Set Frame Ancestors to Prevent Clickjacking Attacks

Applies to customer-managed instances of Alation

Available from 2024.3.1
Alation helps you prevent clickjacking attacks (also known as UI redress attacks) by adding the frame-ancestors directive to your Alation instance's Content Security Policy (CSP) header. This directive specifies which domains are allowed to embed Alation pages in a frame or iframe. For more information about clickjacking attacks, see the OWASP Clickjacking Defense Cheat Sheet. For more information about the frame-ancestors directive, see MDN Web Docs - Content Security Policy (CSP): frame-ancestors.
Alation automatically adds the value 'self' to the frame-ancestors directive. This means that by default only pages served from the same origin (scheme, host, and port) as your Alation instance can embed Alation pages. For example, if your Alation instance is hosted at https://alation.yourcompany.com, only pages from https://alation.yourcompany.com can embed Alation pages.
You can also use alation_conf to add other domains to the frame-ancestors directive. This allows you to specify additional domains that are allowed to embed Alation pages.
Important
The following changes require you to restart nginx. This means that your Alation instance will be unavailable for a short period of time. We recommend that you make these changes during off-peak hours.
To add a domain to the frame-ancestors directive:

1. Use SSH to connect to the Alation server.

2. Enter the Alation shell using the following command:

   sudo /etc/init.d/alation shell

3. Use alation_conf to set the value of nginx.frame_ancestors to a space-separated list of domains that you want to be able to embed Alation pages. For example, to allow pages from https://example.com and https://subdomain.example.com to embed Alation pages, run the following command:

   alation_conf nginx.frame_ancestors -s 'example.com subdomain.example.com'

   Note

   The value 'self' is always added to the frame-ancestors directive, so you don't need to include it in the list of domains.

4. Deploy the changes by running the following command:

   alation_action deploy_conf_nginx

   Important

   The following step requires you to restart nginx. This means that your Alation instance will be unavailable for a short period of time. We recommend that you run this command during off-peak hours.

5. Restart nginx:

   alation_action stop_nginx
   alation_action start_nginx
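After nginx is back up, it is worth confirming that the CSP header your instance now returns actually allows the embedding origins you intended and nothing else. The checker below is an added example, not Alation's code: it extracts the frame-ancestors directive from a CSP header value and applies the CSP source-matching rules ('self', 'none', scheme-less hosts, *.wildcard hosts, ports) to a candidate embedding origin. It goes beyond the page's example by also handling wildcard hosts and non-default ports; the header string and origins used in the demo are constructed, and a hostname such as alation.yourcompany.com is a placeholder.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def frame_ancestors_sources(csp_header: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp_header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def _origin_parts(url: str) -> Tuple[str, str, Optional[int]]:
    """Normalise a URL to (scheme, host, effective port)."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or ""), u.port or DEFAULT_PORTS.get(scheme)


def _source_matches(source: str, page: str, embedder: str) -> bool:
    """CSP host-source matching for one source expression (no '*' port support)."""
    src = source.lower()
    p_scheme, p_host, p_port = _origin_parts(page)
    e_scheme, e_host, e_port = _origin_parts(embedder)
    if src == "'self'":
        return (p_scheme, p_host, p_port) == (e_scheme, e_host, e_port)
    if src == "'none'":
        return False
    if "://" not in src:
        # Scheme-less host-source: embedder must use the page's scheme (https may frame http)
        if not (e_scheme == p_scheme or (p_scheme == "http" and e_scheme == "https")):
            return False
        src = "//" + src
    s = urlsplit(src)
    if s.scheme and s.scheme != e_scheme:
        return False
    s_host = s.hostname or ""
    if s_host.startswith("*."):  # *.example.com matches a.example.com but not example.com
        if not e_host.endswith(s_host[1:]):
            return False
    elif s_host != e_host:
        return False
    # A source without an explicit port only matches the embedder's default port
    return (s.port or DEFAULT_PORTS.get(e_scheme)) == e_port


def can_embed(csp_header: str, page: str, embedder: str) -> bool:
    """True if a page served with this CSP may be framed by a document at `embedder`."""
    sources = frame_ancestors_sources(csp_header)
    if sources is None:
        return True  # no directive: CSP imposes no framing restriction at all
    return any(_source_matches(s, page, embedder) for s in sources)
```

Feed it the real value of the Content-Security-Policy header (for example from `curl -sI` against your instance) to check each origin you expect to allow or deny.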