Security

iFrame Support

By default, AlphaTrust e-Sign prevents its signing pages from being embedded in iFrames. This is a security best practice to protect against clickjacking attacks.

Why iFrames Are Disabled by Default

Clickjacking Protection

Clickjacking (also known as "UI redress attack") is a malicious technique where an attacker tricks users into clicking on something different from what they perceive. In a clickjacking attack:

  1. An attacker creates a malicious website
  2. The attacker embeds your legitimate signing page in a hidden or transparent iFrame
  3. The attacker overlays deceptive UI elements on top
  4. Users believe they are interacting with the visible page, but their clicks are actually captured by the hidden iFrame containing your signing application

This could potentially trick users into:

  • Signing documents they didn't intend to sign
  • Approving transactions without their knowledge
  • Disclosing sensitive authentication credentials

Security Headers

AlphaTrust e-Sign uses the X-Frame-Options HTTP response header to prevent browsers from rendering the application within an iFrame. This header instructs browsers to block any attempt to embed the page in a <frame>, <iframe>, <embed>, or <object> element.

Security Consideration

Only enable iFrame support if you have a legitimate business requirement and understand the security implications. When enabling iFrame support, ensure you have other security measures in place such as Content Security Policy (CSP) headers with appropriate frame-ancestors directives.

Enabling iFrame Support

If you have a valid business requirement to embed the AlphaTrust e-Sign signing application within an iFrame (such as embedding within your own secure portal), you can enable iFrame support by modifying the Web.config files.

Configuration Files to Modify

You will need to modify two Web.config files:

  1. Sign Application: /AlphaTrust/Pronto/WebApps/Sign/Web.config
  2. Sign API: /AlphaTrust/Pronto/WebApps/SignApi/Web.config

Steps to Enable iFrame Support

  1. Open each Web.config file in a text editor with administrator privileges.
  2. Locate the <customHeaders> section within <system.webServer><httpProtocol>:
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="DENY" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
  3. Comment out the X-Frame-Options header node. Use a tight comment format to preserve the original configuration for reference during updates:
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <!--<add name="X-Frame-Options" value="DENY" />-->
    </customHeaders>
  </httpProtocol>
</system.webServer>

Update Preservation

Using the tight comment format <!--<add .../>--> ensures that during product updates, the installer recognizes that the node was intentionally commented out rather than missing, preventing it from being automatically re-added.

  4. Save the Web.config files.
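Because the difference between a header that was deliberately commented out and one that is simply missing matters here, a small audit script is useful after editing the files. The following Python is an added example, not AlphaTrust's own tooling: it parses the customHeaders section of a Web.config (keeping XML comments so the tight-comment form is recognised), reports the active X-Frame-Options value, whether it survives only as a comment, and whether a Content-Security-Policy frame-ancestors fallback is active. The three embedded Web.config documents are constructed for the example; audit_file can be pointed at the Sign and SignApi paths listed above.

```python
"""Audit the <customHeaders> section of an ASP.NET Web.config for clickjacking
protection. The sample documents below are constructed for this example, and
the parsing approach is an assumption about how one might check the files; it
is not AlphaTrust's own tooling."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the shipped default, framing blocked.
DEFAULT_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="DENY" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""

XFO_DENY = '<add name="X-Frame-Options" value="DENY" />'

# Constructed sample: iFrame support enabled using the tight comment format.
ENABLED_CONFIG = DEFAULT_CONFIG.replace(XFO_DENY, "<!--" + XFO_DENY + "-->")

# Constructed sample: header commented out, but a CSP frame-ancestors fallback added.
CSP_CONFIG = DEFAULT_CONFIG.replace(
    XFO_DENY,
    "<!--" + XFO_DENY + "-->\n        "
    '<add name="Content-Security-Policy" '
    "value=\"frame-ancestors 'self' https://portal.example.com\" />")

# Matches an <add .../> node that survives only inside an XML comment.
COMMENTED_ADD = re.compile(r'<add\s+name="([^"]+)"\s+value="([^"]*)"\s*/>')


def audit_custom_headers(xml_text):
    """Classify a Web.config's framing protection.

    Returns a dict with the active X-Frame-Options value (or None), whether
    that header is present only as a comment, whether a CSP frame-ancestors
    directive is active, and an overall status.
    """
    # insert_comments=True keeps <!-- --> nodes, so a deliberately commented-out
    # header can be told apart from one that is simply missing.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    active, commented = {}, {}
    for headers in root.iter("customHeaders"):
        for node in headers:
            if node.tag is ET.Comment:
                match = COMMENTED_ADD.search(node.text or "")
                if match:
                    commented[match.group(1)] = match.group(2)
            elif node.tag == "add":
                active[node.get("name", "")] = node.get("value", "")

    xfo = active.get("X-Frame-Options")
    csp = active.get("Content-Security-Policy", "")
    has_frame_ancestors = "frame-ancestors" in csp.lower()
    if xfo is not None and xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        status = "protected"            # browser refuses cross-site framing
    elif has_frame_ancestors:
        status = "restricted-by-csp"    # only the listed ancestors may frame
    elif "X-Frame-Options" in commented:
        status = "framing-enabled"      # intentionally disabled, no fallback
    else:
        status = "missing"              # neither header configured at all
    return {
        "x_frame_options": xfo,
        "commented_out": "X-Frame-Options" in commented,
        "csp_frame_ancestors": has_frame_ancestors,
        "status": status,
    }


def audit_file(path):
    """Audit a Web.config on disk, e.g. the Sign and SignApi files named above."""
    with open(path, encoding="utf-8-sig") as fh:  # Web.config files often carry a BOM
        return audit_custom_headers(fh.read())


if __name__ == "__main__":
    for label, doc in (("default", DEFAULT_CONFIG), ("enabled", ENABLED_CONFIG),
                       ("csp", CSP_CONFIG)):
        print(label, audit_custom_headers(doc))
```

A status of framing-enabled on either file is the condition the Security Consideration above warns about: the header is off and nothing else restricts who may embed the signing page.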

Alternative: Restrict to Specific Origins

Instead of completely disabling frame protection, consider using the SAMEORIGIN value or implementing Content Security Policy headers to restrict which domains can embed your signing application:

Option 1: Allow Same Origin Only

<add name="X-Frame-Options" value="SAMEORIGIN" />

Option 2: Use Content Security Policy (Recommended)

<add name="Content-Security-Policy" value="frame-ancestors 'self' https://yourdomain.com" />

Important

The X-Frame-Options header with the ALLOW-FROM directive is deprecated and not supported by modern browsers. Use the Content Security Policy frame-ancestors directive instead for origin-specific restrictions.
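To make the behaviour of these options concrete, here is an added Python example (not part of the AlphaTrust documentation or product) that takes a set of response headers and decides whether a given embedding origin would be allowed to frame the page. It models DENY, SAMEORIGIN, the deprecated ALLOW-FROM (treated as unsupported, so the header is ignored and framing is allowed), and CSP frame-ancestors. It goes a little beyond the text in two places: it applies the CSP rule that frame-ancestors takes precedence over X-Frame-Options when both headers are present, and it handles wildcard subdomain sources such as *.example.com. All origins and header values are constructed, and scheme-less host sources are simplified to match http or https.

```python
"""Decide whether a response's headers let a given origin frame the page.
Models X-Frame-Options DENY/SAMEORIGIN, the deprecated ALLOW-FROM, and the
CSP frame-ancestors directive ('self', 'none', scheme sources and host
sources with wildcard subdomains). Origins below are constructed examples."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_parts(origin):
    """Split 'https://host[:port]' into (scheme, host, port), filling in the default port."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def host_source_matches(source, ancestor):
    """Match a CSP host-source or scheme-source against a (scheme, host, port) tuple."""
    a_scheme, a_host, a_port = ancestor
    if source == "*":
        return True
    if "://" not in source and source.endswith(":"):       # scheme-source, e.g. "https:"
        return a_scheme == source[:-1].lower()
    scheme, sep, hostport = source.partition("://")
    if not sep:                                             # no scheme in the source
        scheme, hostport = "", scheme
    host, _, port = hostport.partition(":")
    if scheme and scheme.lower() != a_scheme:
        return False
    if not scheme and a_scheme not in DEFAULT_PORTS:        # simplification: scheme-less
        return False                                        # sources cover http/https only
    host = host.lower()
    if host.startswith("*."):
        # "*.example.com" matches a sub-domain, never the bare apex.
        suffix = host[1:]
        if not (a_host.endswith(suffix) and len(a_host) > len(suffix)):
            return False
    elif host != a_host:
        return False
    if port == "":
        return a_port == DEFAULT_PORTS.get(a_scheme)        # omitted port: default only
    return port == "*" or (port.isdigit() and int(port) == a_port)


def may_be_framed(headers, page_origin, ancestor_origin):
    """Return (allowed, reason) for the page at page_origin framed by ancestor_origin.

    Per CSP, a frame-ancestors directive takes precedence over X-Frame-Options
    when both headers are present.
    """
    h = {k.lower(): v for k, v in headers.items()}
    page, anc = origin_parts(page_origin), origin_parts(ancestor_origin)

    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if not tokens or tokens[0].lower() != "frame-ancestors":
            continue
        for source in tokens[1:]:
            s = source.lower()
            if s == "'none'":
                return False, "frame-ancestors 'none'"
            if s == "'self'" and anc == page:
                return True, "frame-ancestors 'self'"
            if not s.startswith("'") and host_source_matches(source, anc):
                return True, "frame-ancestors " + source
        return False, "frame-ancestors: no source matched"

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return anc == page, "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        # Modelled as: modern browsers do not support ALLOW-FROM and ignore the header.
        return True, "X-Frame-Options ALLOW-FROM is deprecated and ignored"
    return True, "no framing restriction"


if __name__ == "__main__":
    page = "https://sign.example.com"
    for hdrs in ({"X-Frame-Options": "DENY"},
                 {"X-Frame-Options": "SAMEORIGIN"},
                 {"Content-Security-Policy": "frame-ancestors 'self' https://portal.example.com"},
                 {"X-Frame-Options": "ALLOW-FROM https://portal.example.com"}):
        for ancestor in (page, "https://portal.example.com", "https://other.example.net"):
            print(hdrs, ancestor, may_be_framed(hdrs, page, ancestor))
```

Running the block shows why the page recommends Option 2: DENY blocks everyone including your own portal, SAMEORIGIN only helps when the portal shares the signing page's origin, ALLOW-FROM leaves the page unprotected in browsers that do not understand it, and only frame-ancestors lets you name the one portal origin that is allowed while refusing everything else.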

Reverting to Default Security

To re-enable clickjacking protection, simply uncomment the X-Frame-Options nodes in both Web.config files:

<customHeaders>
  <add name="X-Frame-Options" value="DENY" />
</customHeaders>