How to Configure the X-Frame-Options Header to Mitigate Clickjacking Attempts

General Use Case to Configure X-Frame-Options Header to Mitigate Clickjacking Attempts X-Frame-Options is a server-side method of combating clickjacking — see owasp or wikipedia for more information on both. Clickjacking, also known as a UI redress attack, is a method in which an attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on a page other than the one they believe they are clicking. Thus, the attacker is “hijacking” clicks meant for one page and routing the user to an illegitimate page.

Web site administrators should take precautions to protect your webpages from clickjacking attempts. This is an issue that concerns any server that serves up web pages.

A common method considered clickjacking is to use the HTML iframe feature to embed another server’s page within a given site’s page. Note this is not a bad thing in itself. It is used for many good purposes as an HTML feature to create an integrated experience. The objection occurs when a third-party site includes details surrounding the displayed iframe to trick a user. Or, they simply have no permission to include your page within theirs. The question is, how to prevent this?

A simple Web Server Header configuration will prevent Clickjacking . Many of the Applicaiton have WebServer .Hence it is recomeneted to contorl all the Headers with in the Webserver . Below Header is applicable for Redhat Apache Server, Oracle Http Server & IBM http Server .

Header always append X-Frame-Options: SAMEORIGIN

Configure above header in … and restart the server .
You can see the change reflected or not by verifing in the Broser headers .

Hope this helps!!!

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *