How to prevent clickjacking issue in CF

Abdul L Koyappayil wrote: I created a cfm template with below contents to test clickjacking issue. <html> <head> <title>Clickjack test page</title> </head> <body> <p>Website is vulnerable to clickjacking!</p> <iframe src="https://abcd.rw.xyz.com/mer/nao/app_v4/" width="500" height="500"></iframe> </body> </html> And when I executed this template I was able to click on the "iframe" part. Which indicates that there is a clickjacking issue.Right??.

Right, potentially. However, the question only makes sense if https://abcd.rw.xyz.com/mer/nao/app_v4/ is in your site. For example, if you replace that URL with http://www.google.com, you will find that no content will be displayed. You can interpret this to mean that Google has taken some precautions against clickjacking. I will therefore assume that the site you wish to protect is your own.

Clickjacking involves at least 3 parties: you (the Coldfusion site you wish to protect), the clickjacker (the foreign site that intends using the malicious frames) and the client (the initial target or victim, usually the browser). The attacker's aim is to manipulate the browser into an illegitimate interaction with your site. As the browser is where the vulnerability is, it is also where the defence has to be. That defence is in a form that all browsers understand: headers or Javascript.

Coldfusion has a new security setting especially to counteract clickjacking. It is configured in /WEB-INF/web.xml, and enables ColdFusion to send X-Frame-Options headers to the browser. As the documentation shows, you can enable it on the whole site, or on a per-mapping basis.  For example, the following filter will prevent the kind of clickjacking you mention, for every request to your site:

<filter-mapping>

<filter-name>CFClickJackFilterDeny</filter-name>

<url-pattern>/*</url-pattern>

</filter-mapping>

You could alternatively use Javascript on the pages you wish to protect. For examples, check out the Wikipedia on Framekillers.