X-Frame-Options Header Security Vulnerability

During a Qualys Web Application Scanning run against a user system such as Oracle Fusion (integration layer), you may encounter the security vulnerability below. If so, follow the steps in the Solution section.

ID and Name

150081 and X-Frame-Options header is not set

Threat

The X-Frame-Options header is not set in the HTTP response, which may lead to a possible framing of the page. An attacker can trick users into clicking on a malicious link by framing the original page and showing a layer on top of it with legitimate-looking buttons.

Impact

Attacks such as Clickjacking could potentially be performed.

Solution

  • Go to the following OHS location on the Oracle Fusion server: /<Environment_Name>/products/instances/<OHS_Folder_Name>/config/OHS/<OHS_Name>
  • Edit the file:  httpd.conf
  • Append the following line within the header section, before the Include line:  Header always append X-Frame-Options SAMEORIGIN

NOTE: Restart all the OHS servers after making the above changes.
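
To confirm the change before re-running the scan, the following shell checks can be used. This is an added example, not part of the original post: the function names xfo_in_conf and xfo_in_response are hypothetical, and the config fragment and HTTP response are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example: verify the X-Frame-Options fix in httpd.conf and in a response.

# Succeeds if FILE contains an uncommented mod_headers directive that sends
# X-Frame-Options with SAMEORIGIN or DENY (commented-out lines do not count).
xfo_in_conf() {
    grep -Eiq '^[[:space:]]*Header[[:space:]]+(always[[:space:]]+)?(set|append|merge|add)[[:space:]]+"?X-Frame-Options"?[[:space:]]+"?(SAMEORIGIN|DENY)"?[[:space:]]*$' "$1"
}

# Reads raw response headers on stdin (for example the output of `curl -sI`)
# and succeeds only if X-Frame-Options carries DENY or SAMEORIGIN.
# Because the directive uses "append", a backend that already sets the header
# yields a comma-separated value, so each element is checked.
xfo_in_response() {
    tr -d '\r' | awk -F': *' '
        tolower($1) == "x-frame-options" {
            n = split(toupper($2), v, / *, */)
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", v[i])
                if (v[i] == "DENY" || v[i] == "SAMEORIGIN") ok = 1
            }
        }
        END { exit !ok }'
}

# Constructed sample data: a minimal httpd.conf fragment and a response.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '# constructed httpd.conf fragment' \
        'Header always append X-Frame-Options SAMEORIGIN' \
        'Include "example/*.conf"' > "$tmp"
    xfo_in_conf "$tmp" && echo "config: directive present"
    rm -f "$tmp"
    printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n' \
        | xfo_in_response && echo "response: header present"
}
demo
```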
