KB45721 - ICS: X-Frame-Option Header not available in HTTPS 404 response

This article confirm X-Frame Option is not mandatory for ICS 404 response

During vulnerability assessment on ICS, we would see X-Frame Option header not present for 404 response.

KB45328 describes on how to defend PCS against click-jacking. Enabling X-Frame-Options Protection in ICS under: System >  Configuration > Security > Miscellaneous > X-Frame-Options protection will enable the X-Frame header for all the ICS generated pages. Inspite of having it enabled, we would not be able to find the header for 404 response.


 

ICS default 404 Page is hard-coded in ICS and does not contain any content which can lead to clickjacking risk. Likewise, it is impossible to customize the 404 response page. Hence, it was made as "Not Mandatory" to have X-Frame-Options header for the 404 response URL.

If you need the X-Frame-Options as a "Mandatory" as per individual company security policy, then we have an alternative option to make ICS respond with X-Frame in 404 response header. Under System >> Configuration >> Security >> Advanced >> Custom HTTP Headers configure X-Frame-Options with SAMEORIGIN >> Add and Save changes:
 

Above custom option will enforce ICS to send X-Frame Option header in 404 response.