How can I prevent other pages from loading PRTG in a frame?


I would like to block the possibility that the HTML pages of my PRTG installation can be loaded in an iframe. This security enhancement would help avoid potential attacks. How can I deny rendering PRTG pages in frames?

clickjacking frames iframe prtg reghack registry security x-frame

Created on Jun 11, 2014 4:13:57 PM by  Gerald Schoch [Paessler Support]



1 Reply

Accepted Answer


This article applies to PRTG Network Monitor 14.x.11 or later

Denying Other Sources to Load PRTG in Frames

PRTG Network Monitor provides the option to disallow rendering HTML pages from PRTG in frames (<frame>, <iframe>, <object>). The corresponding registry key option makes use of the X-Frame-Options HTTP response header. This security enhancement helps avoid clickjacking attacks on your PRTG installation.

You can use two values from X-Frame-Options with PRTG:

  • DENY: No site can load PRTG pages in frames. Caution: This option also prevents loading Maps!
  • SAMEORIGIN: Only sites on the PRTG server can load PRTG pages in frames.

Depending on which option you choose, the result of this reghack is that the permission to load any HTML content of PRTG into a frame will be denied. For details, see also Mozilla Developer Network: The X-Frame-Options response header.

See below for further instructions about how to include the X-Frame-Options header to protect PRTG against clickjacking attacks.


Steps to Go

Caution: Please back up your system before manipulating the Windows registry!

  1. Open the registry editor and navigate to the following key:
    1. On a 64-bit Windows system, navigate to HKEY_LOCAL_MACHINE\Software\Wow6432Node\Paessler\PRTG Network Monitor\Server\Webserver
    2. On a 32-bit Windows version, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Paessler\PRTG Network Monitor\Server\Webserver
  2. Create a new String value:
    1. In the current path, right-click to open the context menu.
    2. Choose New | String.
    3. Name the new value xframeoptions
  3. Set the value of xframeoptions to DENY or SAMEORIGIN (see definitions above):
    1. Right-click on xframeoptions
    2. Select Modify….
    3. Enter the desired X-Frame-Options mode into the value field.
    4. Confirm with Ok.
  4. Reboot the server to activate the settings.

With this registry key option, HTML pages of PRTG cannot be loaded in frames anymore. With DENY, this holds for all request sources (including PRTG Maps!); SAMEORIGIN allows using PRTG pages in frames as long as the site including the frame is on the same server as PRTG.

Created on Jun 11, 2014 4:17:34 PM by  Gerald Schoch [Paessler Support]

Last change on Aug 14, 2014 4:58:16 PM by  Gerald Schoch [Paessler Support]
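
The registry steps from the answer above, scripted in PowerShell together with a check that the header is actually sent after the reboot. This is an added example, not Paessler's code: the `-Mode`, `-PrtgUrl` and `-VerifyOnly` parameters and the URL `https://prtg.example.local/` are assumptions, and it expects an elevated prompt on the PRTG server and a certificate that the server trusts.

```powershell
# Added example (not Paessler's code). Run elevated on the PRTG core server.
param(
    [ValidateSet('DENY', 'SAMEORIGIN')]
    [string]$Mode = 'SAMEORIGIN',                      # DENY also blocks PRTG Maps
    [string]$PrtgUrl = 'https://prtg.example.local/',  # placeholder URL (assumption)
    [switch]$VerifyOnly                                # use after the reboot
)

# Registry paths as given in the article for 64-bit and 32-bit Windows.
$key = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\Software\Wow6432Node\Paessler\PRTG Network Monitor\Server\Webserver'
} else {
    'HKLM:\SOFTWARE\Paessler\PRTG Network Monitor\Server\Webserver'
}
if (-not (Test-Path -Path $key)) {
    throw "Registry key not found: $key"
}

if (-not $VerifyOnly) {
    # Export the key first so the change can be rolled back.
    $backup = Join-Path $env:TEMP ('prtg-webserver-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export ($key -replace '^HKLM:', 'HKLM') $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; nothing was changed.' }

    # Create (or overwrite) the String value named in the article.
    New-ItemProperty -Path $key -Name 'xframeoptions' -PropertyType String -Value $Mode -Force | Out-Null
    Write-Output "xframeoptions = $Mode (backup: $backup). Reboot, then re-run with -VerifyOnly."
    return
}

# After the reboot: compare the configured value with what the web server sends.
$configured = (Get-ItemProperty -Path $key).xframeoptions
$response   = Invoke-WebRequest -Uri $PrtgUrl -UseBasicParsing
# Header values are strings in Windows PowerShell and arrays in PowerShell 7.
$sent = @($response.Headers['X-Frame-Options']) -join ','

if ([string]::IsNullOrEmpty($sent)) {
    Write-Warning "No X-Frame-Options header from $PrtgUrl; the setting is not active."
} elseif ($sent -ne $configured) {
    Write-Warning "Header is '$sent' but the registry value is '$configured'."
} else {
    Write-Output "OK: $PrtgUrl sends X-Frame-Options: $sent"
}
```

If `SAMEORIGIN` is chosen, open a PRTG Map after the check to confirm that it still renders.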





Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.