Repair of web security problem without x-frame-options header information

Source: Internet
Author: User
Tags: tomcat server

X-frame-options response Header

The X-Frame-Options HTTP response header tells the browser whether it may render a page inside a frame or iframe tag. A site can use this header to ensure that its content is not embedded in other sites, and thereby avoid clickjacking.

Risk: an attacker can overlay the target web page with a transparent, invisible iframe and then persuade the user to act on the visible page, so that the user unknowingly clicks on the transparent iframe instead. By adjusting the position of the iframe, the attacker can make the user's clicks land on specific functional buttons of the framed page, so that the clicks are hijacked.

X-frame-options response Header
The X-Frame-Options HTTP response header tells the browser whether a page may be displayed inside a <frame>, <iframe> or <object> element. Websites can use this feature to ensure that their content is not embedded in someone else's website, and thus avoid clickjacking attacks.

Using X-Frame-Options
X-Frame-Options has three values:

DENY
Indicates that the page may not be displayed in a frame at all, even when the framing page is on the same domain.
SAMEORIGIN
Indicates that the page may be displayed in a frame only when the framing page is on the same domain.
ALLOW-FROM uri
Indicates that the page may be displayed in a frame only by the specified origin. (Note: ALLOW-FROM is obsolete and ignored by current browsers; the Content-Security-Policy frame-ancestors directive is the supported way to allow specific origins.)
In other words, if the header is set to DENY, the page will not load in a frame on someone else's site, and it will not load in a frame on a page of the same domain either. If it is set to SAMEORIGIN, the page can be nested in a frame on a page of the same domain.

Configure Apache

To configure Apache to send the X-Frame-Options response header on all pages, add the following line to the site's configuration (it requires mod_headers to be enabled):

Header always append X-Frame-Options SAMEORIGIN

Configure Nginx

To configure Nginx to send the X-Frame-Options response header, add the following line to the http, server or location block of the configuration (note that an add_header in a nested block replaces all add_header directives inherited from the enclosing block, so repeat the line wherever add_header is used):

add_header X-Frame-Options SAMEORIGIN;

Configure IIS

To configure IIS to send the X-Frame-Options response header, add the following configuration to the web.config file (customHeaders sits inside the httpProtocol element):

<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN"/>
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>

Configure TOMCAT

"Clickjacking: X-Frame-Options not configured"

Because the project runs on a Tomcat server, it is not practical to add the header on every page individually with:

response.addHeader("X-Frame-Options", "SAMEORIGIN");

So we use a servlet filter instead; the relevant code is as follows:

HttpServletResponse response = (HttpServletResponse) sresponse;
response.addHeader("X-Frame-Options", "SAMEORIGIN");

The specific filter configuration can be found in my blog post; the point is to put the line

response.addHeader("X-Frame-Options", "SAMEORIGIN");

inside the filter's doFilter method.
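A complete filter built around the two lines above, as an added example that is not the original post's code. The init-param name "mode" and the filter-name "xfo" in the web.xml comment are assumptions; only DENY and SAMEORIGIN are accepted, and the header is set before the request reaches the servlet so it is present before the response is committed.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Adds X-Frame-Options to every response. The mode comes from a "mode" init-param (assumed name);
// only DENY and SAMEORIGIN are accepted, anything else falls back to SAMEORIGIN.
public class XFrameOptionsFilter implements Filter {
    private static final String HEADER = "X-Frame-Options";
    private String mode = "SAMEORIGIN";

    @Override
    public void init(FilterConfig config) {
        String configured = config.getInitParameter("mode");
        if (configured != null) {
            String value = configured.trim().toUpperCase();
            if (value.equals("DENY") || value.equals("SAMEORIGIN")) {
                mode = value;
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            // Set the header before handing off to the servlet: once the response
            // is committed, headers can no longer be added. setHeader (not addHeader)
            // guarantees exactly one X-Frame-Options value in the response.
            ((HttpServletResponse) res).setHeader(HEADER, mode);
        }
        chain.doFilter(req, res);
    }
    @Override
    public void destroy() { }
}

/* Registration in WEB-INF/web.xml (filter-class must include your package):
<filter>
  <filter-name>xfo</filter-name>
  <filter-class>XFrameOptionsFilter</filter-class>
  <init-param><param-name>mode</param-name><param-value>SAMEORIGIN</param-value></init-param>
</filter>
<filter-mapping><filter-name>xfo</filter-name><url-pattern>/*</url-pattern></filter-mapping>
*/
```

After deploying, confirm the fix with curl -I against any page and check that exactly one X-Frame-Options header is returned.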
Results

When Firefox tries to load content into a frame and the X-Frame-Options response header forbids it, Firefox shows about:blank in the frame. Perhaps in some ways it would be better to display an error message.

Copyright notice: part of the material in this blog was collected from the Internet; if it infringes your rights, please contact me to have it removed.
