Skip links

Security Header – Ignored X-Frame Options

What is Clickjacking

Clickjacking is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

For example, imagine an attacker who builds a web site that has a button on it that says “click here for a free iPod”. However, on top of that web page, the attacker has loaded an iframe with your mail account, and lined up exactly the “delete all messages” button directly on top of the “free iPod” button. The victim tries to click on the “free iPod” button but instead actually clicked on the invisible “delete all messages” button. In essence, the attacker has “hijacked” the user’s click, hence the name “Clickjacking”.

The server didn’t return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object> . Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

Set the X-Frame-Options header for all responses containing HTML content. The possible values are “DENY”, “SAMEORIGIN”, or “ALLOW-FROM uri”

X-Frame-Options Header Types
There are three possible values for the X-Frame-Options header:
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/

DENY, which prevents any domain from framing the content. The “DENY” setting is recommended unless a specific need has been identified for framing.
SAMEORIGIN, which only allows the current site to frame the content.
ALLOW-FROM uri, which permits the specified ‘uri’ to frame this page. (e.g., ALLOW-FROM http://www.example.com) Check Limitations Below this will fail open if the browser does not support it.

Examples
Configuring Apache :
Header always set X-Frame-Options SAMEORIGIN
Header set X-Frame-Options DENY
Header set X-Frame-Options “ALLOW-FROM https://example.com/”

Configuring nginx :
add_header X-Frame-Options SAMEORIGIN;

Configuring IIS :
To configure IIS to send the X-Frame-Options header, add this to your site’s Web.config file:
<system.webServer>

<httpProtocol>
<customHeaders>
<add name=”X-Frame-Options” value=”SAMEORIGIN” />
</customHeaders>
</httpProtocol>

</system.webServer>

Back

Contact Us

    Return to top of page