The Horizon Connection Server must have X-Frame-Options enabled.
An XCCDF Rule
Description
The X-Frame-Options HTTP header field (RFC 7034), a countermeasure against clickjacking, is enabled by default on the Horizon Connection Server. It can be disabled, usually for troubleshooting purposes, by adding the entry "x-frame-options=OFF" to the locked.properties file. The default configuration must be verified and maintained.
- ID: SV-246907r768681_rule
- Version: HRZV-7X-000026
- Severity: Medium
Remediation Templates
A Manual Procedure
On the Horizon Connection Server, navigate to "<install_directory>\VMware\VMware View\Server\sslgateway\conf".
Open "locked.properties" in a text editor. Remove the following line:
X-Frame-Options=OFF
Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect.
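The check and fix above as a PowerShell script to run on the Connection Server. This is an added example, not part of the STIG or of VMware's tooling; the `-PropertiesPath` and `-Remediate` parameters are this example's own names, and matching the key case-insensitively is an assumption made because the rule spells it both "x-frame-options" and "X-Frame-Options".

```powershell
# Added example: audit (and optionally remove) the X-Frame-Options override.
param(
    [Parameter(Mandatory = $true)]
    [string]$PropertiesPath,   # full path to locked.properties under sslgateway\conf
    [switch]$Remediate         # without this switch the script only reports
)

$ErrorActionPreference = 'Stop'

# No locked.properties means no override entry, so the default (header enabled) applies.
if (-not (Test-Path -LiteralPath $PropertiesPath -PathType Leaf)) {
    Write-Output "PASS: $PropertiesPath not found; X-Frame-Options default is in effect."
    exit 0
}

# Assumption: match the key in any letter case and allow spaces around '='.
# The pattern is anchored at line start, so commented-out entries are ignored.
# Select-String and -notmatch are both case-insensitive by default.
$pattern = '^\s*x-frame-options\s*=\s*off\s*$'
$hits = @(Select-String -LiteralPath $PropertiesPath -Pattern $pattern)

if ($hits.Count -eq 0) {
    Write-Output "PASS: no X-Frame-Options=OFF entry in $PropertiesPath."
    exit 0
}

foreach ($hit in $hits) {
    Write-Output ("FINDING: line {0}: {1}" -f $hit.LineNumber, $hit.Line.Trim())
}
if (-not $Remediate) { exit 1 }

# Keep a backup, then rewrite the file without the offending line(s).
Copy-Item -LiteralPath $PropertiesPath -Destination "$PropertiesPath.bak" -Force
$kept = @(Get-Content -LiteralPath $PropertiesPath | Where-Object { $_ -notmatch $pattern })
Set-Content -LiteralPath $PropertiesPath -Value $kept

# The change takes effect only after the service restarts (display name as given above).
Restart-Service -DisplayName 'VMware Horizon View Connection Server'
Write-Output "FIXED: removed $($hits.Count) line(s); backup saved as $PropertiesPath.bak."
exit 0
```

Run without `-Remediate` for a read-only audit: exit code 0 means compliant and 1 means a finding.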