
ClickJacking Policy


Sudhir Bhagat


Hi, 

We have a requirement to configure CLICKJACKING on NetScaler ADC for the condition below.

On HTTP response: if the "xyz.co" HTTP header exists, then replace the X-Frame-Options header with "DENY".

Here xyz.co can also be an IP address.

I referred to some articles but was not able to find the relevant one; I noticed a common thing, that all those articles refer to or relate X-Frame-Options to Citrix Gateway. However, in our scenario we have a normal load-balancing virtual server.


Hi Sudhir,

If I understand your requirement correctly, you would like to replace the X-Frame-Options header with DENY. This should happen when the domain "xyz.co" or a specified IP address is called.

If you have more than a few domains or IP addresses, you can use a patternset. I think this patternset could include both; otherwise we have to create a second one and change the expressions.


1. Create Patternset:

add policy patset pattset_HTTP_HEADER_X_Frame_Options_DENY
bind policy patset pattset_HTTP_HEADER_X_Frame_Options_DENY www.mydomain.com -index 1
bind policy patset pattset_HTTP_HEADER_X_Frame_Options_DENY 192.168.1.100 -index 2


2. Create Rewrite Action and Rewrite Policy - used when the X-Frame-Options header already exists in the response and when the requested domain/IP is found in the patternset:

add rewrite action act_rw_REPLACE_HTTP_HEADER_X-Frame-Options_DENY replace "HTTP.RES.HEADER(\"X-Frame-Options\")" "\"DENY\""
add rewrite policy pol_rw_REPLACE_HTTP_HEADER_X-Frame-Options_DENY "HTTP.REQ.HOSTNAME.EQUALS_ANY(\"pattset_HTTP_HEADER_X_Frame_Options_DENY\") && HTTP.RES.HEADER(\"X-Frame-Options\").EXISTS" act_rw_REPLACE_HTTP_HEADER_X-Frame-Options_DENY


3. Create Rewrite Action and Rewrite Policy - used when the X-Frame-Options header doesn't exist and when the requested domain/IP is found in the patternset. This will catch responses where the backend doesn't send the header, because of misconfiguration for example:

add rewrite action act_rw_INSERT_HTTP_HEADER_X-Frame-Options_DENY insert_http_header X-Frame-Options "\"DENY\""
add rewrite policy pol_rw_INSERT_HTTP_HEADER_X-Frame-Options_DENY "HTTP.REQ.HOSTNAME.EQUALS_ANY(\"pattset_HTTP_HEADER_X_Frame_Options_DENY\") && HTTP.RES.HEADER(\"X-Frame-Options\").EXISTS.NOT" act_rw_INSERT_HTTP_HEADER_X-Frame-Options_DENY


4. Bind your Rewrite Policy(ies) to your Virtual Server or Content Switch. Give the Replace policy a higher priority (lower number) than the Insert policy.

I didn't test it, but it should work!


Best regards,

Jens

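Added example, not part of Jens's answer or any NetScaler code: a small Python model of the two policies above (patset match, EXISTS versus EXISTS.NOT) so the expected result for a given backend response can be checked before the policies are bound. The patset entries and the response headers are constructed sample values.

```python
"""Offline model of the replace/insert rewrite policies for X-Frame-Options.

Constructed example: it reproduces the decision logic of the two policies
(hostname in patset, header EXISTS / EXISTS.NOT) on sample responses, so a
practitioner can see which policy fires and what the client receives.
"""

# Patset entries from step 1 (constructed sample values).
PATSET = {"www.mydomain.com", "192.168.1.100"}


def hostname_in_patset(host: str) -> bool:
    """Model of HTTP.REQ.HOSTNAME.EQUALS_ANY(patset); case-insensitive."""
    return host.lower() in {p.lower() for p in PATSET}


def find_header(headers, name):
    """Index of a header by case-insensitive name, or -1 if absent."""
    for i, (k, _) in enumerate(headers):
        if k.lower() == name.lower():
            return i
    return -1


def apply_rewrite(host, headers):
    """Evaluate the replace policy (higher priority) and then the insert policy.

    headers: list of (name, value) tuples as sent by the backend.
    Returns (rewritten headers, name of the policy that fired or None).
    The two policy conditions are mutually exclusive, so at most one fires.
    """
    headers = list(headers)
    if not hostname_in_patset(host):
        return headers, None                      # host not in patset: untouched
    idx = find_header(headers, "X-Frame-Options")
    if idx >= 0:                                  # ...EXISTS -> replace action
        headers[idx] = (headers[idx][0], "DENY")
        return headers, "pol_rw_REPLACE_HTTP_HEADER_X-Frame-Options_DENY"
    headers.append(("X-Frame-Options", "DENY"))   # ...EXISTS.NOT -> insert action
    return headers, "pol_rw_INSERT_HTTP_HEADER_X-Frame-Options_DENY"


def xfo(headers):
    """Value of X-Frame-Options in a header list, or None if absent."""
    idx = find_header(headers, "X-Frame-Options")
    return headers[idx][1] if idx >= 0 else None


if __name__ == "__main__":
    backend = [("Content-Type", "text/html"), ("x-frame-options", "SAMEORIGIN")]
    print(apply_rewrite("www.mydomain.com", backend))
```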
