Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

click jacking protection options?

rbardonetorian
Path Finder
‎02-09-2017 08:01 AM

Hello Splunksters,

Well I am trying to keep a bit of security to avoid click-jacking, though find myself in a pickle..

I have found this link: https://answers.splunk.com/answers/104277/iframes-and-views-broken-after-splunk-6-upgrade.html

Though I would like to make slight mod and allow for a specific site to have access and not just allow all with the "False" setting.

Any ideas??

Could I use the " # external UI URIs " setting in the web.conf somehow?

Thanks!

0 Karma
Reply

ben_leung
Builder
‎12-05-2018 11:52 AM

Splunk uses x frame options header sameorigin. I also want to use allow-from but that is not supported on browsers like chrome and safari.
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#X-Frame-Options_Header_Types

If Splunk decided to use the header from Content-Security-Policy frame-ancestors, then you could state domains allowed.

0 Karma
Reply

ben_leung
Builder
‎12-05-2018 05:28 PM

You can actually do this now, while etc/system/local/web.conf contains x_frame_options_sameorigin = false under the [settings] stanza, add

replyHeader.Content-Security-Policy = frame-ancestors self

0 Karma
Reply

isachse
Explorer
‎02-26-2021 11:13 AM

Thanks @ben_leung, it works quite well. I checked it with Splunk Enterprise 8.1.2. In this version it's not even needed to set x_frame_options_sameorigin to false. It will be automatically overruled if you're on a domain, which is allowed by the Content-Security-Policy .

We use it like this:

replyHeader.Content-Security-Policy = frame-ancestors self https://example1.com  https://example2.com
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...