Omri Perl

Reputation: 131

Clickjacking protection using 'X-Frame-Options'?

I want to add clickjacking protection to my web site using X-Frame-Options. Several pages in my web site are shown in a frame, so I want to protect them but at the same time present them properly. From what I understand I need to use the SAMEORIGIN option in the X-Frame-Options value. But what exactly does SAMEORIGIN mean? Does it mean the same website? The official description I found is not very clear regarding what it means for two pages to share the same 'origin'... Can someone here help me with this? Thanks!

Upvotes: 0

Views: 5195

Answers (2)

user1057404

Reputation: 103

Using X-Frame-Options customHeaders - add multiple uri/domains to the web.config?

Solution: add this to your web.config

    <httpProtocol>
      <customHeaders>
        <!-- frame-ancestors is the CSP equivalent of X-Frame-Options; 'self' means the page's own origin,
             and each further entry is an additional host allowed to frame the page -->
        <add name="Content-Security-Policy" value="frame-ancestors 'self' website1.com website2.com;"/>
      </customHeaders>
    </httpProtocol>

Upvotes: 0

Mike West

Reputation: 5143

An "origin" is a website's scheme+host+port. That is, http://example.com/ has an origin of (http, example.com, 80). https://example.com/ is a different origin, namely (https, example.com, 443).

Setting the x-frame-options header to SAMEORIGIN for a page served from http://example.com/ means that only other pages on http://example.com/ would be able to load that page in a frame.

Upvotes: 1
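As an added example (not code from either answer), here is the origin comparison described above written out in JavaScript: a URL is reduced to its scheme, host and port (default ports filled in), SAMEORIGIN is checked against that triple, and the `frame-ancestors` directive from the web.config answer is evaluated the same way. The CSP host matching is deliberately simplified to hostname and `*.` wildcards; the spec's scheme and port rules for host sources are omitted, and the `frame-ancestors` directive is assumed to appear in a single policy string.

```javascript
// Reduce a URL to its origin triple. Default ports are applied so that
// http://example.com/ and http://example.com:80/ compare as the same origin.
function originOf(urlString) {
  const u = new URL(urlString);
  const scheme = u.protocol.replace(/:$/, "");
  const defaultPort = scheme === "https" ? "443" : scheme === "http" ? "80" : "";
  return { scheme, host: u.hostname.toLowerCase(), port: u.port || defaultPort };
}

// Two URLs share an origin only when scheme, host and port all match.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// X-Frame-Options: DENY blocks every framer; SAMEORIGIN requires the framing page
// to share the framed page's origin. Any other value (including the obsolete
// ALLOW-FROM) is ignored by current browsers, which leaves the page frameable.
function xfoAllowsFraming(xfoValue, framedUrl, framerUrl) {
  switch (xfoValue.trim().toUpperCase()) {
    case "DENY":       return false;
    case "SAMEORIGIN": return sameOrigin(framedUrl, framerUrl);
    default:           return true;
  }
}

// Simplified frame-ancestors evaluation (assumption: hostname matching only).
// 'self' is the same-origin rule; 'none' blocks all framers; "*.x.com" matches
// subdomains of x.com; a bare host matches that hostname exactly.
function cspFrameAncestorsAllows(policy, framedUrl, framerUrl) {
  const directive = policy.split(";").map(d => d.trim())
    .find(d => d.toLowerCase().startsWith("frame-ancestors"));
  if (!directive) return true;           // no directive: CSP imposes no framing limit
  const sources = directive.split(/\s+/).slice(1);
  const framerHost = originOf(framerUrl).host;
  return sources.some(src => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === "'self'") return sameOrigin(framedUrl, framerUrl);
    if (s.startsWith("*.")) return framerHost.endsWith(s.slice(1));
    return framerHost === s;
  });
}
```

The framed page is always the one that sent the header; the framer is the document containing the `<iframe>`, which is why a plain http vs https mismatch on the same host is enough for SAMEORIGIN to refuse the frame.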
