Preventing clickjacking attacks with X-Frame-Options header
It is possible to disallow embedding the WebMail Lite interface in an IFrame, which helps prevent clickjacking attacks. This is done by forcing a specific value of the X-Frame-Options HTTP header; you can read more about it at this Wikipedia page.
In the current version, embedding the WebMail Lite interface in an IFrame is disallowed by default. That is achieved by setting the XFrameOptions parameter to "SAMEORIGIN" in the data/settings/config.json file:
"XFrameOptions": [
    "SAMEORIGIN",
    "string",
    null,
    "If set to SAMEORIGIN, disallows embedding product interface into IFrame to prevent from clickjacking attacks"
]
Note that even with this setting applied, you can still embed the interface yourself, as long as WebMail Lite and the page containing the IFrame are within the same domain.
If you wish to allow embedding the WebMail Lite interface in an IFrame, set the "XFrameOptions" value to an empty string.
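The following check is an added example, not code from WebMail Lite: it reads the XFrameOptions entry from a config.json document and models which parent pages a browser would let frame the interface. Browsers compare the full origin (scheme, host and port) for SAMEORIGIN. Assumptions: the function names, the example.com URLs and the sample config are constructed, the key is searched at any nesting depth because the page does not show where it sits in the file, and an empty value is taken to mean no framing restriction.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: only the "XFrameOptions" entry is taken from the page.
SAMPLE_CONFIG = """
{"XFrameOptions": ["SAMEORIGIN", "string", null,
  "If set to SAMEORIGIN, disallows embedding product interface into IFrame to prevent from clickjacking attacks"]}
"""
DEFAULT_PORTS = {"http": 80, "https": 443}

def find_setting(node, key="XFrameOptions"):
    """Return the first array element stored under `key`, at any nesting depth."""
    if isinstance(node, dict):
        entry = node.get(key)
        if isinstance(entry, list) and entry:
            return entry[0]
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            found = find_setting(child, key)
            if found is not None:
                return found
    return None  # key absent from the document

def origin(url):
    """Scheme, host and port: the tuple browsers compare for SAMEORIGIN."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)

def framing_allowed(xfo_value, framed_url, parent_url):
    """Model the browser's decision for one parent page framing the webmail URL."""
    value = str(xfo_value or "").strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin(framed_url) == origin(parent_url)
    return True  # empty or unrecognized value: treated here as no protection

def audit(config_text, framed_url, parent_urls):
    """Map each candidate parent page to whether it could frame the interface."""
    value = find_setting(json.loads(config_text))
    return {p: framing_allowed(value, framed_url, p) for p in parent_urls}

if __name__ == "__main__":
    parents = ["https://mail.example.com/portal", "https://portal.example.com/",
               "http://mail.example.com/"]
    for page, ok in audit(SAMPLE_CONFIG, "https://mail.example.com/", parents).items():
        print("frameable" if ok else "blocked  ", page)
```

With the default setting, a portal on a sibling host or on plain HTTP is reported as blocked, so a planned embedding should be checked against the exact origin that serves WebMail Lite.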