Topic: Mitigate ClickJacking attacks with Header X-Frame-Options
Steffen (Moderator)
Joined: 15 Oct 2005, Posts: 3049, Location: Hilversum, NL, EU
Posted: Tue 23 Apr '13 20:30, Subject: Mitigate ClickJacking attacks with Header X-Frame-Options

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites.

There are three possible values for X-Frame-Options:

DENY
The page cannot be displayed in a frame, regardless of the site attempting to do so.

SAMEORIGIN
The page can only be displayed in a frame on the same origin as the page itself.

ALLOW-FROM uri
The page can only be displayed in a frame on the specified origin.

At Apachelounge the following is set in httpd.conf:
Code:
Header always append X-Frame-Options SAMEORIGIN


For more info on Clickjacking, see for example:

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx


Steffen
James Blond (Moderator)
Joined: 19 Jan 2006, Posts: 7288, Location: Germany, Next to Hamburg
Posted: Wed 24 Apr '13 10:37
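As an added example, not part of Steffen's post or of the Apache Lounge configuration, here is a small Python checker that pulls the X-Frame-Options header out of captured HTTP responses and classifies it according to the three values listed above. It also covers what `Header always append` produces when a backend application has already sent its own X-Frame-Options: Apache folds the second value into the same field, giving something like `DENY, SAMEORIGIN`, which browsers do not handle consistently (RFC 7034 leaves repeated or combined values to the implementation), so the checker reports that as a conflict rather than as protection; `Header always set` avoids the problem. ALLOW-FROM is reported as obsolete because current browsers no longer honour it. The sample responses are constructed for the example.

```python
"""Audit the X-Frame-Options header in raw HTTP/1.x responses (added example)."""
from dataclasses import dataclass, field

VALID_TOKENS = {"DENY", "SAMEORIGIN"}


@dataclass
class XfoVerdict:
    status: str                      # protected | missing | conflict | obsolete | invalid
    values: list = field(default_factory=list)
    note: str = ""


def parse_response_headers(raw: bytes) -> list:
    """Split a raw HTTP/1.x response into (name, value) pairs.

    Repeated header names are kept in order, because a duplicated
    X-Frame-Options line is exactly what we want to notice.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def evaluate_xfo(headers: list) -> XfoVerdict:
    """Classify the X-Frame-Options value(s) found in a header list."""
    raw_values = [v for n, v in headers if n.lower() == "x-frame-options"]
    # Apache's `Header append` merges a new value into an existing field with
    # a comma, so split on commas as well as on repeated header lines.
    tokens = [t.strip().upper()
              for v in raw_values for t in v.split(",") if t.strip()]
    if not tokens:
        return XfoVerdict("missing", [],
                          "no X-Frame-Options header; any site may frame this page")
    distinct = sorted(set(tokens))
    if len(distinct) > 1:
        return XfoVerdict("conflict", distinct,
                          "several differing values; browser handling is inconsistent, "
                          "use 'Header always set' instead of 'append'")
    token = distinct[0]
    if token in VALID_TOKENS:
        return XfoVerdict("protected", distinct, f"{token} is honoured by current browsers")
    if token.startswith("ALLOW-FROM "):
        return XfoVerdict("obsolete", distinct,
                          "ALLOW-FROM is no longer honoured by current browsers")
    return XfoVerdict("invalid", distinct,
                      "unrecognised value; browsers ignore it, so it gives no protection")


def audit(raw: bytes) -> XfoVerdict:
    """Convenience wrapper: raw response bytes in, verdict out."""
    return evaluate_xfo(parse_response_headers(raw))


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "apachelounge_style":   b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                            b"X-Frame-Options: SAMEORIGIN\r\n\r\n<html>",
    "no_header":            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "appended_onto_backend": b"HTTP/1.1 200 OK\r\n"
                             b"X-Frame-Options: DENY, SAMEORIGIN\r\n\r\n",
    "allow_from":           b"HTTP/1.1 200 OK\r\n"
                            b"X-Frame-Options: ALLOW-FROM https://example.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        v = audit(raw)
        print(f"{name:24s} {v.status:10s} {v.values} {v.note}")
```

Run it against responses saved from your own server (for example the output of `curl -si`), and treat anything other than `protected` as a finding. The response is parsed byte-wise rather than through an HTTP client library so that duplicated header lines survive intact, which is what reveals a misconfigured `append`.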

In my PHP scripts I use some more:

Code:
header('X-Frame-Options: DENY');
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
Jan-E
Joined: 09 Mar 2012, Posts: 1248, Location: Amsterdam, NL, EU
Posted: Wed 24 Apr '13 23:13

@Steffen: Inspired by PHP developer Pierre Joye? Or is it coincidental:
https://twitter.com/PierreJoye/status/326745772903243776
Steffen (Moderator)
Joined: 15 Oct 2005, Posts: 3049, Location: Hilversum, NL, EU
Posted: Wed 24 Apr '13 23:37

Yep. I follow him closely on Twitter and on the PHP list, where you are also active.

Steffen