Clickjacking is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages.
Clickjacking Protection in NSX Advanced Load Balancer
In NSX Advanced Load Balancer, clickjacking protection is enabled by default. Clickjacking protection can be deactivated, if required. For instance, the Horizon integration with iframes does not work with the option enabled. You can deactivate the option by logging into the Controller CLI and entering the commands shown below:
$> shell Login: admin Password: : > configure systemconfiguration : systemconfiguration> portal_configuration : systemconfiguration:portal_configuration> no enable_clickjacking_protection : systemconfiguration:portal_configuration> save : systemconfiguration> save : > exit $>
Selective Disabling of Clickjacking Protection
Clickjacking are in many forms. One such example is when a site maliciously embeds an unsuspecting site within an iframe, effectively showing the child site through their own. Preventing this is easy enough through a few headers on the server. However, it is possible in more robust environments to require enabling iframing sometimes, but not always.
The following DataScript selectively determines if the referring site, determined by the referer header, is allowed to embed this site within an iframe. The list of allowed referers is maintained within a separate string group, which allows for an extensive, REST API updatable list without directly modifying the rule with every update.
The following example involves creating a string group, then creating the DataScript which references the string group:
String Group: Allowed-Referer
http://www.avinetworks.com/
https://avinetworks.com/docs/
https://avinetworks.github.com
https://support.avinetworks.com
DataScript
-- Add to the HTTP Response event var = avi.http.get_header("referer", avi.HTTP_REQUEST) if var then -- The following line strips off the path from the hostname name = string.match(var, "[https?://]*[^/]+" ) val, match = avi.stringgroup.equals("Allowed-Referer", name) end if match then -- The referring site is allowed to embed this site within an iframe avi.http.replace_header("X-Frame-Options", "ALLOW-FROM "..name) avi.http.replace_header("Content-Security-Policy", "frame-ancestors " .. name) else -- The site may not be iframed avi.http.replace_header("X-Frame-Options", "DENY") avi.http.replace_header("Content-Security-Policy", "frame-ancestors 'none'") end