Protecting against clickjacking

Technical references : Administration : Server Hardening : Protecting against clickjacking

With the upcoming deprecation of third party cookie support by Google (see Privacy Sandbox for the Web for more information), the Planon Self-Service integration support will become deprecated per January 1st 2024. To maintain the same functionality, the link should be opened in a new browser tab instead of using an iframe.

By default, the Planon Web Client is protected against clickjacking. Clickjacking is used to trick the user in clicking and performing an action on a site or application. This is usually done by hiding the real contents by putting a layer on top of the application.

There are two generic implementations to prevent clickjacking: "X-Frame-Options" and "CSP2 header frame-ancestor". They cannot be used out of the box, because both do not support the full set of browsers.

To solve this, Planon implemented a Valve on the Web server, the ClickjackHostValve valve. This valve is specified in the server.xml located in \Server\tomcat-*\conf. It sets runtime the "X-Frame-Options" and the "CSP2 header frame-ancestor" in the header with the correct properties based on the incoming URL.

By default Planon is installed with Planon Web Client setup, allowing only the Web server itself. For Planon Self-Service portal integration, additional configuration is needed. Every portal for which integration is needed requires a DNS alias.

Default installation: Planon Web Client setup

Alternative installation: Planon Self-Service integration setup

For more information about clickjacking in general see Clickjacking. For web applications the issue mainly concerns the IFrame elements.

Portal integration configuration

1. Define DNS aliases for every server for which portal integration is needed.

2. Add a file with the name "portals.txt in …\Server\tomcat-*\conf.

The file must be filled with the DNS aliases and the corresponding URLs.

DNS Alias=Portal URL

For example:

planonportal1.company.com=http://portal1.company.com
planonportal2.company.com=http://portal2.company.com

If an incoming URL is in this file, Planon will allow framing from this location. All other URLs that come in should be from same origin, otherwise framing is blocked.

The file will be picked up automatically. A restart of the Web server is not needed.