Topic: Mitigate ClickJacking attacks with Header X-Frame-Options

Steffen (Moderator)
Joined: 15 Oct 2005
Posts: 3130
Location: Hilversum, NL, EU

Posted: Tue 23 Apr '13 20:30    Post subject: Mitigate ClickJacking attacks with Header X-Frame-Options

| The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites. 
 There are three possible values for X-Frame-Options:
 
 DENY
 The page cannot be displayed in a frame, regardless of the site attempting to do so.
 
 SAMEORIGIN
 The page can only be displayed in a frame on the same origin as the page itself.
 
 ALLOW-FROM uri
 The page can only be displayed in a frame on the specified origin.
 
At Apachelounge this is set in httpd.conf:

Code:
    Header always append X-Frame-Options SAMEORIGIN
 
 For more info on Clickjacking, see for example:
 
 http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
 
 http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
 
 
 Steffen
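The post above lists the three values and the httpd directive, but not how a browser actually decides whether to render the frame, nor what `Header append` leaves in the response when the application behind httpd already sends the header itself. The following Python is an added example, not code from the thread or from Apache httpd: it implements the browser-side X-Frame-Options check as specified in the HTML Standard (tokens are comma-split, lowercased and de-duplicated; conflicting values fail closed; unrecognised values, which in current browsers include ALLOW-FROM, are ignored) together with a simplified model of mod_headers' `set` versus `append`. The hostnames, URLs and header values are constructed for the example.

```python
# Added example (not code from the thread): evaluate X-Frame-Options the way a
# browser does, following the HTML Standard's "check a navigation response's
# adherence to X-Frame-Options" algorithm, and model what httpd's mod_headers
# 'set' vs 'append' leave in the header when a backend already emitted one.
# All header values, URLs and origins below are constructed for the example.
from urllib.parse import urlsplit

RECOGNISED = ("deny", "allowall", "sameorigin")


def parse_xfo(header_fields):
    """Turn the raw X-Frame-Options field value(s) of one response into the
    ordered, de-duplicated list of lowercase tokens a browser works with.
    A response can carry the header more than once, and mod_headers' 'append'
    merges values into one field separated by commas, so both are split here."""
    tokens = []
    for field in header_fields:
        for token in field.split(","):
            token = token.strip().lower()
            if token and token not in tokens:
                tokens.append(token)
    return tokens


def same_origin(url_a, url_b):
    """Compare scheme, host and port; default ports are normalised so that
    https://host and https://host:443 count as the same origin."""
    defaults = {"http": 80, "https": 443}
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.hostname, a.port or defaults.get(a.scheme)) == \
           (b.scheme, b.hostname, b.port or defaults.get(b.scheme))


def frame_allowed(header_fields, page_url, ancestor_urls):
    """True if a page at page_url, served with the given X-Frame-Options
    field(s), may render inside frames whose documents are ancestor_urls
    (top-level document first, direct parent last). An empty ancestor list is
    a top-level navigation, which X-Frame-Options never restricts."""
    if not ancestor_urls:
        return True
    tokens = parse_xfo(header_fields)
    if not tokens:
        return True  # header absent: no framing restriction
    if len(tokens) > 1:
        # Conflicting values: fail closed if any recognised token is present,
        # otherwise the whole header is ignored.
        return not any(t in RECOGNISED for t in tokens)
    token = tokens[0]
    if token == "deny":
        return False
    if token == "sameorigin":
        return all(same_origin(page_url, a) for a in ancestor_urls)
    # "allow-from <uri>" and any other token are not recognised by current
    # browsers (Chromium and Safari never implemented ALLOW-FROM and Firefox
    # has dropped it), so the header is ignored and framing is allowed.
    return True


def apache_header(directive, backend_fields, value):
    """Simplified model of mod_headers: 'Header set' replaces any existing
    field of that name, 'Header append' joins the new value onto an existing
    one with ', ' (the HTTP way of giving a header several values)."""
    if directive == "set":
        return [value]
    if directive == "append":
        if backend_fields:
            return [backend_fields[0] + ", " + value] + backend_fields[1:]
        return [value]
    raise ValueError("unsupported directive: " + directive)


if __name__ == "__main__":
    page = "https://www.example.com/viewtopic.php"   # constructed page URL
    own = ["https://www.example.com/"]                # same-origin framer
    other = ["https://attacker.example/"]             # cross-origin framer
    for fields in (["SAMEORIGIN"], ["DENY"], ["ALLOW-FROM https://partner.example"],
                   ["SAMEORIGIN, SAMEORIGIN"], ["DENY, SAMEORIGIN"], []):
        print(fields, "same-origin:", frame_allowed(fields, page, own),
              "cross-origin:", frame_allowed(fields, page, other))
    # A backend (e.g. a PHP script) that already sends DENY, then httpd's
    # append vs set on top of it:
    for directive in ("append", "set"):
        fields = apache_header(directive, ["DENY"], "SAMEORIGIN")
        print(directive, fields, "same-origin:", frame_allowed(fields, page, own))
```

Running it shows that `DENY, SAMEORIGIN`, which is what `Header always append` produces when a script behind httpd has already sent `X-Frame-Options: DENY`, blocks framing even on the same origin, whereas `Header always set` replaces the backend's value. Whichever directive you choose, confirm the header on a real response with `curl -sI`, because mod_headers keeps separate `always` and default header tables and a backend-emitted header is not necessarily in the one the directive edits. To permit one specific third-party origin, use the Content-Security-Policy `frame-ancestors` directive rather than ALLOW-FROM.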
James Blond (Moderator)
Joined: 19 Jan 2006
Posts: 7442
Location: EU, Germany, Next to Hamburg

Posted: Wed 24 Apr '13 10:37

In my PHP scripts I use some more:

Code:
    header('X-Frame-Options: DENY');
    header('X-XSS-Protection: 1; mode=block');
    header('X-Content-Type-Options: nosniff');

Jan-E
Joined: 09 Mar 2012
Posts: 1283
Location: Amsterdam, NL, EU

Steffen (Moderator)
Joined: 15 Oct 2005
Posts: 3130
Location: Hilversum, NL, EU

Posted: Wed 24 Apr '13 23:37

Yep. I follow him closely on Twitter and the PHP list, where you are also active.

Steffen