Clickjacking X-frame option header missing
Please suggest whether we can configure our web server to add the X-Frame-Options header.
Please note that we are using the WEBrick web server for Redmine stable 2.3.4.
RE: Clickjacking X-frame option header missing - Added by Toshi MARUYAMA 6 months ago
Do not use webrick for production.
Thanks for your suggestion.
Would you also please direct me to where I can find a detailed document on changing the web server from WEBrick to Apache with Passenger?
RE: Clickjacking X-frame option header missing - Added by Gregor Schmidt 6 months ago
Not using WEBrick in production is a valuable suggestion. There are various HowTos in the wiki which describe the setup for Apache and Passenger. Unfortunately, some of them are very outdated. I did not check them in detail, so I cannot recommend any one in particular.
But using a different application server will not solve your initial problem - the missing X-Frame-Options headers.
Please consider updating your Redmine installation to the latest version. This provides you with the following benefits:
- X-Frame-Options headers should be sent by default - no extra configuration needed. This was added in Rails 4.
- You'll receive security updates for Redmine and its dependencies. The version you've mentioned has been out of maintenance for a very long time now. Unless you're running your installation for yourself in an isolated network, you're taking a very high risk by not updating your software. Check RedmineUpgrade for detailed instructions on updating Redmine.
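
As an added example (not part of the thread and not Redmine's own code): on a Rails version that does not yet send the header by default, a small Rack middleware can add it independently of the web server, and a helper can audit whether a response restricts framing. `FrameGuard`, `framing_protected?` and the sample apps are hypothetical names constructed for illustration.

```ruby
# Added example (not Redmine code). FrameGuard and framing_protected? are
# hypothetical names; the sample apps at the bottom are constructed.

# Rack middleware: adds X-Frame-Options when the app did not set one.
class FrameGuard
  ALLOWED = %w[DENY SAMEORIGIN].freeze

  def initialize(app, policy = "SAMEORIGIN")
    raise ArgumentError, "policy must be DENY or SAMEORIGIN" unless ALLOWED.include?(policy)
    @app = app
    @policy = policy
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Header names are case-insensitive; keep any value the app already chose.
    unless headers.keys.any? { |k| k.to_s.casecmp("x-frame-options").zero? }
      headers = headers.merge("X-Frame-Options" => @policy)
    end
    [status, headers, body]
  end
end

# Audit helper: true if the response headers restrict framing, either via
# X-Frame-Options or a Content-Security-Policy frame-ancestors directive.
# A frame-ancestors list containing the wildcard * does not count.
def framing_protected?(headers)
  h = headers.each_with_object({}) { |(k, v), acc| acc[k.to_s.downcase] = v.to_s }
  return true if FrameGuard::ALLOWED.include?(h["x-frame-options"].to_s.strip.upcase)
  h["content-security-policy"].to_s.split(";").any? do |directive|
    tokens = directive.strip.downcase.split
    tokens.first == "frame-ancestors" && tokens.length > 1 && !tokens.include?("*")
  end
end

# Constructed sample apps: one sends no framing header, one already sets DENY.
BARE_APP = ->(_env) { [200, { "Content-Type" => "text/html" }, ["ok"]] }
DENY_APP = ->(_env) { [200, { "x-frame-options" => "DENY" }, ["ok"]] }
```

In a Rails application a middleware class like this is registered with `config.middleware.use`; upgrading, as recommended above, makes it unnecessary.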