Clickjacking X-frame option header missing

Added by Koushik Chatterjee 12 days ago

Hi All,

Please suggest: can we configure our webserver to add the X-Frame-Options header?
Please note that we are using the WEBrick webserver for Redmine stable 2.3.4.

Regards,
Koushik

Replies (3)

RE: Clickjacking X-frame option header missing - Added by Toshi MARUYAMA 12 days ago

Do not use WEBrick for production.

RE: Clickjacking X-frame option header missing - Added by Koushik Chatterjee 11 days ago

Thanks for your suggestion.
Would you please also direct me to where I can find detailed documentation on changing the webserver from WEBrick to Apache with Passenger?

RE: Clickjacking X-frame option header missing - Added by Gregor Schmidt 11 days ago

Not using WEBrick in production is a valuable suggestion. There are various HowTos in the wiki which describe the setup for Apache and Passenger. Unfortunately, some of them are very outdated. I did not check them in detail, so I cannot recommend any one in particular.

But using a different application server will not solve your initial problem - the missing X-Frame-Options headers.

Please consider updating your Redmine installation to the latest version. This provides you with the following benefits:

  • X-Frame-Options headers should be sent by default - no extra configuration needed. This was added in Rails 4.
  • You'll receive security updates for Redmine and its dependencies. The version you've mentioned has been out of maintenance for a very long time now. Unless you're running your installation for yourself in an isolated network, you're taking a very high risk by not updating your software. Check RedmineUpgrade for detailed instructions on updating Redmine.
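Added example, not part of the thread and not Redmine's own code: a small Rack middleware that sets X-Frame-Options on responses that lack it, for an installation that cannot be upgraded right away. The class name `FrameOptionsHeader` is hypothetical, and it assumes the middleware is registered in the application's Rails configuration with `config.middleware.use FrameOptionsHeader`; because the header is added inside the Rack stack, it is sent regardless of which application server is in front.

```ruby
# Added example (hypothetical class name), not Redmine code.
# Rack middleware: add X-Frame-Options to any response that does not set it.
class FrameOptionsHeader
  HEADER  = 'X-Frame-Options'.freeze
  ALLOWED = %w[DENY SAMEORIGIN].freeze

  def initialize(app, policy = 'SAMEORIGIN')
    policy = policy.to_s.upcase
    # Reject typos such as "ALLOWALL" at boot instead of sending a value
    # browsers would ignore.
    raise ArgumentError, "unsupported policy: #{policy}" unless ALLOWED.include?(policy)
    @app = app
    @policy = policy
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Header names are case-insensitive; keep a value the app set itself.
    unless headers.keys.any? { |k| k.to_s.casecmp(HEADER).zero? }
      # merge returns a new hash, so a frozen header hash is not mutated
      headers = headers.merge(HEADER => @policy)
    end
    [status, headers, body]
  end
end

if __FILE__ == $0
  # Constructed inner app standing in for the real application.
  inner = lambda { |_env| [200, { 'Content-Type' => 'text/html' }, ['ok']] }
  _status, headers, _body = FrameOptionsHeader.new(inner).call({})
  puts headers.inspect
end
```

After deploying, check the result with a HEAD request against the login page and confirm the header appears exactly once in the response.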
