X-FRAME-Options Reference Guide

This article is for those who need to change the X-Frame-Options header in Liferay Digital Experience Platform. This is usually required when you embed widgets in a portlet or an iFrame and still want the HTTP header to protect the pages against clickjacking.

These values are found in the system.properties file (and not the portal.properties file) located inside the portal-impl.jar.

    # Set this to true for the portal to send the "X-Frame-Options: DENY" HTTP
    # header to protect against clickjacking.
    #
    # Custom HTTP header values instead of "DENY" can be specified per URL via
    # the properties "http.header.secure.x.frame.options.*".
    #
    http.header.secure.x.frame.options=true

    #
    # If the property "http.header.secure.x.frame.options" is set to true, then
    # the portal will iterate through the properties
    # "http.header.secure.x.frame.options.*" where the wildcard "*"
    # is replaced with an int number starting from 0 and ending with 255 to find
    # a pipe (|) delimited URL and HTTP header value pair (e.g. "/|SAMEORIGIN").
    #
    # Upon finding a matching URL, the portal will use the custom HTTP header
    # value instead of the "DENY" value.
    #
    # By default, URLs that start with "/" will use a custom HTTP header value
    # of "SAMEORIGIN". Specify another URL and HTTP header value with a number
    # smaller than 255 to intercept this default behavior.
    #
    http.header.secure.x.frame.options.255=/|SAMEORIGIN

Resolution

To override the default settings, create a system-ext.properties file. As with portal.properties, the best practice is never to modify system.properties directly. Each nested widget needs its own entry, in this form:

    http.header.secure.x.frame.options.1=/{truncated portal page url}|ALLOW-FROM {web page URL}

For example:

    http.header.secure.x.frame.options.1=/group/guest/dxp-private-page|ALLOW-FROM https://www.liferay.com/group/customer

Place the system-ext.properties file in the \..\ROOT\WEB-INF\classes folder when finished. A server restart may be necessary for the changes to take effect.
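The lookup described in the property comments above, as an added example in Python (not Liferay's own code): it reads a properties file, resolves the header value the portal would send for a request path, and flags ALLOW-FROM entries, a value current browsers no longer honour. It assumes prefix matching on the request path and that the lowest index wins; the page states neither detail, and the sample properties are constructed.

```python
PREFIX = "http.header.secure.x.frame.options"
DEFAULT_VALUE = "DENY"

# Constructed sample: the shipped defaults plus system-ext.properties overrides.
SAMPLE_PROPERTIES = """\
http.header.secure.x.frame.options=true
# constructed: one private page may be framed from a partner origin
http.header.secure.x.frame.options.1=/group/guest/dxp-private-page|ALLOW-FROM https://www.liferay.com/group/customer
# constructed: keep the login page un-frameable although 255 relaxes "/"
http.header.secure.x.frame.options.7=/c/portal/login|DENY
http.header.secure.x.frame.options.255=/|SAMEORIGIN
"""

def parse_properties(text):
    """Minimal .properties reader: skips blanks and comments, splits on the first '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def load_rules(props):
    """(index, url, header value) for indexes 0..255, lowest index first."""
    rules = []
    for i in range(256):
        raw = props.get(f"{PREFIX}.{i}")
        if not raw or "|" not in raw:
            continue  # unset or malformed entries are skipped
        url, _, value = raw.partition("|")
        rules.append((i, url.strip(), value.strip()))
    return rules

def resolve(path, props):
    """Header value for `path`, or None when the feature is switched off."""
    if props.get(PREFIX, "false").lower() != "true":
        return None
    for _, url, value in load_rules(props):
        if path.startswith(url):  # assumption: prefix match on the request path
            return value
    return DEFAULT_VALUE

def audit(props):
    """Flag ALLOW-FROM entries: current browsers treat that value as invalid and
    ignore the header, so those pages lose clickjacking protection (use CSP
    frame-ancestors for that case instead)."""
    return [(i, url) for i, url, value in load_rules(props)
            if value.upper().startswith("ALLOW-FROM")]
```

Run `audit(parse_properties(open("system-ext.properties").read()))` against your own file to list the entries that need the CSP replacement.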

Additional Information

See the System-ext.properties Reference Guide for more general information.
