How to Combat Clickjacking?


HTTP security headers provide yet another layer of security: they help mitigate attacks and security vulnerabilities by telling the browser how to behave. In this post we dive more in-depth into X-Frame-Options (XFO), a header that helps protect your visitors against clickjacking attacks. It is recommended that you send the X-Frame-Options header on every page that should not be rendered inside a frame.

Enable on IIS


To enable it on IIS, simply add the header to your site's Web.config file:

<system.webServer>
    ...
    <httpProtocol>
        <customHeaders>
            <add name="X-Frame-Options" value="SAMEORIGIN" />
        </customHeaders>
    </httpProtocol>
    ...
</system.webServer>

X-Frame-Options Browser Support

It is important to realize that not all browsers support the ALLOW-FROM directive, so be careful if you are using it. All modern browsers do support the DENY and SAMEORIGIN directives. For legacy browsers, such as IE7, your best solution currently is to use what is called a frame-breaker or frame-buster.
| Browser           | DENY/SAMEORIGIN support | ALLOW-FROM support |
|-------------------|-------------------------|--------------------|
| Chrome            | 4.1+                    | No support         |
| Edge              | Yes                     | NA                 |
| Firefox           | 1.9.2+                  | 18.0+              |
| Internet Explorer | 8.0+                    | 9.0+               |
| Opera             | 10.50+                  | ?                  |
| Safari            | 4.0+                    | ?                  |
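The following script is an added example, not code from the original post, showing how a defender can audit their own site's response headers against the support facts above: DENY and SAMEORIGIN count as protection everywhere, ALLOW-FROM does not (Chrome has no support, Safari and Opera are unknown), and an absent, empty, unrecognised or conflicting value leaves the page frameable. The sample headers at the bottom are constructed, and the function names (get_header, classify_xfo, audit) are this example's own.

```python
"""Audit HTTP response headers for X-Frame-Options (XFO) clickjacking protection.

Added example; not the original post's code. Applies the browser-support facts
from the post: DENY/SAMEORIGIN are honoured everywhere, ALLOW-FROM is not.
"""
from typing import Dict, List, Optional

# Directives every modern browser honours (see the support table above).
UNIVERSAL = {"DENY", "SAMEORIGIN"}


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def classify_xfo(value: Optional[str]) -> dict:
    """Classify one X-Frame-Options value.

    Returns {"protected": bool, "directive": str | None, "note": str}.
    """
    if value is None:
        return {"protected": False, "directive": None,
                "note": "header absent: any origin may frame this page"}

    # Some servers or proxies join duplicate headers with commas; split them.
    parts = [p.strip() for p in value.split(",") if p.strip()]
    distinct = {p.upper() for p in parts}
    if len(distinct) > 1:
        return {"protected": False, "directive": value.strip(),
                "note": "conflicting values: send exactly one directive"}
    if not parts:
        return {"protected": False, "directive": "",
                "note": "empty value: browsers ignore the header"}

    raw = parts[0]
    upper = raw.upper()  # directive names are case-insensitive (RFC 7034)
    if upper in UNIVERSAL:
        return {"protected": True, "directive": upper,
                "note": "honoured by all modern browsers"}
    if upper.startswith("ALLOW-FROM"):
        uri = raw[len("ALLOW-FROM"):].strip()
        if not uri:
            return {"protected": False, "directive": "ALLOW-FROM",
                    "note": "ALLOW-FROM needs a URI; value is invalid"}
        return {"protected": False, "directive": "ALLOW-FROM",
                "note": f"ALLOW-FROM {uri}: no support in Chrome (Safari/Opera "
                        "unknown), so do not rely on it for protection"}
    return {"protected": False, "directive": raw,
            "note": "unrecognised directive: browsers ignore the header"}


def audit(headers: Dict[str, str]) -> dict:
    """Audit one response's headers; returns the classify_xfo verdict."""
    return classify_xfo(get_header(headers, "X-Frame-Options"))


# Constructed sample responses (not captured from any real site).
SAMPLES: List[Dict[str, str]] = [
    {"Content-Type": "text/html"},                               # no header at all
    {"x-frame-options": "sameorigin"},                           # lower-case name/value
    {"X-Frame-Options": "DENY"},
    {"X-Frame-Options": "ALLOW-FROM https://partner.example"},  # legacy directive
    {"X-Frame-Options": "DENY, SAMEORIGIN"},                    # duplicated by a proxy
    {"X-Frame-Options": "ALLOWALL"},                             # not a real directive
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = audit(sample)
        status = "OK  " if verdict["protected"] else "WARN"
        print(f"{status} {verdict['directive']!s:<40} {verdict['note']}")
```

Run it as-is to see the verdict for each constructed sample; to audit a real deployment, feed `audit()` the header dictionary from a response object (for example `dict(resp.headers)` from `requests`). Only a single DENY or SAMEORIGIN value is reported as protected: anything else, including a proxy-duplicated pair of differing values, is flagged for the operator to fix rather than being given the benefit of the doubt.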
