This article was created in response to a support issue logged with K2. The content may include typographical errors and may be revised at any time without notice This article is not considered official documentation for K2 software and is provided “as is” with no warranties.

Issue

Security penetration tests conducted on a K2 environment may classify K2 sites to be vulnerable to clickjacking.

"Clickjacking is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages". (source

Symptoms

This site can be used to check whether a page is vulnerable to clickjacking.
Image

Troubleshooting Steps

Microsoft has an article published showing how this can be mitigated:

  1. Open the Internet Information Services (IIS) Manager.
  2. Expand Sites then select your K2 Site.
  3. Open HTTP Response Headers.
  4. Under the Actions pane, click Add.
  5. Add in the following header:
    Name: X-Frame-Options
    Value: SAMEORIGIN
    Image
  6. Click on OK.