| Requires Admin Access: | Yes |
| Credit: | Internal Security Team |
It is possible to "clickjack" the dotCMS admin console, which is rendered inside a frameset. We need to add an `X-Frame-Options: DENY` / `X-Frame-Options: SAMEORIGIN` header to all responses (both CMS admin and end-user requests).
If you would also like to include frame-busting code, use a static plugin to override /html/common/top_inc.jsp and set the appropriate response headers there, like this:
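The following is an added example of such an override; it is not dotCMS's own top_inc.jsp and not code from the original advisory. It assumes the fragment is included at the top of every page, before any output is written, so the response is not yet committed and headers can still be set. It goes slightly beyond the advisory by also emitting the equivalent `Content-Security-Policy: frame-ancestors` directive, which newer browsers honour in preference to `X-Frame-Options`.

```jsp
<%-- Added example (not the dotCMS top_inc.jsp): anti-framing headers plus a
     JavaScript frame-busting fallback for browsers that ignore the header.
     Assumes this fragment runs before the response is committed. --%>
<%
    // SAMEORIGIN rather than DENY: the admin console itself runs inside a
    // frameset served from this same origin, so DENY would break the console
    // while SAMEORIGIN still blocks framing by any foreign site.
    if (!response.isCommitted()) {
        response.setHeader("X-Frame-Options", "SAMEORIGIN");
        // CSP equivalent (beyond what the advisory lists); same policy.
        response.setHeader("Content-Security-Policy", "frame-ancestors 'self'");
    }
%>
<script type="text/javascript">
    // Frame-busting fallback: if this document is loaded in a frame whose top
    // window belongs to a different origin, navigate the top window to this
    // page so the attacker's overlay is replaced by the real console.
    (function () {
        try {
            if (window.top !== window.self &&
                window.top.location.host !== window.location.host) {
                window.top.location = window.self.location;
            }
        } catch (e) {
            // Reading window.top.location cross-origin throws a SecurityError;
            // that by itself means a foreign origin framed us, so bust out.
            window.top.location = window.self.location;
        }
    })();
</script>
```

To verify the change after deploying the plugin, request any admin or front-end page and confirm the `X-Frame-Options` header is present on the response; a page that has already flushed output before this include runs will silently lack the header, which is why the fragment belongs at the very top of the page.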