About the Default Response Header Rules (My webMethods Server 10.2)

The following response header rules are available in My webMethods Server 10.2 by default:
Rule name: Login Page Deny Non Same-Origin Framing
Enabled by default: Yes
Description: This rule guards against clickjacking (UI redress) attacks on the Login page by sending the X-Frame-Options HTTP response header. The header tells the browser whether it may render the page inside a <frame> or <iframe>, so the Login page cannot be embedded in another site and its clicks hijacked. Note that X-Frame-Options does not mitigate cross-site scripting; it controls framing only. The key/value pair is:
X-Frame-Options SAMEORIGIN
The page can only be displayed in a frame whose origin (scheme, host and port) is the same as the page's own. Current browsers apply this check to every ancestor frame, not just the top-level document; older implementations checked only the top-level document.

Rule name: Login Page Deny All Framing
Enabled by default: No
Description: This is a more stringent anti-clickjacking rule for the Login page. The key/value pair is:
X-Frame-Options DENY
In this case the page cannot be displayed in a frame at all, regardless of which site attempts it, including pages from the same origin. If both Login page rules are enabled and the server emits both headers, browsers treat the conflicting values as DENY.

Rule name: IE - parameter for compatibility mode
Enabled by default: Yes
Description: This rule sets the document mode that Internet Explorer uses when rendering the server's HTML pages, which is controlled by the X-UA-Compatible response header. The default value is IE8.
Basic support for the X-Frame-Options response header is available in these (and later) browser versions:
*Chrome 4.1.249.1042
*Firefox 3.6.9
*Gecko 1.9.2.9
*Internet Explorer 8.0
*Opera 10.5
*Safari 4.0
All browsers in current use support the header. The Content-Security-Policy frame-ancestors directive is its standardised successor: when a response carries both, browsers that understand frame-ancestors ignore X-Frame-Options, so a Content-Security-Policy header added by a reverse proxy or by another rule overrides the two Login page rules above.
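The following added example (my own code, not part of the Software AG documentation or the product) evaluates a set of response headers the way a current browser does when deciding whether a page may be framed. It covers both Login page rules above and the cases the table does not spell out: a missing header, the deprecated ALLOW-FROM form (ignored by current browsers, so it gives no protection), conflicting values from two X-Frame-Options headers, and a Content-Security-Policy frame-ancestors directive, which takes precedence over X-Frame-Options. The sample header sets are constructed, the partner.example host is made up, and the function names are my own. Given a URL argument it fetches the live headers instead of using the samples.

```python
"""Evaluate HTTP response headers for clickjacking protection the way a browser does.

Added example, not code from the Software AG documentation or product.
Usage:  python check_framing.py            # run on the constructed samples below
        python check_framing.py <URL>      # fetch and evaluate a live response
"""
import sys
import urllib.error
import urllib.request
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]


def header_values(headers: Headers, name: str) -> List[str]:
    """Every value sent for `name` (case-insensitive); comma-joined lists are split."""
    found = []
    for key, value in headers:
        if key.lower() == name.lower():
            found.extend(v.strip() for v in value.split(",") if v.strip())
    return found


def frame_ancestors(headers: Headers) -> Optional[List[str]]:
    """Source list of the first frame-ancestors directive, or None if no CSP sets one."""
    for policy in header_values(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None


def framing_verdict(headers: Headers) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'deny', 'same-origin', 'allow-list' or 'unprotected'."""
    ancestors = frame_ancestors(headers)
    if ancestors is not None:
        # CSP Level 2 and later: if frame-ancestors is present, X-Frame-Options is ignored.
        sources = {s.lower() for s in ancestors}
        if sources == {"'none'"}:
            return "deny", "CSP frame-ancestors 'none'"
        if sources == {"'self'"}:
            return "same-origin", "CSP frame-ancestors 'self'"
        return "allow-list", "CSP frame-ancestors " + " ".join(ancestors)

    # Browsers compare the set of distinct, case-insensitive X-Frame-Options values.
    values = {v.lower() for v in header_values(headers, "X-Frame-Options")}
    if not values:
        return "unprotected", "no X-Frame-Options or frame-ancestors"
    if len(values) > 1:
        if values & {"deny", "sameorigin", "allowall"}:
            return "deny", "conflicting X-Frame-Options values are treated as DENY"
        return "unprotected", "only unrecognised X-Frame-Options values"
    (value,) = values
    if value == "deny":
        return "deny", "X-Frame-Options DENY"
    if value == "sameorigin":
        return "same-origin", "X-Frame-Options SAMEORIGIN (every ancestor frame must match)"
    # ALLOW-FROM and any other token are not understood by current browsers, so the
    # header is ignored and the page can be framed from anywhere.
    return "unprotected", "unrecognised X-Frame-Options value %r is ignored" % value


def is_protected(headers: Headers) -> bool:
    return framing_verdict(headers)[0] != "unprotected"


def fetch_headers(url: str) -> Headers:
    """Fetch `url` and return its response headers, including those of a 4xx/5xx reply."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return list(resp.getheaders())
    except urllib.error.HTTPError as err:
        return list(err.headers.items())


# Constructed sample header sets (not captured from a real server); partner.example is made up.
SAMPLES = {
    "MWS default rule": [("X-Frame-Options", "SAMEORIGIN")],
    "MWS stricter rule": [("X-Frame-Options", "DENY")],
    "no framing rule enabled": [("Content-Type", "text/html")],
    "deprecated ALLOW-FROM": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "server and proxy disagree": [("X-Frame-Options", "SAMEORIGIN"), ("X-Frame-Options", "ALLOWALL")],
    "CSP overrides XFO": [("X-Frame-Options", "DENY"),
                          ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'")],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], *framing_verdict(fetch_headers(sys.argv[1])))
    else:
        for label, hdrs in SAMPLES.items():
            verdict, reason = framing_verdict(hdrs)
            print("%-26s %-12s %s" % (label, verdict, reason))
```

Run it against the Login page URL of the server after enabling or changing a rule to confirm which header the browser actually receives. A reverse proxy in front of My webMethods Server can add, strip or duplicate the header, which is why the script looks at every X-Frame-Options value rather than the first one.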

Copyright © 2004-2018 | Software AG, Darmstadt, Germany and/or Software AG USA, Inc., Reston, VA, USA, and/or its subsidiaries and/or its affiliates and/or their licensors.
Innovation Release