Search Engine: Elastic

Article ID: 122714, created on Aug 25, 2014, last review on May 22, 2018

  • Applies to:
  • Operations Automation
  • Business Automation


How to protect OA and billing Control Panels from clickjacking attacks?


Attacks of this type require a black-hat hacker to generate an IFrame using bw_id or sudo parameters to correctly initialize the frame's contents in a victim's browser. This makes it impossible to exploit the clickjack vulnerability on OA/BA control panels as the mentioned parameters are session-based and have limited time of life.

It is possible to protect OA control panel from clickjacking by using a X-Frame-Options HTTP header to prevent framing by external sites. Note that when applied on billing application server, such configuration may lead to incorrect work of OA-BA switch in some cases and hence is not recommended.

  • OA of version 6.0 and earlier:

    1. Modify the /usr/local/pem/etc/branding/branding_htaccess.tmpl file on OA Management node by adding the following line:

      Header always set X-Frame-Options SAMEORIGIN
    2. Modify .branding_htaccess file for each branding server/branding webspace that deals with HTTPS connections on a specific brand by adding the following line:

      Header always set X-Frame-Options SAMEORIGIN

    Example of the .branding_htaccess file location:

    Brand on legacy LSH: /usr/local/pem/vhosts/100001/webspace/httpsdocs/branddomain.tld/.branding_htaccess

    Brand on LSH NG: /var/www/vhosts/2/100008/webspace/httpdocs/branddomain.tld/.branding_htaccess

  • OA of version 7 and later:

    1. Add the following line to .htaccess file for a desired brand. It is usually located at /var/www/brands/<BRAND_NAME>/ folder on UI server:

      Header always set X-Frame-Options SAMEORIGIN
  • Make sure that it is possible to log in to CP, switch to billing and back to the Operations panel;

In order to automate the aforementioned steps and support both OA Management node and BA application server, an internal request PFR-1624 was submitted to the development team. Contact your Technical Account Manager or Pooled Technical Associate Team at to clarify the status of PFR-1624.

5356b422f65bdad1c3e9edca5d74a1ae caea8340e2d186a540518d08602aa065 e12cea1d47a3125d335d68e6d4e15e07 198398b282069eaf2d94a6af87dcb3ff

Email subscription for changes to this article
Save as PDF