert_x-frame-options_act


bind rewrite global insert_x-frame-options_pol 4 next -type RES_DEFAULT


Apologize for the newbie like state here, but want to ensure I'm reading this correctly.


Thanks in advance

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...