logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 



Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.



Mitigate ClickJacking attacks with Header X-Frame-Options

 
Post new topic   Reply to topic    Apache Forum Index -> How-to's & Documentation & Tips



View previous topic :: View next topic  
Author Message
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2574
Location: Hilversum, NL, EU

PostPosted: Tue 23 Apr '13 20:30    Post subject: Mitigate ClickJacking attacks with Header X-Frame-Options Reply with quote

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites.

There are three possible values for X-Frame-Options:

DENY
The page cannot be displayed in a frame, regardless of the site attempting to do so.

SAMEORIGIN
The page can only be displayed in a frame on the same origin as the page itself.

ALLOW-FROM uri
The page can only be displayed in a frame on the specified origin.

At Apachelounge there is set in httpd.conf:
Code:
Header always append X-Frame-Options SAMEORIGIN


For more info on Clickjacking, see for example:

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx


Steffen
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6225
Location: Germany, Next to Hamburg

PostPosted: Wed 24 Apr '13 10:37    Post subject: Reply with quote

in my PHP scripts I use some more

Code:

header('X-Frame-Options: DENY');
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
Back to top
Jan-E



Joined: 09 Mar 2012
Posts: 785
Location: Amsterdam, NL, EU

PostPosted: Wed 24 Apr '13 23:13    Post subject: Reply with quote

@Steffen: inspired by PHP developer Pierre Joye? Or is it coincidental:
https://twitter.com/PierreJoye/status/326745772903243776
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2574
Location: Hilversum, NL, EU

PostPosted: Wed 24 Apr '13 23:37    Post subject: Reply with quote

Yep. I follow him closely on twitter and php list where you are also active.

Steffen
Back to top


Post new topic   Reply to topic    Apache Forum Index -> How-to's & Documentation & Tips
Page 1 of 1