X-Frame-Options-Vulnerability/EN/Solution Tips

Aus Siwecos
Version vom 8. April 2019, 09:54 Uhr von Siwebot (Diskussion | Beiträge)
(Unterschied) ← Nächstältere Version | Aktuelle Version (Unterschied) | Nächstjüngere Version → (Unterschied)
Wechseln zu: Navigation, Suche

If is was reported, that the HTTP header X-Frame-Options is not set, your website is not sufficiently protected from clickjacking attacks.

Set in the HTTP header X-Frame-Options according to your requirements. The X-Frame-Options field in the HTTP header can be used to determine whether a browser is allowed to render or embed the target page in a <frame>, <iframe> or <object>. Websites can use this header to deflect clickjacking attacks by preventing their content from being embedded in third party pages.

With the HTTP-Header command X-Frame-Options, modern web browsers can be instructed to prevent loading a page in a frame on another website. To do this, the following setting must be entered in the .htaccess file:

Header always append X-Frame-Options DENY 

Header always append X-Frame-Options DENY

Alternatively, you can permit the page to be embedded only in other pages within the same domain: 

Header always append X-Frame-Options SAMEORIGIN

If a website must be embedded in an external page, a domain can be specified: 

Header always append X-Frame-Options ALLOW-FROM botfrei.de

Here is an example of an .htaccess file which will set the Header Scanner to green. (.htaccess example)

Abgerufen von „https://www.siwecos.de/wiki/index.php?title=X-Frame-Options-Vulnerability/EN/Solution_Tips&oldid=9642