How can I prevent other pages from loading PRTG in a frame?


I would like to block the possibility that the HTML pages of my PRTG installation can be loaded in an iframe. This security enhancement would help avoid potential attacks. How can I deny rendering PRTG pages in frames?

clickjacking frames iframe prtg reghack registry security x-frame

Created on Jun 11, 2014 4:13:57 PM by  Gerald Schoch [Paessler Support]



1 Reply

Accepted Answer


This article applies as of PRTG 20

Denying other sources to load PRTG in frames

PRTG provides the option to disallow the rendering of HTML pages from PRTG in frames (<frame>, <iframe>, <object>). The corresponding registry key option makes use of the X-Frame-Options HTTP response header. This security enhancement helps to avoid clickjacking attacks on your PRTG installation.

You can use two values from X-Frame-Options with PRTG:

  • DENY: No site can load PRTG pages in frames. Caution: This option also prevents Maps from being loaded.
  • SAMEORIGIN: Only sites on the PRTG core server can load PRTG pages in frames.

Depending on the option you choose, the result of this registry hack is that the permission to load any HTML content of PRTG into a frame will be denied. For details, see also Mozilla Developer Network: The X-Frame-Options response header.


Note: Regardless of the value you use in the registry key, PRTG never allows login forms in frames.


See below for further instructions on how to include the X-Frame-Options header to protect PRTG against clickjacking attacks.

Steps to take

Caution: Back up your system before manipulating the Windows registry!

  1. Open the registry editor and navigate to the following key:
    1. On a 64-bit Windows system, navigate to HKEY_LOCAL_MACHINE\Software\Wow6432Node\Paessler\PRTG Network Monitor\Server\Webserver
    2. On a 32-bit Windows version, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Paessler\PRTG Network Monitor\Server\Webserver
  2. Create a new String value:
    1. In the current path, right-click to open the context menu.
    2. Choose New | String.
    3. Name the new value xframeoptions.
  3. Set the value of xframeoptions to DENY or SAMEORIGIN (see definitions above):
    1. Right-click xframeoptions.
    2. Select Modify.
    3. Enter the desired X-Frame-Options mode into the value field.
    4. Confirm with Ok.
  4. Restart the server to activate the settings.

With this registry key option, HTML pages of PRTG cannot be loaded in frames anymore. With DENY, this holds for all request sources (including Maps); SAMEORIGIN allows the use of PRTG pages in frames as long as the site including the frame is on the same server as PRTG.

Created on Jun 11, 2014 4:17:34 PM by  Gerald Schoch [Paessler Support]

Last change on Apr 23, 2020 8:55:22 AM by  Brandy Greger [Paessler Support]
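
The registry steps from the answer above, scripted in PowerShell with a header check to run after the restart. This is an added example, not Paessler code or part of the original answer; the `-VerifyUrl` parameter and the backup file name are assumptions introduced for illustration.

```powershell
# Added example (not Paessler code). Run elevated on the PRTG core server.
param(
    [ValidateSet('DENY', 'SAMEORIGIN')]
    [string]$Mode = 'SAMEORIGIN',   # DENY also prevents Maps from loading, per the article
    [string]$VerifyUrl              # assumption: URL of a PRTG page to check after the restart
)

# Registry keys named in the article: 64-bit Windows first, then 32-bit
$candidates = @(
    'HKLM:\SOFTWARE\Wow6432Node\Paessler\PRTG Network Monitor\Server\Webserver',
    'HKLM:\SOFTWARE\Paessler\PRTG Network Monitor\Server\Webserver'
)

if (-not $VerifyUrl) {
    $key = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $key) { throw 'PRTG Webserver registry key not found on this machine.' }

    # Back up the key before changing it (reg.exe expects HKLM\..., not HKLM:\...)
    $backup = Join-Path $env:TEMP ('prtg-webserver-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export ($key -replace '^HKLM:', 'HKLM') $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; nothing was changed.' }

    # Create the String value, or overwrite it if it already exists
    New-ItemProperty -LiteralPath $key -Name 'xframeoptions' -Value $Mode `
        -PropertyType String -Force | Out-Null
    $set = (Get-ItemProperty -LiteralPath $key -Name 'xframeoptions').xframeoptions
    Write-Host "xframeoptions = $set (backup: $backup). Restart the server to activate it."
}
else {
    # After the restart: confirm the X-Frame-Options header is actually sent.
    # Headers are a string in Windows PowerShell 5.1 and a string array in PowerShell 7.
    $resp   = Invoke-WebRequest -Uri $VerifyUrl -UseBasicParsing
    $actual = @($resp.Headers['X-Frame-Options']) -join ','
    if ($actual -ieq $Mode) {
        Write-Host "OK: X-Frame-Options: $actual"
    }
    else {
        Write-Warning "Expected '$Mode', got '$actual' from $VerifyUrl"
        exit 1
    }
}
```

Because the answer notes that PRTG never allows login forms in frames regardless of the registry value, a response that serves the login form may not reflect this setting; point `-VerifyUrl` at a page other than the login form when checking.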



