Clickjacking in Red5 Server and global Web.xml is not found
LakshmiPhani7680 opened this issue · comments
Issue
Short description
Brief description of what happened
We are trying to add headers in Red5 media server to avoid clickjacking, but unfortunately the headers aren't getting reflected. Please give us a way to avoid the clickjacking vulnerability and tell us how to add headers in Red5 media server.
Environment
[] Operating system and version:
[] Java version: jdk8 we are using in red5
[] Red5 version: No idea how to find it.
@LakshmiPhani7680 could you provide more information on the exploit?
Hi @mondain,
Thank you for the response. In general, if I want to add request or response headers for the Red5 server, where do I need to add them? In the web.xml file somewhere in /webapps/vod/, right? Or anywhere else? Because the Red5 server which we are using has this clickjacking vulnerability, as it doesn't have the desired headers to avoid this vulnerability.
Hi @mondain,
Yeah sure, will send on Monday. But can you please tell me in general how to add request/response headers like X-Frame-Options for Red5 media server?
Thank you
The default JEE container used in Red5 is Tomcat; so you'll want to look at that specifically. If I wanted to inject headers from the server side, I'd add a context listener or servlet filter.
Hi @mondain ,
Thank you for the response,
So without Tomcat, Red5 won't work? Or only the headers related?
The global web.xml for Tomcat is not used in Red5; each app has its own web.xml, so if you cannot sort it out there, you'll have to add a context listener or servlet filter.
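A servlet filter of the kind suggested in the reply above could look like the following. This is an added example, not code from the thread or from the Red5 project; the package, class name, filter name and `mode` init parameter are hypothetical, and it assumes the `javax.servlet` API (Java 8 era Tomcat) with the compiled class placed under the application's `WEB-INF/classes`.

```java
package com.example.red5; // hypothetical package and class name

import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Adds anti-framing headers to every HTTP response of one web application.
// Assumed registration in that application's own WEB-INF/web.xml:
//   <filter>
//     <filter-name>antiFraming</filter-name>
//     <filter-class>com.example.red5.AntiFramingFilter</filter-class>
//     <init-param><param-name>mode</param-name><param-value>SAMEORIGIN</param-value></init-param>
//   </filter>
//   <filter-mapping>
//     <filter-name>antiFraming</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
public class AntiFramingFilter implements Filter {
    private String xfo = "DENY";                    // strict default: no framing at all
    private String csp = "frame-ancestors 'none'";  // CSP equivalent for modern browsers

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String mode = cfg.getInitParameter("mode");
        if (mode == null || "DENY".equalsIgnoreCase(mode)) {
            return; // keep the strict default
        }
        if (!"SAMEORIGIN".equalsIgnoreCase(mode)) {
            // Fail at deployment instead of silently sending a header browsers ignore.
            throw new ServletException("mode must be DENY or SAMEORIGIN, got: " + mode);
        }
        xfo = "SAMEORIGIN";
        csp = "frame-ancestors 'self'";
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            // Set before chain.doFilter(): headers set after the response is committed are ignored.
            http.setHeader("X-Frame-Options", xfo);
            http.setHeader("Content-Security-Policy", csp);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

The filter only covers the web application whose `web.xml` declares it, so each application that serves HTML needs its own declaration. If the application sets its own `Content-Security-Policy` later in the chain, that value replaces the one set here and should include a `frame-ancestors` directive.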
I have added some tags in web.xml, but they are not getting reflected, so I placed a proxy in front of Red5. But I just need to know how to add them for Red5 itself without using any other proxy servers.