Clickjacking X-frame option header missing

Added by Koushik Chatterjee over 7 years ago

Hi All,

Please suggest whether we can configure our webserver to add the X-Frame-Options header.
Please note that we are using the WEBrick webserver for Redmine stable 2.3.4.

Regards,
Koushik


Replies (4)

RE: Clickjacking X-frame option header missing - Added by Toshi MARUYAMA over 7 years ago

Do not use WEBrick for production.

RE: Clickjacking X-frame option header missing - Added by Koushik Chatterjee over 7 years ago

Thanks for your suggestion.
Would you please also direct me to where I can find detailed documentation on changing the webserver from WEBrick to Apache with Passenger?

RE: Clickjacking X-frame option header missing - Added by Gregor Schmidt over 7 years ago

Not using WEBrick in production is a valuable suggestion. There are various HowTos in the wiki which describe the setup for Apache and Passenger. Unfortunately, some of them are very outdated. I did not check them in detail, so I cannot recommend any one in particular.

But using a different application server will not solve your initial problem - the missing X-Frame-Options headers.

Please consider updating your Redmine installation to the latest version. This provides you with the following benefits:

  • X-Frame-Options headers should be sent by default - no extra configuration needed. This was added in Rails 4.
  • You'll receive security updates for Redmine and its dependencies. The version you've mentioned has been out of maintenance for a very long time now. Unless you're running your installation for yourself in an isolated network, you're taking a very high risk by not updating your software. Check RedmineUpgrade for detailed instructions on updating Redmine.
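One way to send the header from the application stack when the framework does not set it by default, as an added example that is not part of the thread and not Redmine or Rails code: a plain Rack middleware that adds `X-Frame-Options` only when the response lacks it. The class name `FrameOptionsDefault`, the helper `frame_policy` and the two sample apps are hypothetical.

```ruby
# Added example (hypothetical names). Uses only the plain Rack calling
# convention: app.call(env) -> [status, headers, body]. No gems required.
class FrameOptionsDefault
  HEADER  = 'X-Frame-Options'.freeze
  ALLOWED = %w[DENY SAMEORIGIN].freeze

  def initialize(app, policy = 'SAMEORIGIN')
    # Reject typos up front; an unknown value would be ignored by browsers.
    raise ArgumentError, "unsupported policy: #{policy}" unless ALLOWED.include?(policy)
    @app = app
    @policy = policy
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Header names are case-insensitive. Keep a value the app already chose,
    # so a stricter per-page DENY is not downgraded to SAMEORIGIN.
    present = headers.keys.any? { |k| k.to_s.casecmp(HEADER).zero? }
    headers[HEADER] = @policy unless present
    [status, headers, body]
  end
end

# Constructed sample apps standing in for the application behind the middleware.
LEGACY_APP = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<h1>Issues</h1>']] }
STRICT_APP = ->(_env) { [200, { 'x-frame-options' => 'DENY' }, ['<h1>Admin</h1>']] }

# Returns the framing policy a client would receive, or nil if none is sent.
def frame_policy(app, env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/' })
  _status, headers, _body = app.call(env)
  pair = headers.find { |k, _v| k.to_s.casecmp('X-Frame-Options').zero? }
  pair && pair[1]
end

if __FILE__ == $PROGRAM_NAME
  puts "legacy app, no middleware: #{frame_policy(LEGACY_APP).inspect}"
  puts "legacy app, wrapped:       #{frame_policy(FrameOptionsDefault.new(LEGACY_APP)).inspect}"
  puts "strict app, wrapped:       #{frame_policy(FrameOptionsDefault.new(STRICT_APP)).inspect}"
end
```

In a Rails application a class like this is registered with `config.middleware.use`; the `frame_policy` check can be pointed at any Rack-compatible app object to confirm the header is present after a change.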