Other Security Considerations
The following sections explain additional security considerations that are not options on the Security settings page.
Jenzabar uses the third-party HTMLSanitizer application to remove HTML entered into the text editor that could be used maliciously. For example, a user might try to insert <script>alert('hacked');</script> in the text editor. Administrator users are permitted to do this, but for non-Administrator users the HTMLSanitizer strips out the <script> tags.
When JICS is installed for the first time (new installations), Jenzabar recommends setting the "X-Frame-Options" value in web.config to "SAMEORIGIN" if your application includes embedded content, such as internal dashboards, preview panes, or widgets that rely on iframes from the same origin. This setting helps protect against clickjacking attacks while preserving the functionality of your internal iframe-based components. Clickjacking attacks trick users into clicking a webpage element that is disguised as another element, which may unwittingly lead them to download malware, visit malicious web pages, and so on.
Note: Modifications to the web.config files are NOT recommended on an Upgrade.
Before choosing this setting, you must assess whether any of your pages are legitimately embedded within your own site. If so, "SAMEORIGIN" offers a secure and flexible option. If your application does not require any framing at all, the stricter "DENY" policy may be appropriate.

Three advantages of using "SAMEORIGIN" instead of "DENY" are:
Allows Internal Framing
"SAMEORIGIN" allows your own website to embed its pages within iframes, which is useful if you have internal applications or dashboards that need to embed pages from the same origin. "DENY" completely blocks all iframe embedding.
Better for Web Applications with Frames
If your web application uses iframes for valid reasons (e.g., a dashboard, widgets, or preview panels), "SAMEORIGIN" ensures that these features work within the same domain.
More Flexibility
"SAMEORIGIN" provides security while allowing controlled embedding, whereas "DENY" is more restrictive and may cause usability issues.
If your site has no need for iframes, "DENY" is the strictest and most secure option. It fully prevents clickjacking attacks by blocking all attempts to embed your pages in an iframe.
Use X-Frame-Options: SAMEORIGIN if you need to allow framing within your own site.
Use X-Frame-Options: DENY for the strictest security if you never need iframe embedding.
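The following web.config fragment is an added example, not taken from the JICS documentation or from a Jenzabar-shipped web.config; it shows where an IIS-hosted site sets the X-Frame-Options response header described above. It assumes the IIS 7+ integrated pipeline (the system.webServer/httpProtocol/customHeaders section); the surrounding structure of an actual JICS web.config is not shown on this page, so merge the customHeaders entry into the existing section rather than adding a second system.webServer element.

```xml
<!-- Added example (not from the JICS documentation): setting X-Frame-Options in an IIS web.config.
     Assumes the IIS 7+ integrated pipeline; merge into the site's existing <system.webServer> section. -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Remove any value inherited from a parent (machine-level or site-level) configuration
             so that exactly one X-Frame-Options header is sent. Browsers treat conflicting
             duplicate values unpredictably, and may block all framing as a result. -->
        <remove name="X-Frame-Options" />

        <!-- Recommended for new installations that embed their own pages (dashboards,
             preview panes, widgets) in iframes: only same-origin framing is allowed. -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />

        <!-- Stricter alternative when the site never needs to be framed.
             Use this line INSTEAD of the SAMEORIGIN line above, never both. -->
        <!-- <add name="X-Frame-Options" value="DENY" /> -->
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

After deploying the change, confirm it took effect by requesting any JICS page and inspecting the response headers (browser developer tools, or a HEAD request from the command line): exactly one X-Frame-Options header should appear, carrying the value you chose. If a reverse proxy or load balancer in front of IIS also injects this header, set it in one place only.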