Save 15% on Instant Deploy Bare-Metal Servers in 26 Global Markets with Coupon Code: EdgeSave

How to Enable Protection Against Clickjacking in Plesk Onyx

If you’re a Plesk user running the Plesk Onyx control panel, your server might be vulnerable to a malicious technique known as clickjacking. For those unfamiliar with the term, clickjacking (also known as a “UI redress attack”) is a technique involving transparent overlays where a user is tricked into clicking something different than they perceive. By placing these transparent overlays over images, links, or buttons online, malicious actors can gain access to your server, allowing them to execute harmful commands or extract data. When Plesk is opened within a frame (or separate area of a webpage), it leaves users vulnerable to this type of attack.

So how can you protect yourself from clickjacking? Luckily, you can prevent your server from being clickjacked using the sameOriginOnly setting in the panel.ini file.

*NOTE: This solution works by preventing Plesk pages from opening within frames on any website. This includes all domains and is not exclusive to sites that may be malicious in origin.

 

Enabling Clickjacking Protection in Plesk

To protect your server from clickjacking, just follow these 5 steps:

  1. For Linux, you’ll first need to log in to your Plesk Onyx server as the root user using your preferred ssh client.
     
  2. Next, edit the file panel.ini located at /usr/local/psa/admin/conf using the command:
     
    nano /usr/local/psa/admin/conf/panel.ini
     
  3. If the file does not already exist, create it using the touch command.
     
  4. Within the /conf file, add the following lines:
     
    [security]

     
    sameOriginOnly = true
     
  5. Finally, just save the file and you are done.

And there you have it! Your server is now protected from clickjacking.

 

Need More Personalized Help?

If you have any further issues, questions, or would like some assistance checking on this or anything else, please reach out to us from your my.hivelocity.net account -> Support and provide your server credentials within the encrypted field for the best possible security and support.

If you are unable to reach your my.hivelocity.net account or if you are on the go, please reach out from your valid my.hivelocity.net account email to us here at: support@hivelocity.net. We are also available to you through our phone and live chat system 24/7/365.

 

Additional Links:

Looking for more information on Plesk? Search our Knowledge Base!  

In need of more great content? Interested in VPS, Private Cloud, or Colocation? Check out our recent posts for more news, guides, and industry insights!

Share on Twitter
Share on Facebook