
I want to prevent clickjacking attacks in Vaadin 7 and 8 apps. As Vaadin applications are by default designed to be embeddable, some configuration or code is needed to add safety.

Here's my first experiment, which adds an X-Frame-Options header to each response to force the browser to use a same-origin policy.

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.vaadin.server.VaadinServlet;

public class MyVaadinServlet extends VaadinServlet {

    @Override
    protected void service(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {

        // add clickjacking prevention: only pages from the same origin may frame this app
        response.addHeader("X-Frame-Options", "SAMEORIGIN");

        super.service(request, response);
    }

}

I'd like to know if there are better solutions for Vaadin apps, existing Vaadin configuration options that I don't know of, or if this implementation has drawbacks or limitations.

We do have Apache in front of our application, but I don't know if it would be brittle to add header manipulation there instead of having it inside the app itself (where it can be tested and changed easily by developers).
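An added example, not part of the question above: the same protection as a plain servlet Filter (the class name FrameProtectionFilter and the ALLOWED_FRAME_ANCESTORS list are assumptions), which sends the legacy X-Frame-Options header together with its modern replacement, the CSP frame-ancestors directive, on every response of the webapp, so the Vaadin bootstrap page, UIDL responses and static resources are all covered without subclassing VaadinServlet.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not from the question). "/*" maps it to every URL of the
// webapp, so it runs for the Vaadin bootstrap page, UIDL/heartbeat requests and
// static resources alike.
@WebFilter(urlPatterns = "/*")
public class FrameProtectionFilter implements Filter {

    // Additional origins allowed to frame the app, e.g. "https://portal.example".
    // Empty (assumed default here) means: same origin only.
    private static final String[] ALLOWED_FRAME_ANCESTORS = {};

    @Override
    public void init(FilterConfig filterConfig) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse response = (HttpServletResponse) res;
            // setHeader (not addHeader) so a header set elsewhere is replaced
            // rather than duplicated, which browsers treat inconsistently.
            // Legacy header for browsers without CSP level 2 support.
            response.setHeader("X-Frame-Options", "SAMEORIGIN");
            // Modern equivalent; browsers that understand frame-ancestors let it
            // take precedence over X-Frame-Options.
            response.setHeader("Content-Security-Policy",
                    "frame-ancestors " + frameAncestors());
        }
        chain.doFilter(req, res);
    }

    // Builds the frame-ancestors source list: 'self' plus any allowed origins.
    static String frameAncestors() {
        if (ALLOWED_FRAME_ANCESTORS.length == 0) {
            return "'self'";
        }
        return "'self' " + String.join(" ", ALLOWED_FRAME_ANCESTORS);
    }

    @Override
    public void destroy() {}
}
```

Verify with the browser's network panel (or curl -I) that both headers arrive on the bootstrap page and on a UIDL response; if the Apache front end is also configured to set them, make sure the two layers agree on the value.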

