Securing Apache X-Frame-Options

Issue

If X-Frame-Options is not set to DENY, SAMEORIGIN, or a specific allowed origin, the site's pages can be embedded in frames or iframes by third-party sites, which is the basis of clickjacking.

Remediation Options

For servers running the Apache web server, this can be addressed by adding the line below to apache2.conf/httpd.conf, or to your .htaccess file if you host multiple sites on the same server and need different options for each site.

Header always append X-Frame-Options SAMEORIGIN

Variations Allowed

Even if you still need to frame content across multiple sites, there are several ways to configure X-Frame-Options. Below is a table explaining the different options, followed by example directives.

Setting      Description
SAMEORIGIN   Allows the page to be displayed in a frame or iframe only when the framing page is from the same origin
DENY         Disallows the page from being displayed in a frame or iframe regardless of the framing page's origin
ALLOW-FROM   Allows only the whitelisted origin named in the header to frame the page; all other origins are implicitly denied

Example directives:

 Header always append X-Frame-Options SAMEORIGIN
 Header always append X-Frame-Options DENY
 Header always append X-Frame-Options ALLOW-FROM http://example.com

Final Notes

If X-Frame-Options is declared in a global location such as the Apache configuration file, the Apache service must be restarted for the setting to take effect. If it is implemented in the .htaccess file, no restart of Apache is required.
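After deploying one of the directives above, the check a practitioner wants is what the server actually sends back, because `Header always append` on a server that already sets the header produces two values, and browsers ignore an X-Frame-Options header they cannot parse as a single token. The following checker is an added example, not code from the original article; it classifies a response's headers as a browser would, using constructed sample responses rather than a live server.

```python
"""Classify the X-Frame-Options header a server actually returns.

Added example, not part of the original article. Headers are given as a
list of (name, value) pairs, the shape http.client or a proxy log hands
over, so the check runs offline against constructed input.
"""
from urllib.parse import urlsplit

ORIGIN_SCHEMES = {"http", "https"}


def classify_xfo(headers):
    """Return (status, detail) describing how a browser will treat the header.

    status is one of: 'missing', 'deny', 'sameorigin', 'allow-from', 'invalid'.
    """
    # Header names are case-insensitive; collect every occurrence.
    values = [v.strip() for n, v in headers if n.lower() == "x-frame-options"]
    if not values:
        return "missing", "no X-Frame-Options header; any site may frame the page"
    # Two header lines, or "SAMEORIGIN, SAMEORIGIN" from `Header always append`,
    # are not parsed as a list: browsers discard the header, so this is
    # equivalent to not setting it at all.
    parts = [p.strip() for v in values for p in v.split(",")]
    if len(parts) > 1:
        return "invalid", "multiple values %r; browsers ignore the header" % parts
    token = parts[0].upper()
    if token == "DENY":
        return "deny", "page cannot be framed by any origin"
    if token == "SAMEORIGIN":
        return "sameorigin", "page may only be framed from the same origin"
    if token.startswith("ALLOW-FROM"):
        origin = parts[0][len("ALLOW-FROM"):].strip()
        u = urlsplit(origin)
        if u.scheme not in ORIGIN_SCHEMES or not u.netloc:
            return "invalid", "ALLOW-FROM needs an absolute origin, got %r" % origin
        return "allow-from", ("only %s may frame the page; current browsers do not "
                              "support ALLOW-FROM and treat it as no header" % origin)
    return "invalid", "unrecognised value %r; browsers ignore the header" % parts[0]


# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "hardened":  [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")],
    "unset":     [("Content-Type", "text/html")],
    "appended":  [("X-Frame-Options", "SAMEORIGIN"), ("X-Frame-Options", "SAMEORIGIN")],
    "allowfrom": [("X-Frame-Options", "ALLOW-FROM http://example.com")],
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print("%-10s %-11s %s" % ((name,) + classify_xfo(hdrs)))
```

If the "appended" case shows up in your own responses, replace `append` with `Header always set` so only one value is emitted.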

Scripted Application Installs For Windows With Chocolatey

What is Chocolatey and Why Would I Use It

Chocolatey is an application repository with a command-line provider similar to apt or yum on Linux. The great thing about Chocolatey is that it makes software installation scriptable. Think of setting up new workstations or servers: depending on the environment there is a ton of software to install, things like Notepad++, .NET Framework, or New Relic, or, if you're setting up a dev environment, maybe Visual Studio, Notepad++, Adobe Reader, the Java JDK, etc. Now you can automate this with a PowerShell script, or better yet, if you use Puppet, you can leverage the Puppet Forge module for Chocolatey.


Installation

To install Chocolatey run the following in PowerShell:

Set-ExecutionPolicy RemoteSigned
iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))

That's it; Chocolatey is now installed.


Installing Applications

To install applications with Chocolatey, you will find the commands listed next to each package in the Chocolatey packages library at https://chocolatey.org/packages, or you can use the command-line search tool (see https://github.com/chocolatey/choco/wiki/CommandsList for examples). You can also set up your own local Chocolatey server if you are in an enterprise environment; however, that is outside the scope of this article. Below is an example of several common applications being installed via Chocolatey in PowerShell.

choco install googlechrome
choco install firefox
choco install git
choco install adobereader
choco install notepadplusplus
choco install 7zip
choco install ccleaner
choco install sysinternals
choco install filezilla
choco install ruby
choco install nscp
choco install puppet
choco install zabbix-agent


Puppet Forge Module

If your organization is already using Puppet for configuration management, you can use Chocolatey as a package provider in Puppet. To install the module on your Puppet master, run the following command:

puppet module install chocolatey-chocolatey

To use the module, create a Puppet class for your nodes; refer to the usage instructions at https://forge.puppet.com/chocolatey/chocolatey#usage