Disable Cross-Frame Scripting (XFS) for pages delivered by the Access Gateway Embedded Service Provider (nesp)

  • 7017550
  • 28-Apr-2016
  • 02-May-2016


  • NetIQ Access Manager 4.1
  • NetIQ Access Manager 4.2


  • With the default NIDP server configuration, pages delivered by the NESP server can be loaded from within an HTML iframe.

  • Note: this usually has a very low impact, as the delivered pages are not used for the user login process; in most cases they are only used to report error messages.

  • To prevent a possible Cross-Frame Scripting (XFS) attack, a web service can add the HTTP "X-Frame-Options" response header as defined in RFC 7034.


There are two options for adding this header on the Access Gateway:

  1. - ssh into your Access Gateway server
    - modify "/opt/novell/nesp/lib/webapp/WEB-INF/web.xml" using the editor of your choice
    - add the following Tomcat filter configuration below any existing filter configurations

    - restart the Embedded Service Provider: "/etc/init.d/novell-mag restart"

  2. Use the Apache "mod_headers" module to add the required header

    • open "/etc/opt/novell/apache2/conf/httpd.conf" on your Access Gateway with an editor of your choice
    • remove the "#" in front of "LoadModule headers_module libexec/mod_headers.so" so that the module is loaded
    • add the following Apache directives from within iManager in the global "Advanced Options" menu

      <LocationMatch "/nesp">
         Header always append X-Frame-Options SAMEORIGIN
      </LocationMatch>

Additional Information

The HttpHeaderSecurityFilter class was added in Tomcat version 7.0.63; earlier Tomcat versions do not ship with this filter.
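The Tomcat filter configuration that option 1 refers to is not reproduced in this copy of the article. The following is an added example (not the article's own text) of an HttpHeaderSecurityFilter declaration for web.xml; the filter class and init-param names are Tomcat's (7.0.63 and later), while the chosen values and the filter name are assumptions for this example.

```xml
<!-- Added example, not from the article: declare Tomcat's HttpHeaderSecurityFilter
     in /opt/novell/nesp/lib/webapp/WEB-INF/web.xml, below any existing <filter>
     entries. Parameter names are Tomcat's; the values are this example's choices. -->
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <!-- Emit the X-Frame-Options header on every response this webapp produces. -->
    <init-param>
        <param-name>antiClickJackingEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <!-- SAMEORIGIN matches the Apache variant in option 2; DENY is stricter and is
         appropriate if nothing of your own ever frames the NESP pages. -->
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
    <!-- The filter also enables Strict-Transport-Security by default. Set it
         explicitly so that only the header this article is about is changed
         (assumption: HSTS is managed elsewhere on this gateway). -->
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>false</param-value>
    </init-param>
</filter>

<!-- Apply the filter to all NESP pages. The ERROR dispatcher matters here because
     the article notes these pages are mostly error pages; without it, responses
     produced through an <error-page> mapping would not pass through the filter. -->
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>
```

After the restart in option 1, request any NESP page with curl -I and confirm that exactly one X-Frame-Options header is returned; if option 2 is also active, the Apache "append" directive would add a second copy.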