Possible Clickjacking / no frame busting code in dotCMS admin

Issue: SI-12
Date: Jun 8, 2013, 8:00:00 AM
Severity: Low
Requires Admin Access: Yes
Fix Version: 3
Credit: Internal Security Team

It is possible to "clickjack" the dotCMS admin console, which runs inside a frameset: an attacker can load an admin page in an invisible iframe on a site they control and trick a logged-in administrator into clicking on it. The fix is to send an X-Frame-Options header on every response (both CMS admin and end-user requests). Use "X-Frame-Options: DENY" where a page must never be framed, and "X-Frame-Options: SAMEORIGIN" for pages that the admin console itself loads into its own frames, because DENY also blocks framing from the same origin and would break the console frameset.

- For older browsers that do not support the X-Frame-Options header, all CMS admin pages should additionally carry "frame busting" JavaScript. This is a fallback only: frame-busting scripts can be defeated (for example by framing the page with an HTML5 sandbox that disables scripts), so the header remains the primary control. For example:

<style>body { display: none; }</style>
<script type="text/javascript">
  // Must run after the <body> element exists (e.g. at the end of the body).
  if (self == top) {
    document.getElementsByTagName('body')[0].style.display = "block";  // not framed: show the page
  } else {
    top.location = self.location;  // framed: break out by navigating the top window
  }
</script>

OWASP Guide to Clickjacking:


To apply this to an existing installation, use a static plugin that overrides /html/common/top_inc.jsp and sets the response header there (the frame-busting script above can be added in the same file). The header must be set before any output is written, because headers added after the response is committed are silently ignored:

<%
  // Use "SAMEORIGIN" for pages that the admin console loads inside its own frameset.
  response.setHeader("X-Frame-Options", "DENY");
%>
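Overriding top_inc.jsp only covers the admin pages that include it; to send the header on every response, including end-user requests, a servlet filter mapped to /* is the more complete option. The following filter is an added example written for this page, not dotCMS project code. The ADMIN_PREFIX value is an assumption made for illustration and should be replaced with the real admin URL prefix of the installation; the filter also emits the Content-Security-Policy frame-ancestors directive, which is the modern equivalent of X-Frame-Options and takes precedence over it in browsers that support it.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Sets anti-framing headers on every response before the rest of the chain
 * runs, so they are present even when the downstream JSP writes output and
 * commits the response (headers set after commit are ignored).
 */
public class FrameOptionsFilter implements Filter {

    // Assumption for this example: admin console URLs start with this prefix.
    private static final String ADMIN_PREFIX = "/c/";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    /** Choose the X-Frame-Options value for a request path (kept separate so it can be unit tested). */
    static String frameOptionsFor(String contextPath, String requestUri) {
        String path = requestUri.startsWith(contextPath)
                ? requestUri.substring(contextPath.length())
                : requestUri;
        // Admin console pages are loaded inside the console's own frameset, so
        // DENY (which also blocks same-origin framing) would break the console.
        if (path.startsWith(ADMIN_PREFIX)) {
            return "SAMEORIGIN";
        }
        return "DENY";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String value = frameOptionsFor(request.getContextPath(), request.getRequestURI());
        response.setHeader("X-Frame-Options", value);
        // CSP frame-ancestors is the modern replacement; browsers that support it
        // ignore X-Frame-Options when this directive is present.
        response.setHeader("Content-Security-Policy",
                "SAMEORIGIN".equals(value) ? "frame-ancestors 'self'" : "frame-ancestors 'none'");

        chain.doFilter(req, res);
    }
}

/*
 * Registration in web.xml (map to every request, including static content):
 *
 *   <filter>
 *     <filter-name>frameOptions</filter-name>
 *     <filter-class>FrameOptionsFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>frameOptions</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
```

After deploying, confirm with a raw request against both an admin URL and a public page that each response carries exactly one X-Frame-Options header; two conflicting values (for example SAMEORIGIN from this filter and DENY from an overridden top_inc.jsp) are treated as invalid by some browsers and leave the page unprotected.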