Avoiding Clickjacking Using X-Frame-Options Security Settings

Oracle Billing Insight uses X-Frame-Options HTTP response headers to avoid UI redress attacks, called clickjacking, by preventing application content from being embedded into other sites. On a clickjacked page, attackers can load and embed any Oracle Billing Insight page over the external site page in a transparent frame, tricking Oracle Billing Insight users into performing actions that could enable the attacker to steal payment account information, for example.

Oracle Billing Insight uses the SAMEORIGIN X-Frame-Options value, which displays the page in a frame only if the site framing it is the same as the one serving the page. This prevents Oracle Billing Insight content from being embedded into other sites, and is the setting recommended by OWASP.

If you have implemented your own integration from an external system, you can follow the steps in this topic to configure the Self-Service and Assisted Service applications to allow a specific origin using the ALLOW-FROM URI response header value, while still preventing Oracle Billing Insight from being embedded by any other outside pages.

CAUTION: If you attempt to access and embed the Self-Service or Assisted Service applications from an external system (which is not the same origin), you risk clickjacking from cross-site scripting.

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. There are three possible values for X-Frame-Options:
There can also be limitations on browser compatibility. If you are using an old browser, you may also need to configure the Assisted Service application to avoid clickjacking. For more information about browser issues, see https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

To configure Oracle Billing Insight applications to avoid clickjacking when accessing from external sites
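As an added example (not part of Oracle's documentation or of the Billing Insight product code), the following Python models how a browser evaluates the DENY, SAMEORIGIN and ALLOW-FROM values discussed above, builds a validated ALLOW-FROM header for an external origin, and audits a captured set of response headers for the framing exposure this topic describes. The hostnames billing.example.com, portal.example.com and other-site.example.net are constructed placeholders.

```python
from urllib.parse import urlsplit

def origin_of(url):
    """Reduce an absolute URL to its (scheme, host, port) origin, filling default ports."""
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    scheme = p.scheme.lower()
    return (scheme, p.hostname.lower(), p.port or {"http": 80, "https": 443}.get(scheme))

def build_xfo(policy, allowed_uri=None):
    """Build one X-Frame-Options value; ALLOW-FROM takes exactly one absolute URI."""
    policy = policy.upper()
    if policy in ("DENY", "SAMEORIGIN"):
        return policy
    if policy == "ALLOW-FROM":
        origin_of(allowed_uri)  # rejects relative or malformed URIs before deployment
        return f"ALLOW-FROM {allowed_uri}"
    raise ValueError(f"unknown X-Frame-Options policy {policy!r}")

def framing_blocked(xfo_value, page_url, embedder_url):
    """Model a browser that honours X-Frame-Options: True if page_url is refused
    inside a frame on embedder_url, False if the frame would render."""
    directive, _, arg = (xfo_value or "").strip().partition(" ")
    directive, arg = directive.upper(), arg.strip()
    if directive == "DENY":
        return True
    if directive == "SAMEORIGIN":
        return origin_of(page_url) != origin_of(embedder_url)
    if directive == "ALLOW-FROM" and arg:
        return origin_of(arg) != origin_of(embedder_url)
    # Missing, empty or unrecognised value: browsers ignore the header and render the frame.
    return False

def audit(headers, page_url, embedder_url):
    """Classify a response's headers as seen from an external page that frames it."""
    xfo = {k.lower(): v for k, v in headers.items()}.get("x-frame-options")
    if xfo is None:
        return "missing: no X-Frame-Options, any site can frame the page"
    if "," in xfo:
        return "misconfigured: several X-Frame-Options values sent, browsers handle this inconsistently"
    if framing_blocked(xfo, page_url, embedder_url):
        return f"ok: {xfo!r} blocks framing from {embedder_url}"
    return f"allowed: {xfo!r} lets {embedder_url} frame the page"

if __name__ == "__main__":  # constructed sample: a Self-Service page framed by an unrelated site
    print(audit({"X-Frame-Options": "SAMEORIGIN"},
                "https://billing.example.com/selfservice/login", "https://other-site.example.net/"))
```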
Integration Guide for Oracle Billing Insight. Copyright © 2016, Oracle and/or its affiliates. All rights reserved.