This article applies as of PRTG 20
Denying other sources to load PRTG in frames
PRTG provides the option to disallow the rendering of HTML pages from PRTG in frames (<frame>, <iframe>, <object>). The corresponding registry key option makes use of the X-Frame-Options HTTP response header. This security enhancement helps to avoid clickjacking attacks on your PRTG installation.
You can use two values from X-Frame-Options with PRTG:
- DENY: No site can load PRTG pages in frames. Caution: This option also prevents Maps from being loaded.
- SAMEORIGIN: Only sites on the PRTG core server can load PRTG pages in frames.
Depending on the option you choose, the result of this registry hack is that the permission to load any HTML content of PRTG into a frame will be denied. For details, see also Mozilla Developer Network: The X-Frame-Options response header.
Note: Regardless of the value you use in the registry key, PRTG never allows login forms in frames.
See below for further instructions on how to include the X-Frame-Options header to protect PRTG against clickjacking attacks.
Steps to take
Caution: Back up your system before manipulating the Windows registry!
- Open the registry editor and navigate to the following key:
- On a 64-bit Windows system, navigate to
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Paessler\PRTG Network Monitor\Server\Webserver
- On a 32-bit Windows version, navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Paessler\PRTG Network Monitor\Server\Webserver
- Create a new String value:
- In the current path, right-click to open the context menu.
- Choose New | String.
- Name the new value xframeoptions.
- Set the value of xframeoptions to DENY or SAMEORIGIN (see definitions above):
- Right-click xframeoptions
- Select Modify.
- Enter the desired X-Frame-Options mode into the value field.
- Confirm with Ok.
- Restart the server to activate the settings.
With this registry key option, HTML pages of PRTG cannot be loaded in frames anymore. With DENY, this holds for all request sources (including Maps), SAMEORIGIN allows the use of PRTG pages in frames as long as the site including the frame is on the same server as PRTG.