Security Click Jacking Prevention


// Security - Clickjacking - Prevention:

There are a few commonly employed techniques to prevent clickjacking, each with 
its own limitations:

1. Use Frame-Busting Scripts:  The most commonly used approach is to include a 
   frame-busting script that prevents an attacker from loading your website in 
   an iframe.  The script attempts to detect whether the page is loaded in a 
   frame and, if so, prevents the page from displaying.  For this technique to 
   work, the site owner has to include the script on every page.  While this 
   is the most popular defense against clickjacking, many frame-busting scripts 
   have known bypasses that an attacker can use to get around their protection.
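The following is an added example, not code from this page: a frame-busting script in the two forms the text alludes to, written so that the decision logic takes the window and document as parameters and can be exercised outside a browser. The helper names and the `antiClickjack` style id are my own choices. The hardened form is the pattern OWASP documents for legacy browsers: the page ships with its body hidden, and the script reveals it only when the page is confirmed to be top-level, so that if a framing page manages to block the escape navigation the content stays hidden and cannot be clicked.

```javascript
// Added example (not the page's own code). The page must carry, in <head>,
// before this script:  <style id="antiClickjack">body{display:none !important;}</style>
// The style id "antiClickjack" is an assumed name, not one the page uses.

// True when the page is displayed inside a frame. `win` is a window-like
// object exposing `top` and `self` (the real `window` in a browser).
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    // Touching `top` can throw under a cross-origin ancestor; that is framed.
    return true;
  }
}

// Classic frame-buster: if framed, navigate the top window to this page so it
// is displayed on its own. Its weakness, noted in the text, is that the framing
// page can interfere with this navigation; when it does, the page is still
// rendered inside the frame and remains clickable.
// Returns true when a bust was attempted.
function legacyFrameBust(win) {
  if (!isFramed(win)) return false;
  win.top.location = win.self.location;
  return true;
}

// Hardened form: the body is hidden by the antiClickjack style by default and
// is revealed only when the page is confirmed to be top-level. If the escape
// navigation is blocked, the page stays hidden, so there is nothing to click.
// Returns "shown" or "hidden" so the outcome can be checked.
function hardenedFrameBust(win, doc) {
  const hidingStyle = doc.getElementById("antiClickjack");
  if (!isFramed(win)) {
    // Not framed: drop the hiding style so the page renders normally.
    if (hidingStyle && hidingStyle.parentNode) {
      hidingStyle.parentNode.removeChild(hidingStyle);
    }
    return "shown";
  }
  try {
    win.top.location = win.self.location;
  } catch (e) {
    // Navigation refused by the framing context; keep the body hidden.
  }
  return "hidden";
}

// Constructed stand-ins for window/document so the logic runs outside a browser.
function makeTopLevelWindow() {
  const w = { location: "https://site.example/account" };
  w.self = w;
  w.top = w;
  return w;
}
function makeFramedWindow() {
  const top = { location: "https://other.example/" };
  const w = { location: "https://site.example/account", top };
  w.self = w;
  return w;
}
function makeDocument() {
  const doc = { styleRemoved: false };
  const style = { parentNode: { removeChild() { doc.styleRemoved = true; } } };
  doc.getElementById = (id) => (id === "antiClickjack" ? style : null);
  return doc;
}

// In a real browser, run the hardened check immediately on load.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  hardenedFrameBust(window, document);
}
```

The point of the hardened form is fail-closed behaviour: a bypass that stops the `top.location` assignment leaves the legacy script with a fully rendered, clickable page, whereas it leaves the hardened script with a blank one.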

2. Use X-Frame-Options: Another clickjacking protection is to use an HTTP header 
   introduced in IE8 called X-Frame-Options.  This header works like frame-busting 
   scripts in that it lets the site owner restrict where its pages can be loaded.  
   The header can be set to one of three values:

   1. DENY: Prevents the page from loading in a frame at all.

   2. SAMEORIGIN: Allows the page to be loaded inside a frame only if the 
      framing page has the same origin.

   3. ALLOW-FROM: Allows framing only from a specific URL.

   Depending on your user base, enabling this header might not be a full 
   solution because many legacy browsers do not support X-Frame-Options.

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/

// Apache (use "set" rather than "append": appending to a value the application
// already sent yields a combined header such as "DENY, SAMEORIGIN", which the
// HTML standard treats as conflicting and blocks all framing, including the
// same-origin framing the site may rely on):
Header always set X-Frame-Options "SAMEORIGIN"

// Nginx (note that add_header directives in a location block replace, rather
// than extend, those inherited from the enclosing server block):
add_header X-Frame-Options SAMEORIGIN;
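As an added example that is not the page's own code, here is a small model of how a browser applies each of the three values above when deciding whether to render a page inside a frame. It follows the HTML standard's handling of DENY and SAMEORIGIN (every ancestor frame is checked, not only the top-level one) and the legacy behaviour of ALLOW-FROM in the browsers that implemented it. ALLOW-FROM was only ever honoured by Internet Explorer and older Firefox; Chrome and Safari ignore it, which is worth adding to the caveat about legacy browsers above. The origins, scenarios and function names are constructed for the example.

```javascript
// Added example, not code from the page. Origins are "scheme://host[:port]"
// strings; `ancestorOrigins` holds the origin of every frame above the page,
// top-level first, so a page that is not framed at all passes [].

// Extract the origin from a URL string (e.g. "https://example.com/" ->
// "https://example.com"). Throws on an unparsable URL.
function originOf(url) {
  return new URL(url).origin;
}

// Split a header value into its distinct upper-cased tokens, e.g.
// "deny, SAMEORIGIN" -> ["DENY", "SAMEORIGIN"].
function headerTokens(headerValue) {
  return [...new Set(
    headerValue.split(",").map((v) => v.trim().toUpperCase()).filter(Boolean)
  )];
}

// Decide whether a browser may render the page in the given frame context.
// Returns true when framing is allowed, false when it is blocked.
function isFramingAllowed(headerValue, pageOrigin, ancestorOrigins) {
  if (ancestorOrigins.length === 0) return true; // not framed: nothing to block
  if (headerValue == null) return true;          // header absent: framing allowed

  const tokens = headerTokens(headerValue);
  // Per the HTML standard, conflicting values such as "DENY, SAMEORIGIN" (a
  // common result of several layers each appending the header) block framing.
  if (tokens.length > 1 &&
      tokens.some((t) => t === "DENY" || t === "SAMEORIGIN" || t === "ALLOWALL")) {
    return false;
  }
  const value = tokens[0] || "";

  if (value === "DENY") return false;
  if (value === "SAMEORIGIN") {
    // Modern browsers require every ancestor, not just the top frame, to be
    // same-origin with the page.
    return ancestorOrigins.every((o) => o === pageOrigin);
  }
  if (value.startsWith("ALLOW-FROM ")) {
    // Legacy directive: only IE and older Firefox honoured it, comparing the
    // top-level frame's origin with the listed one. Chrome and Safari ignore
    // it (as if no header were sent). This models the honouring browsers.
    const listed = headerValue.trim().slice("ALLOW-FROM ".length).trim();
    try {
      return ancestorOrigins[0] === originOf(listed);
    } catch (e) {
      return false; // unparsable URI: treat as blocked
    }
  }
  // Unrecognised value: the header is ignored and framing is allowed, which is
  // why a typo in the value silently removes the protection.
  return true;
}
```

Running the three page values through this model shows why SAMEORIGIN is the usual choice for sites that frame their own pages, and why a misspelt value is worse than none: it looks configured but grants every framer access.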

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License