0 Replies Latest reply on Oct 18, 2016 11:58 AM by DeliK

    URL-Pattern in clickjacking filter for web.xml

    DeliK Level 1

      I'm trying to figure out the correct url mapping for blocking clickjacking on my client's site.  The URL follows the pattern: "https://abc.def.xyz.com/".  Right now I have the following in the web.xml file, but it doesn't seem to work.

       

      <filter-mapping>
        
      <filter-name>CFClickJackFilterSameOrigin</filter-name>
        
      <url-pattern>/CFIDE/administrator/*</url-pattern>
      </filter-mapping>

      <filter-mapping>
        
      <filter-name>CFClickJackFilterDeny</filter-name>
        
      <url-pattern>/ABC/*</url-pattern>
      </filter-mapping>

       

      I read some of the other posts and have seen references on how to handle it if we had subdirectories (for example, if the site was actually https://abc.def.xyz.com/app_v6", I could use "/app_v6" for the url mapping, and indeed that works on my development machine where I'm using "localhost/abc" for my development site.  However, we don't have that sort of structure on the production server.  I am wondering if "/abc.def.xyz.com/*" would work.  Or other suggestions?? 

       

      This site is currently the only site on this server.  I didn't want to use "/*" with the Deny filter because I'm concerned that we could then no longer use the cf administrator.  I'm not usually the person doing the server side configuration, but the person who does is in the hospital, so not available, so trying to figure it out on my own.  Any thoughts?