Clickjacking is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages.

Clickjacking Protection in Avi Load Balancer

In Avi Load Balancer, clickjacking protection is enabled by default. Clickjacking protection can be deactivated, if required. For instance, the Horizon integration with iframes does not work with the option enabled. You can deactivate the option by logging into the Controller CLI and entering the commands shown below:

$> shell
Login: admin
Password:

: > configure systemconfiguration
: systemconfiguration> portal_configuration
: systemconfiguration:portal_configuration> no enable_clickjacking_protection
: systemconfiguration:portal_configuration> save
: systemconfiguration> save
: > exit
$>

Selective Disabling of Clickjacking Protection

Clickjacking takes many forms. One common example is a malicious site embedding an unsuspecting site within an iframe, effectively displaying the child site through its own page. Preventing this is easy enough with a few response headers from the server. In more complex environments, however, framing may need to be allowed in some cases but not in others.

The following DataScript selectively determines whether the referring site, identified by the Referer header, is allowed to embed this site within an iframe. The list of allowed referers is maintained in a separate string group, which allows for an extensive list that can be updated through the REST API without modifying the DataScript on every change.

The following example involves creating a string group, then creating the DataScript which references the string group:

String Group: Allowed-Referer

http://www.avinetworks.com/
https://avinetworks.com/docs/
https://avinetworks.github.com
https://support.avinetworks.com

DataScript

-- Add to the HTTP Response event
-- Read the Referer header of the request that produced this response
var = avi.http.get_header("referer", avi.HTTP_REQUEST)
if var then
   -- Keep the scheme and host (for example https://support.avinetworks.com) and strip the path.
   -- String group entries must be in exactly this form for the equals() check to match.
   name = string.match(var, "^https?://[^/]+")
   if name then
      val, match = avi.stringgroup.equals("Allowed-Referer", name)
   end
end
if match then
   -- The referring site is allowed to embed this site within an iframe.
   -- X-Frame-Options ALLOW-FROM is only honoured by older browsers; current browsers
   -- rely on the Content-Security-Policy frame-ancestors directive set on the next line.
   avi.http.replace_header("X-Frame-Options", "ALLOW-FROM " .. name)
   avi.http.replace_header("Content-Security-Policy", "frame-ancestors " .. name)
else
   -- The site may not be iframed (also the result when the Referer header is absent)
   avi.http.replace_header("X-Frame-Options", "DENY")
   avi.http.replace_header("Content-Security-Policy", "frame-ancestors 'none'")
end
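As an added example that is not part of the Avi documentation or product code, the following Python models the same Referer-to-header decision offline, so the Allowed-Referer entries can be checked before the DataScript is deployed. The string group contents are copied from the list above; the other Referer values are constructed, and the lookalike domain is a placeholder.

```python
"""Offline model of the referer-based framing decision made by the DataScript above.
Added example (not Avi code): same parsing and exact-match semantics, no avi.* API."""
import re
from typing import Optional

# Copy of the Allowed-Referer string group as listed in the text.
ALLOWED_REFERER = {
    "http://www.avinetworks.com/",
    "https://avinetworks.com/docs/",
    "https://avinetworks.github.com",
    "https://support.avinetworks.com",
}

# Same intent as the Lua pattern "^https?://[^/]+": keep scheme and host, drop the path.
_ORIGIN_RE = re.compile(r"^(https?://[^/]+)")


def referer_origin(referer: Optional[str]) -> Optional[str]:
    """Return scheme://host[:port] of a Referer value, or None if absent or unparseable."""
    if not referer:
        return None
    m = _ORIGIN_RE.match(referer)
    return m.group(1) if m else None


def frame_headers(referer: Optional[str], allowed=ALLOWED_REFERER) -> dict:
    """Headers the DataScript would set for a response to a request with this Referer."""
    origin = referer_origin(referer)
    if origin is not None and origin in allowed:  # exact match, like avi.stringgroup.equals
        return {"X-Frame-Options": "ALLOW-FROM " + origin,
                "Content-Security-Policy": "frame-ancestors " + origin}
    return {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'"}


def unmatchable_entries(allowed=ALLOWED_REFERER) -> set:
    """String-group entries that can never match because they carry a path or trailing slash."""
    return {e for e in allowed if referer_origin(e) != e}


if __name__ == "__main__":
    # Constructed Referer values: absent, allowed host with a deep path, an entry that
    # carries a path, and a lookalike domain (placeholder) that only shares a prefix.
    for ref in (None, "https://support.avinetworks.com/tickets/42",
                "https://avinetworks.com/docs/", "https://support.avinetworks.com.lookalike.invalid/"):
        print(ref, "->", frame_headers(ref)["Content-Security-Policy"])
    print("entries that never match:", sorted(unmatchable_entries()))
```

Entries that carry a path or trailing slash are reported as unmatchable because the DataScript compares only scheme and host.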