My webMethods Server 10.5 | My webMethods Server Webhelp | Administering My webMethods Server | System Administrator Functions | Managing Security | Working with Response Header Rules | About the Default Response Header Rules
 
About the Default Response Header Rules
The following table lists the response header rules, available in a typical My webMethods Server installation:
Rule Name
Description
Login Page Deny Non Same-Origin Framing
Enabled by default. This rule guards against cross-site scripting and clickjacking attacks on the Login page by implementing the X-Frame-Options HTTP response header. This header indicates whether or not a browser should be allowed to render a page in a <frame> or <iframe>, thus ensuring that content is not embedded into other sites. The key/value pair is:
X-Frame-Options SAMEORIGIN
The page can only be displayed in a frame of the same origin as the page itself.
Login Page Deny All Framing
Disabled by default. This is a more stringent Login page anti-cross-site scripting and clickjacking rule. The key/value pair is:
X-Frame-Options DENY
In this case, the page cannot be displayed in a frame, regardless of the site attempting to do so.
IE - parameter for compatibility mode
Enabled by default. This setting sets the standard document type for Internet Explorer in rendering HTML pages. The default value is IE8.
Basic support for the X-Frame-Options header response is available in these (and later) browser versions:
*Chrome 4.1.249.1042
*Firefox 3.6.9
*Gecko 1.9.2.9
*Internet Explorer 8.0
*Opera 10.5
*Safari 4.0