keycloak-scim/server_admin/topics/threat/clickjacking.adoc


=== Clickjacking

Clickjacking is a technique of tricking users into clicking on a user interface element different from what users perceive. A malicious site loads the target site in a transparent iFrame, overlaid on top of a set of dummy buttons placed directly under important buttons on the target site. When a user clicks a visible button, they are clicking a button on the hidden page. An attacker can steal a user's authentication credentials and access their resources by using this method.

By default, every response by {project_name} sets some specific browser headers that can prevent this from happening.
Specifically, it sets https://datatracker.ietf.org/doc/html/rfc7034[X-FRAME_OPTIONS] and http://www.w3.org/TR/CSP/[Content-Security-Policy].
You should take a look at the definition of both of these headers as there is a lot of fine-grain browser access you can control.

.Procedure
In the Admin Console, you can specify the values of the X-FRAME_OPTIONS and Content-Security-Policy headers.

. Click the *Realm Settings* menu item.
. Click the *Security Defenses* tab.
+
.Security Defenses
image:{project_images}/security-headers.png[Security Defences]

By default, {project_name} only sets up a _same-origin_ policy for iframes.
threat 2016-05-31 22:00:59 +00:00
			`=== Clickjacking`

KEYCLOAK-15790 Security Threats rewrite (#57) * KEYCLOAK-15790 Security Threats rewrite * KEYCLOAK-15790 Post feedback changes 2021-02-19 10:15:20 +00:00			`Clickjacking is a technique of tricking users into clicking on a user interface element different from what users perceive. A malicious site loads the target site in a transparent iFrame, overlaid on top of a set of dummy buttons placed directly under important buttons on the target site. When a user clicks a visible button, they are clicking a button on the hidden page. An attacker can steal a user's authentication credentials and access their resources by using this method.`
threat 2016-05-31 22:00:59 +00:00
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`By default, every response by {project_name} sets some specific browser headers that can prevent this from happening.`
KEYCLOAK-18301 Fix broken links 2021-05-27 12:29:27 +00:00			`Specifically, it sets https://datatracker.ietf.org/doc/html/rfc7034[X-FRAME_OPTIONS] and http://www.w3.org/TR/CSP/[Content-Security-Policy].`
Minor changes for threat model chapter. 2016-06-07 19:02:18 +00:00			`You should take a look at the definition of both of these headers as there is a lot of fine-grain browser access you can control.`
threat 2016-05-31 22:00:59 +00:00
KEYCLOAK-15790 Security Threats rewrite (#57) * KEYCLOAK-15790 Security Threats rewrite * KEYCLOAK-15790 Post feedback changes 2021-02-19 10:15:20 +00:00			`.Procedure`
admin-reuse -- Found one more Data Grid link to fix based on a separate PR. 2021-06-17 14:39:30 +00:00			`In the Admin Console, you can specify the values of the X-FRAME_OPTIONS and Content-Security-Policy headers.`
threat 2016-05-31 22:00:59 +00:00
KEYCLOAK-15790 Security Threats rewrite (#57) * KEYCLOAK-15790 Security Threats rewrite * KEYCLOAK-15790 Post feedback changes 2021-02-19 10:15:20 +00:00			`. Click the Realm Settings menu item.`
			`. Click the Security Defenses tab.`
			`+`
			`.Security Defenses`
			`image:{project_images}/security-headers.png[Security Defences]`
threat 2016-05-31 22:00:59 +00:00
KEYCLOAK-15790 Security Threats rewrite (#57) * KEYCLOAK-15790 Security Threats rewrite * KEYCLOAK-15790 Post feedback changes 2021-02-19 10:15:20 +00:00			`By default, {project_name} only sets up a _same-origin_ policy for iframes.`