How to set X-Frame-Options to address a vulnerability reported against the Service Desk web URL?

Document ID : KB000031700
Last Modified Date : 14/02/2018

Question:

How to set X-Frame-Options to address a vulnerability reported against the Service Desk web URL?

 

Answer:

The X-Frame-Options response header tells the browser whether a page may be rendered inside a frame or iframe; security scanners report its absence as a clickjacking (UI redress) finding. There are two ways to add it to Service Desk responses:

Option 1 - From Service Desk. This is supported by CA Support.

Option 2 - From IIS. This is not supported by CA, because it requires changes at the IIS level, and must be performed by the Windows or IIS administrators.

 

Changes from Service Desk - Supported by CA Support

1.  Open the NX.env file located under the Service Desk install directory (NX_ROOT).

2.  Set the NX variable NX_X_FRAME_OPTIONS=Yes. This makes webengine add the HTTP header X-Frame-Options: SameOrigin (the value is case-insensitive, so it is equivalent to SAMEORIGIN) to every HTMPL page it parses. Content that IIS serves directly without going through webengine does not receive the header from this setting.

3.  Add the same variable to the NX.env.tpl file located under the NX_ROOT/ServiceDesk/pdmconf folder, so that the setting survives a later run of pdm_configure, which regenerates NX.env from that template.

4.  Restart the Service Desk service.

 

Changes from IIS - Not Supported by CA

Have the IIS administrator add the following response headers within IIS (site-level custom headers apply to every response from that site, including the Service Desk CGI/ISAPI pages and static content):

x-content-type-options: nosniff

x-frame-options: SAMEORIGIN

x-xss-protection: 1; mode=block

strict-transport-security: max-age=631138519

Two caveats before applying the list as written: Strict-Transport-Security is only honoured by browsers when it arrives over HTTPS, so it is meaningful only if the Service Desk site is served on HTTPS; and X-XSS-Protection relied on the browser XSS auditor, which current browsers have removed, so it no longer adds protection and can be omitted. If Option 1 is also enabled, X-Frame-Options will be emitted twice on HTMPL pages (once by webengine, once by IIS); keep the values identical or use only one of the two mechanisms, since browsers refuse to frame a page whose X-Frame-Options values conflict.

For further information on how to set these at the IIS level, refer to: https://scotthelme.co.uk/hardening-your-http-response-headers/
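The following PowerShell script is an added example for this article, not CA's code and not taken from the linked page. It applies the four headers listed above to the IIS site that fronts Service Desk and then requests a Service Desk URL to confirm they are returned; the second half is equally useful for testing Option 1, since it only inspects the live response. The site name, the test URL and the /CAisd/pdmweb.exe path are assumptions to be replaced with your environment's values; run it in an elevated PowerShell on the IIS server with the WebAdministration module installed.

```powershell
# Added example (not CA's code): set the KB's four response headers on the IIS site
# hosting CA Service Desk, then verify them against a live Service Desk URL.
Import-Module WebAdministration

$SiteName = 'Default Web Site'                          # assumption: the IIS site hosting /CAisd
$SitePath = "IIS:\Sites\$SiteName"
$Filter   = 'system.webServer/httpProtocol/customHeaders'
$TestUrl  = 'https://sdm.example.com/CAisd/pdmweb.exe'  # assumption: your Service Desk web URL (use https,
                                                        # otherwise Strict-Transport-Security is not sent/honoured)

# Header values exactly as listed in the KB article.
$Expected = [ordered]@{
    'X-Content-Type-Options'    = 'nosniff'
    'X-Frame-Options'           = 'SAMEORIGIN'
    'X-XSS-Protection'          = '1; mode=block'
    'Strict-Transport-Security' = 'max-age=631138519'
}

# --- Apply (Option 2) -------------------------------------------------------
foreach ($name in $Expected.Keys) {
    # Remove an existing entry with the same name first: IIS rejects duplicate
    # collection keys, so this keeps the script idempotent on re-runs.
    $current = Get-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name Collection
    if ($current | Where-Object { $_.name -ieq $name }) {
        Remove-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name '.' -AtElement @{ name = $name }
    }
    Add-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name '.' `
        -Value @{ name = $name; value = $Expected[$name] }
}

# --- Verify (Option 1 or Option 2) -----------------------------------------
# -UseBasicParsing avoids the Internet Explorer engine dependency on servers.
$resp = Invoke-WebRequest -Uri $TestUrl -UseBasicParsing
$problems = @()
foreach ($name in $Expected.Keys) {
    # Header names are case-insensitive; match the key regardless of case.
    $key = $resp.Headers.Keys | Where-Object { $_ -ieq $name } | Select-Object -First 1
    if (-not $key) {
        $problems += "missing: $name"
        continue
    }
    # Stringify so this works on both Windows PowerShell (string) and PowerShell 7 (string[]).
    $actual = "$($resp.Headers[$key])"
    # Values such as X-Frame-Options are case-insensitive too, so webengine's
    # 'SameOrigin' (Option 1) passes this check as well.
    if ($actual -ine $Expected[$name]) {
        $problems += "unexpected value for ${name}: '$actual' (expected '$($Expected[$name])')"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "All expected headers present on $TestUrl"
}
```

Run the apply section only on a test server first; the verification section can be run from any workstation that can reach the Service Desk URL and is the quickest way to confirm the change before promoting it to production.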

Disclaimer:

CA does not take responsibility for, or support, any of the points mentioned in the above link; the link is provided for reference only. These steps are to be performed by the IIS or Windows administrators and, after successful testing, implemented on the Service Desk production servers.