Prevent ClickJacking

Question

Can you please let me know how to prevent clickjacking attack? Thanks in advance. I am using pure javascript for client side and VBscript for serverside. expecting which x-frame-option should I add to website and also how many steps should be taken to avoid clickjacking attack.

Answer 1

<DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title> clickjacking test</title><style>ifram ifram{position:absolute;top: 0; left: 0; width: 100%; height:100%; opacity: 0. /make ifram almost invisible */z-index: 10:} .cover {position: absolute; top: 0; left: 0; width: 100%; height: 100; z-index: 5;} </style> </head> <body> <div class="cover">click here to proceed</div> <iframe src="https://ww.example.com/country/eg/internship" frameborder="0"></iframe> </body>

Answer 2

You can prevent clickjacking by setting the server response header "X-Frame-Options" with either the value DENY (not allowed to frame) or SAMEORIGIN (only allowed to be framed on the same origin). There is also an ALLOW-FROM option, but it is basically not supported anymore.

But X-Frame-Options is now superseded by frame-ancestors directive of Content Security Policy, which you should use instead as it takes presedence over X-Frame-Options and is more flexible. You can use the options 'none' (no one is allowed to frame), 'self' (only allowed to be framed on the same origin) as well as adding any host name that is allowed to frame.

You could set the header as in this example

Response.AddHeader "Content-Security-Policy", "frame-ancestors 'self' <hostname1> <hostname2>;"