About the Default Response Header Rules
The following response header rules are available in My webMethods Server by default:

Rule name: Login Page Deny Non Same-Origin Framing
Enabled by default: Yes
Description: This rule guards against clickjacking (UI redress) attacks on the Login page by setting the X-Frame-Options HTTP response header. The header tells the browser whether it may render the page inside a <frame> or <iframe>, so the login form cannot be embedded in another site's page and overlaid with misleading controls. Note that X-Frame-Options does not protect against cross-site scripting; a script injected into the page itself is unaffected by it. The key/value pair is:
X-Frame-Options SAMEORIGIN
The page can only be displayed in a frame whose origin (scheme, host and port) matches that of the page itself.

Rule name: Login Page Deny All Framing
Enabled by default: No
Description: This is a more stringent Login page anti-clickjacking rule. The key/value pair is:
X-Frame-Options DENY
In this case, the page cannot be displayed in a frame at all, regardless of which site attempts to frame it, including My webMethods Server itself. Enable this rule only if nothing in your own portal relies on framing the Login page.

Rule name: IE - parameter for compatibility mode
Enabled by default: Yes
Description: This rule sets the document mode that Internet Explorer uses to render HTML pages (the X-UA-Compatible response header). The default value is IE8.

Basic support for the X-Frame-Options response header is available in these (and later) browser versions:
*Chrome 4.1.249.1042
*Firefox 3.6.9
*Gecko 1.9.2.9
*Internet Explorer 8.0
*Opera 10.5
*Safari 4.0
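The following is an added example, not part of this documentation or of the My webMethods Server product code. It models how a browser decides whether to render a page carrying the X-Frame-Options values the two Login page rules emit (SAMEORIGIN versus DENY, plus the no-header and conflicting-header cases), and audits a captured HTTP response head to report which default rule it matches. The host name, port and response head below are constructed for illustration.

```python
# Added example (not Software AG documentation or product code): browser-side
# evaluation of X-Frame-Options, and an audit of a captured response head for
# the two default Login page rules. Host names and the response are constructed.
from urllib.parse import urlsplit


def origin(url):
    """Web origin as (scheme, host, port); this is what SAMEORIGIN compares."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme.lower() == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def parse_head(raw):
    """Parse an HTTP response head into {header-name-lowercase: [values...]}."""
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():
            break                   # a blank line ends the head
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def xfo_values(headers):
    """All X-Frame-Options values, upper-cased; comma-separated lists are split."""
    vals = []
    for v in headers.get("x-frame-options", []):
        vals.extend(part.strip().upper() for part in v.split(",") if part.strip())
    return vals


def framing_allowed(headers, page_url, ancestor_urls):
    """Would a browser render page_url inside frames whose documents are at ancestor_urls?

    Follows the HTML standard's 'check a navigable's frame options' steps:
    conflicting values -> blocked; DENY -> blocked; SAMEORIGIN -> every ancestor
    frame must share the page's origin; no header or unrecognised value -> rendered.
    """
    vals = xfo_values(headers)
    if not vals:
        return True
    if len(set(vals)) > 1:
        return False                # conflicting directives are treated as DENY
    value = vals[0]
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return all(origin(a) == origin(page_url) for a in ancestor_urls)
    return True                     # e.g. obsolete ALLOW-FROM: ignored by current browsers


def matching_rule(headers):
    """Name the default MWS rule whose key/value pair the response carries, if any."""
    vals = xfo_values(headers)
    if vals == ["SAMEORIGIN"]:
        return "Login Page Deny Non Same-Origin Framing"
    if vals == ["DENY"]:
        return "Login Page Deny All Framing"
    return None


# Constructed response head, as the enabled default rule would emit it (hypothetical host).
LOGIN_PAGE = "https://mws.example.com:8585/"   # hypothetical My webMethods Server URL
SAMEORIGIN_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)

if __name__ == "__main__":
    h = parse_head(SAMEORIGIN_HEAD)
    print(matching_rule(h))
    print(framing_allowed(h, LOGIN_PAGE, ["https://attacker.example/"]))        # False
    print(framing_allowed(h, LOGIN_PAGE, ["https://mws.example.com:8585/portal"]))  # True
```

To check a live server, capture the head of the Login page response (for example with curl -sI) and pass it to parse_head. Note that SAMEORIGIN is evaluated against every ancestor frame, so an attacker page that frames a same-origin portal page which in turn frames the Login page is still blocked. Current browsers also honour the Content-Security-Policy frame-ancestors directive, which takes precedence over X-Frame-Options when both are present; this example models only the header the rules above set.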
Copyright © 2017 Software AG, Darmstadt, Germany.
