KB45721 - ICS: X-Frame-Option Header not available in HTTPS 404 response



Last Modified Date: 1/23/2023 4:39 PM
This article confirms that the X-Frame-Options header is not mandatory for the ICS 404 response.
Problem or Goal
During a vulnerability assessment of ICS, the X-Frame-Options header is reported as not present in the 404 response.
KB45328 describes how to defend PCS against clickjacking. Enabling X-Frame-Options protection in ICS under System > Configuration > Security > Miscellaneous > X-Frame-Options protection adds the X-Frame-Options header to all ICS-generated pages. Even with this option enabled, the header is not present in the 404 response.

The ICS default 404 page is hard-coded in ICS and does not contain any content that could lead to a clickjacking risk. Likewise, it is not possible to customize the 404 response page. Hence, the X-Frame-Options header was made "Not Mandatory" for the 404 response URL.

If your company security policy requires X-Frame-Options to be "Mandatory", there is an alternative way to make ICS send X-Frame-Options in the 404 response header. Under System > Configuration > Security > Advanced > Custom HTTP Headers, configure X-Frame-Options with the value SAMEORIGIN, then click Add and Save Changes.


The custom header above forces ICS to send the X-Frame-Options header in the 404 response.
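One way to confirm the result after the change, as an added example that is not part of the original article or Ivanti's tooling: it classifies the X-Frame-Options header of each response, run here over constructed sample responses. The function names and the `host`/`path` arguments of `check_live` are assumptions, intended for an appliance you administer.

```python
import http.client
import ssl

VALID = {"DENY", "SAMEORIGIN"}

def xfo_verdict(header_pairs):
    """Classify X-Frame-Options from (name, value) pairs; names are case-insensitive."""
    values = set()
    for name, value in header_pairs:
        if name.strip().lower() == "x-frame-options":
            # Repeated headers and comma-joined values are merged before judging.
            values.update(p.strip().upper() for p in value.split(",") if p.strip())
    if not values:
        return "missing"
    if len(values) > 1:
        return "conflicting"
    return "ok" if values <= VALID else "invalid"

def parse_raw(raw):
    """Split a raw HTTP response head into (status, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    pairs = [tuple(line.split(":", 1)) for line in head[1:] if ":" in line]
    return status, pairs

def check_live(host, path, port=443):
    """Fetch one path (e.g. a non-existent URL) and return (status, verdict)."""
    conn = http.client.HTTPSConnection(host, port, timeout=10,
                                       context=ssl.create_default_context())
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, xfo_verdict(resp.getheaders())
    finally:
        conn.close()

# Constructed sample responses (not captured from a real appliance).
SAMPLES = {
    "404 without custom header": "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n",
    "404 with custom header": "HTTP/1.1 404 Not Found\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
    "200 with two values": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nx-frame-options: SAMEORIGIN\r\n\r\n",
}

def audit(samples=SAMPLES):
    """Return {label: (status, verdict)} for each raw response."""
    return {label: (parse_raw(raw)[0], xfo_verdict(parse_raw(raw)[1]))
            for label, raw in samples.items()}

if __name__ == "__main__":
    for label, (status, verdict) in audit().items():
        print(f"{label}: HTTP {status} -> X-Frame-Options {verdict}")
```

A "conflicting" verdict on a normal page is worth reviewing after adding the custom header, since the response then carries more than one distinct X-Frame-Options value.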

Created By: Malcolm Stephen
