Clickjacking Protection


Clickjacking is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages.

Clickjacking Protection in Avi

In Avi Vantage, the clickjacking protection is enabled by default. Clickjacking protection can be disabled, if required. For example, the Horizon integration with iframes does not work with the option enabled. Disable the option by logging into the Controller CLI and entering the commands show below:

$> shell
Login: admin

: > configure systemconfiguration
: systemconfiguration> portal_configuration
: systemconfiguration:portal_configuration> no enable_clickjacking_protection
: systemconfiguration:portal_configuration> save
: systemconfiguration> save
: > exit

Selective Disabling of Clickjacking Protection

Clickjacking comes in many forms.
One such example is when a site maliciously embeds an unsuspecting site within an iframe, effectively showing the child site through their own. Preventing this is easy enough via a few headers on the server. However, it is possible in more robust environments to require enabling iframing sometimes, but not always.

The following DataScript selectively determines if the referring site, determined by the referer header, is allowed to embed this site within an iframe. The list of whitelisted referers is maintained within a separate string group, which allows for an extensive, REST API updatable list without directly modifying the rule with every update.

The following example involves creating a string group, then creating the DataScript which references the string group:

String Group: Allowed-Referer


-- Add to the HTTP Response event
var = avi.http.get_header("referer", avi.HTTP_REQUEST)
if var then
-- The following line strips off the path from the hostname
name = string.match(var, "[https?://]*[^/]+" )
val, match = avi.stringgroup.equals("Allowed-Referer", name)
if match then
-- The referring site is allowed to embed this site within an iframe
avi.http.replace_header("X-Frame-Options", "ALLOW-FROM "
avi.http.replace_header("Content-Security-Policy", "frame-ancestors " .. name)
-- The site may not be iframed
avi.http.replace_header("X-Frame-Options", "DENY")
avi.http.replace_header("Content-Security-Policy", "frame-ancestors 'none'")