ClickJacking Policy

Sudhir Bhagat

We have a requirement to configure CLICKJACKING on NetScaler ADC for the below condition.


In the HTTP response: if the "xyz.co" HTTP header exists, then replace the header X-Frame-Options with "DENY".


Here xyz.co can also be an IP address.


I have been referring to some articles but was not able to find a relevant one. I noticed one common thing: all of those articles relate X-Frame-Options to Citrix Gateway. However, in our scenario we have a normal load-balancing virtual server.


Hi Sudhir,

if I understand your requirement correctly, you would like to replace the X-Frame-Options Header with DENY. This should happen when Domain "xyz.co" or a specified IP Address is called.


If you have more than a few Domains or IP Addresses, you can use a patternset. I think this patternset could include both, otherwise we have to create a second one and change the Expressions.


1. Create Patternset:

add policy patset pattset_HTTP_HEADER_X_Frame_Options_DENY
bind policy patset pattset_HTTP_HEADER_X_Frame_Options_DENY www.mydomain.com -index 1
bind policy patset pattset_HTTP_HEADER_X_Frame_Options_DENY -index 2


2. Create Rewrite Action and Rewrite Policy - used when the X-Frame-Options Header already exists and when the requested Domain/IP is found in the Patternset:

add rewrite action act_rw_REPLACE_HTTP_HEADER_X-Frame-Options_DENY replace "HTTP.RES.HEADER(\"X-Frame-Options\")" "\"DENY\""
add rewrite policy pol_rw_REPLACE_HTTP_HEADER_X-Frame-Options_DENY "HTTP.REQ.HOSTNAME.EQUALS_ANY(\"pattset_HTTP_HEADER_X_Frame_Options_DENY\") && HTTP.RES.HEADER(\"X-Frame-Options\").EXISTS" act_rw_REPLACE_HTTP_HEADER_X-Frame-Options_DENY


3. Create Rewrite Action and Rewrite Policy - used when the X-Frame-Options Header doesn't exist and when the requested Domain/IP is found in the Patternset. This will catch responses where the backend doesn't send the Header because of misconfiguration, for example:

add rewrite action act_rw_INSERT_HTTP_HEADER_X-Frame-Options_DENY insert_http_header X-Frame-Options "\"DENY\""
add rewrite policy pol_rw_INSERT_HTTP_HEADER_X-Frame-Options_DENY "HTTP.REQ.HOSTNAME.EQUALS_ANY(\"pattset_HTTP_HEADER_X_Frame_Options_DENY\") && HTTP.RES.HEADER(\"X-Frame-Options\").EXISTS.NOT" act_rw_INSERT_HTTP_HEADER_X-Frame-Options_DENY


4. Bind your Rewrite Policy(ies) to your Virtual Server or Content Switch. Give the Replace Policy a higher priority (lower number) than the Insert Policy


I didn't test it but it should work!


Best regards,
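
Since the configuration above was posted untested, here is one way to check its outcome once the policies are bound. This is an added example, not part of the thread: it audits response header blocks (for instance, saved `curl -sI` output) against what the replace and insert policies are meant to produce. The host list, the IP address and the sample responses are constructed for illustration.

```python
# Added example: audit responses for the result the two rewrite policies aim for.
# PROTECTED_HOSTS mirrors the pattern set; both entries are constructed values.
PROTECTED_HOSTS = {"www.mydomain.com", "192.0.2.10"}

def parse_headers(raw):
    """Return lower-cased (name, value) pairs from a raw HTTP response header block."""
    pairs = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_xfo(host, raw):
    """Return 'ok', 'skip', or a short description of what is wrong."""
    if host.lower() not in PROTECTED_HOSTS:
        return "skip"  # host is not in the pattern set, so no policy should fire
    values = [v for n, v in parse_headers(raw) if n == "x-frame-options"]
    if not values:
        return "missing"  # the insert policy did not fire
    if len(values) > 1:
        return "duplicate"  # backend sent several headers, or both policies acted
    if values[0].upper() != "DENY":
        return "wrong value: " + values[0]  # the replace policy did not fire
    return "ok"

# Constructed sample responses: (label, requested host, raw header block).
SAMPLES = [
    ("rewritten", "www.mydomain.com",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n\r\n"),
    ("not replaced", "www.mydomain.com",
     "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"),
    ("not inserted", "192.0.2.10",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
    ("two headers", "www.mydomain.com",
     "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nX-Frame-Options: DENY\r\n\r\n"),
    ("other host", "other.example",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
]

def audit(samples):
    """Map each sample label to its check result."""
    return {label: check_xfo(host, raw) for label, host, raw in samples}

if __name__ == "__main__":
    for label, result in audit(SAMPLES).items():
        print(f"{label:14} {result}")
```
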

