Known Issue: FME Server Apache Tomcat Vulnerability with X-Frame-Options header

Liz Sanderson
Liz Sanderson
  • Updated


Known Issue ID FMESERVER-10761
Discovery 2015
Affects All Versions
Resolved N/A


A security scan has reported that FME Server does not utilise the X-Frame Options header meaning an attacker can exploit vulnerabilities such as clickjacking.



Clickjacking is a technique used by malicious websites to trick a user into divulging confidential information by embedding the target website in an iframe. Check out OWASP to learn more about Clickjacking.

By default, FME Server does not prevent clickjacking as this may disrupt legitimate uses of the web interface. 


To harden FME Server against this vulnerability you can enable the HTTP Header Security filter. This filter is built into FME Server's Web Application Server (Tomcat) and when enabled instructs the user's browser to only allow pages of the same origin to be embedded or reject all embedding.

  1. Download the attached tester.jsp file and place it in <FMEServerInstallDir>\Utilities\tomcat\webapps\ROOT
  2. Open a web browser and navigate to http(s)://<FMEServerHost>/tester.jsp and you should now see your FME Server login page embedded within a test page. 
  3. Run a text editor as an administrator and open web.xml, located in <FMEServerInstallDir>\Utilities\tomcat\conf
  4. Search for <filter-name>httpHeaderSecurity</filter-name>. Two occurrences of this filter will be found; a filter and a filter-mapping element. Uncomment each of these by removing the <-- and --> symbols that are wrapped around the elements.
  5. Add in the following antiClickJackingOption parameter with the value SAMEORIGIN underneath both the the closing </filter> and </filter-mapping> tag.  

      6. Once complete this should look like:

Screen Shot 2021-07-08 at 3.17.32 PM.png


Screen Shot 2021-07-08 at 3.17.58 PM.png

       7. Save the file and restart the FME Web Application Server Service to apply the changes.
       8. In the browser return to http(s)://<FMEServerHost>/tester.jsp and login, this time you'll see a refused to connect error.


       9. Go to <FMEServerInstallDir>\Utilities\tomcat\webapps\ROOT and delete the tester.jsp

Note: Once enabled the httpHeaderSecurity filter will use the default values for all the associated parameters to reject all embedding. These values are listed in the web.xml and if you are wanting other behaviour(e.g. all from same origin) these should be set in the XML accordingly. For more information on these parameters please see the Apache Tomcat Documentation on Container Provided Filters



Was this article helpful?



Please sign in to leave a comment.