BrisyGarcia
Joined: May 4, 2015
Messages: 65
Offline
Good morning,

I currently have OD 7.2.1. Would you be so kind as to direct me to where, in the OD tool, I can change the x-frame setting to samesite or denied?

In addition, the security scan is also coming back with Insecure Transport.

Any suggestions will be greatly appreciated.

Thank you in advance.
massimo__croci
Joined: Jan 31, 2020
Messages: 518
Offline
Hi. Take a look at:

https://www.devconnectprogram.com/fileMedia/download/d1e60358-b1d5-4e39-9236-ad1b699a59b9
on page 109 for AOD 8.1.1 (latest release)

https://www.devconnectprogram.com/forums/posts/list/24958.page#p163835
BrisyGarcia
Joined: May 4, 2015
Messages: 65
Offline
Does this mean I need to update to OD 8.1.1 for the option to be included in the JSP?
massimo__croci
Joined: Jan 31, 2020
Messages: 518
Offline
AOD 7.x is no longer supported (End of support: December 8, 2021).

Avaya suggests upgrading to the latest release.

If you want to continue using 7.2.1, the doc is here (page 110):
https://www.devconnectprogram.com/fileMedia/download/c9d5b4c6-8de4-4e35-9368-af076a85d93c
BrisyGarcia
Joined: May 4, 2015
Messages: 65
Offline
Good morning, I upgraded the tool to 8.1 as suggested. After importing the project, configuring the tool and running the security scan, the X-Frame vulnerability is still showing up. The Avaya documentation mentions the following:
The header value “X-Frame-Options: SAMEORIGIN” is added by default in the JSP pages generated by Orchestration Designer.
If that is the case, then why is the vulnerability still showing up? How can this be corrected in the tool or code? Please advise.
massimo__croci
Joined: Jan 31, 2020
Messages: 518
Offline
Hi. I pointed you to those links because of what you mentioned. In the second link the development team confirmed ("we are already setting the X-Frame Options. There is not more we need to do"). Could you describe your environment in more detail, and what you are trying to do?
BrisyGarcia
Joined: May 4, 2015
Messages: 65
Offline
The IVR application calls two wrappers, a Dot net webservice and a Service Builder webservice, which are on an IIS Webservices Server 2016 with IIS 6.0. Once compiled and exported with "Enable Speech Synthesis Markup Language" unchecked to exclude the JSP and classes, we deploy the application to the WebSphere server 8.55 integration environment, then the Qualys Security Scan is executed.

I also downloaded the JQuery Mobile, but the JS/CSS/Theme tab under the Orchestration Designer property is not available, and I am not sure how to add it.



BrisyGarcia
Joined: May 4, 2015
Messages: 65
Offline
I have looked in the Avaya documentation for the x-frame options, but it doesn't mention where to go to make the change. Would you please point me in the right direction? Thank you.
massimo__croci
Joined: Jan 31, 2020
Messages: 518
Offline
Hi. Do you want AOD to automatically add the HTTP header "X-Frame-Options: DENY" instead of "X-Frame-Options: SAMEORIGIN" to all generated JSP pages?

The OD documentation says:

"The header value “X-Frame-Options: SAMEORIGIN” is added by default in the JSP pages
generated by Orchestration Designer. You can configure these headers in most web servers
without changing the application for different types of resources. Alternatively, you can implement
and deploy a filter on application server."



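As an added example (not Orchestration Designer's or Avaya's code), here is what the documentation's second option, "implement and deploy a filter on application server", can look like. It assumes the javax.servlet API available on WebSphere 8.5.5 and registration through the application's web.xml; the package, class, filter and init-param names are our own choices. The filter sets the header before the JSP runs and wraps the response so that a later `setHeader`/`addHeader` for X-Frame-Options (for example the SAMEORIGIN value written by the generated JSP) cannot replace the value chosen here.

```java
// Added example: a servlet filter that forces an X-Frame-Options header on
// every response. Not Orchestration Designer code; assumes javax.servlet
// (Servlet 3.0 on WebSphere 8.5.5) and registration through web.xml.
package example.security; // hypothetical package name

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class FrameOptionsFilter implements Filter {

    static final String HEADER = "X-Frame-Options";
    // DENY or SAMEORIGIN are the only values browsers honour for this header.
    private String value = "DENY";

    @Override
    public void init(FilterConfig config) {
        // Optional init-param "mode" (our own name) selects DENY or SAMEORIGIN.
        String mode = config.getInitParameter("mode");
        if (mode == null || "DENY".equalsIgnoreCase(mode)) {
            value = "DENY";
        } else if ("SAMEORIGIN".equalsIgnoreCase(mode)) {
            value = "SAMEORIGIN";
        } else {
            // Fail at deployment rather than silently shipping an unprotected app.
            throw new IllegalArgumentException("mode must be DENY or SAMEORIGIN, got: " + mode);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (!(res instanceof HttpServletResponse)) {
            chain.doFilter(req, res);
            return;
        }
        HttpServletResponse http = (HttpServletResponse) res;
        // Set before the chain runs so the header is present even if the JSP
        // commits the response early; setHeader (not addHeader) avoids a
        // duplicate header, which scanners also flag.
        http.setHeader(HEADER, value);
        // Downstream code (the generated JSP included) cannot overwrite it.
        chain.doFilter(req, new LockedFrameOptionsResponse(http));
    }

    @Override
    public void destroy() { }

    /** Response wrapper that ignores later writes to X-Frame-Options only. */
    static final class LockedFrameOptionsResponse extends HttpServletResponseWrapper {
        LockedFrameOptionsResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void setHeader(String name, String v) {
            if (!HEADER.equalsIgnoreCase(name)) {
                super.setHeader(name, v);
            }
        }

        @Override
        public void addHeader(String name, String v) {
            if (!HEADER.equalsIgnoreCase(name)) {
                super.addHeader(name, v);
            }
        }
    }
}

/* web.xml registration (our own names). The dispatcher elements matter: without
   ERROR, FORWARD and INCLUDE, error pages and forwarded views may be served
   without the header, which is exactly the "one URL missing it" case a scanner
   reports.

<filter>
    <filter-name>FrameOptionsFilter</filter-name>
    <filter-class>example.security.FrameOptionsFilter</filter-class>
    <init-param>
        <param-name>mode</param-name>
        <param-value>DENY</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>FrameOptionsFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>
*/
```

Because the filter is deployed in the application server rather than in the Orchestration Designer project, it applies whether or not the project exposes the JS/CSS/Theme tab. Note that it only addresses the X-Frame-Options finding; the "Insecure Transport" finding from the first post is about serving the application over plain HTTP and is not fixed by any response header.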
massimo__croci
Joined: Jan 31, 2020
Messages: 518
Offline
There's a guide in the AOD Developer's Guide on page 111 (https://www.devconnectprogram.com/fileMedia/download/d1e60358-b1d5-4e39-9236-ad1b699a59b9).

The idea is that you modify the template files in the custom directory and let AOD generate the JSP files for the nodes from the modified template files.



Customizing JSP

About this task

You can have the same look and feel across all the forms in a web application. For example, you can have a header and footer on all pages of your web application matching the company's website. The header will have the company logo and the footer will have the links to general information.

Follow the steps below to customize an application to have a common look-and-feel across multiple pages:

Procedure

1. Right-click the project that you want to customize and click Properties, then click the Orchestration Designer > JS/CSS/Theme tab.

2. In the Properties dialog, select Orchestration Designer > JS/CSS/Theme.

3. Select the "Use custom templates instead of system templates to generate jsp files" check box.

4. Click Ok.
Orchestration Designer automatically adds four new template files, AppRoot_Sample_template.jsp, Form_Sample_template.jsp, Menu_Sample_template.jsp, and Return_Sample_template.jsp, to the custom directory. These new files are the working template files that Orchestration Designer uses to generate JSPs instead of the system template files.

5. Add the HTML code in each of the four files, and save all the changes.
Modify the AppRoot_template.jsp file to use the Start page as your front page. You can ignore this file if the Show Web Content property of the AppRoot node is set to "No".
Modify the Return_template.jsp file to create a unique-looking ending page. This file works for the Return node.
Similarly, modify the Menu_template.jsp and Form_template.jsp for the Menu node and Form node respectively.

6. Right-click the project and then select Orchestration Designer > Generate Project.
Alternatively, you can make changes in the web flow editor and save.
Orchestration Designer regenerates all JSP files in the jsp folder based on the four new template files.
BrisyGarcia
Joined: May 4, 2015
Messages: 65
Offline
Thank you for the information provided. The issue I'm having is that when I get to Orchestration Designer, I don't have JS/CSS/Theme to customize. I've upgraded to OD 8.1 as suggested and still have no JS/CSS tab. I have General, Speech, Languages, Pluggable Connectors and Web Descriptor.
Also, if "The header value "X-Frame-Options: SAMEORIGIN" is added by default in the JSP pages generated by Orchestration Designer...", if it is there by default, then why is it showing up in the vulnerability scan? Shouldn't that have sufficed?
massimo__croci
Joined: Jan 31, 2020
Messages: 518
Offline
The scan should not be reporting the vulnerability if the response headers include X-Frame-Options set to DENY or SAMEORIGIN.

Anyway, it may be possible that a single URL or request did not return the header for some reason and the scanner flagged that one instance.

The issue should be investigated more closely. Any errors/warnings in the logs?

RajatVerma
Joined: Mar 5, 2014
Messages: 101
Offline
Hello Brisy,
If I am not wrong, you have developed an OD speech application, where you are facing this vulnerability, and not an OD web application?
I feel the recommendations suggested are related to web applications and not to speech applications.