How to set X-Frame-Options to address the vulnerability in the ServiceDesk Web URL?
There are 2 ways to set the X-Frame-Options header:
Option 1 - From Service Desk - This is supported by CA Support.
Option 2 - From IIS - Not supported by CA, as this requires changes at the IIS level. This needs to be performed by the Windows or IIS Administrators.
Changes from Service Desk - Supported by CA Support
1. Open the NX.env file located under the Service Desk install directory (NX_ROOT).
2. Set the NX variable NX_X_FRAME_OPTIONS=Yes. This sets the HTTP header X-Frame-Options: SameOrigin on all HTMPL pages parsed by webengine.
3. Add the same variable to the NX.env.tpl file located under the NX_ROOT/ServiceDesk/pdmconf folder.
4. Restart the Service Desk service.
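To confirm steps 2 to 4 took effect, the following added example (not CA code) checks that NX_X_FRAME_OPTIONS=Yes is present in both NX.env and NX.env.tpl and that a response carries the expected header. It assumes entries are NAME=value lines with an optional leading "@" and "#" comments; the function names and sample data are constructed for illustration.

```python
import re

VAR = "NX_X_FRAME_OPTIONS"  # variable name from step 2 of the article

def nx_value(env_text, name=VAR):
    """Return the last effective value of `name` in NX.env-style text, or None.

    Assumption: entries are NAME=value lines, optionally prefixed with '@',
    and lines starting with '#' are comments.
    """
    value = None
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"@?([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m and m.group(1) == name:
            value = m.group(2).strip()
    return value

def check_config(nx_env_text, nx_tpl_text):
    """List problems with steps 2 and 3; an empty list means both files agree."""
    problems = []
    for label, text in (("NX.env", nx_env_text), ("NX.env.tpl", nx_tpl_text)):
        v = nx_value(text)
        if v is None:
            problems.append(f"{label}: {VAR} is not set")
        elif v != "Yes":  # the article gives the value exactly as "Yes"
            problems.append(f"{label}: {VAR}={v}, expected Yes")
    return problems

def check_response_headers(headers):
    """True if the response carries X-Frame-Options: SameOrigin (any letter case)."""
    for k, v in headers.items():
        if k.lower() == "x-frame-options":
            return v.strip().lower() == "sameorigin"
    return False

# Constructed sample input (not taken from a real installation).
SAMPLE_ENV = "# constructed sample\n@NX_ROOT=C:/CA/SDM\n@NX_X_FRAME_OPTIONS=Yes\n"
SAMPLE_TPL = "# constructed sample\n@NX_ROOT=C:/CA/SDM\n"  # step 3 was skipped
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "SameOrigin"}

if __name__ == "__main__":
    for p in check_config(SAMPLE_ENV, SAMPLE_TPL) or ["config OK"]:
        print(p)
    print("header OK" if check_response_headers(SAMPLE_HEADERS) else "header missing")
```

Feed it the real file contents and the headers returned by a Service Desk HTMPL page after the service restart.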
Changes from IIS - Not Supported by CA
Have the IIS administrator set the following headers within IIS:
x-xss-protection: 1; mode=block
For further information on how to set these at the IIS level, refer to: https://scotthelme.co.uk/hardening-your-http-response-headers/
CA does not take any responsibility for, or support, any of the points mentioned in the above link. The link is provided for reference only. These steps are to be performed by the IIS or Windows Administrators and, upon successful testing, implemented on the Service Desk Production Servers.