X-Frame-Options-Vulnerability/EN


Checking the HTTP header X-Frame-Options

If the result is positive, there is no need for further action. If the result is negative, please read the following instructions.

Result positive: The header is set correctly and improves protection against framing attacks such as UI redressing and clickjacking.
Result negative: HTTP header X-Frame-Options not set.
Description: X-Frame-Options helps to prevent attacks carried out by rendering content within a frame. This largely mitigates the risk of clickjacking attacks. Downgrade attacks, as known from Internet Explorer, are also minimized.
Background: This header entry determines whether a browser is allowed to render a page in a frame or iframe. This can prevent so-called clickjacking attacks by making sure that the website is not embedded in another website. The following options are available:

DENY: The page is not rendered if it is being loaded in a frame or iframe.
SAMEORIGIN: The page is only rendered if the frame or iframe is located in the same domain.
ALLOW-FROM DOMAIN: The page is not rendered if the domain is different from the domain specified here.

Consequence: Prevents, for example, clickjacking attacks. Easy to implement, and requires no further adjustments to the website.
Solution/Tips: If it was reported that the HTTP header X-Frame-Options is not set, your website is not sufficiently protected against clickjacking attacks.

Set the HTTP header X-Frame-Options according to your requirements. The X-Frame-Options field in the HTTP header can be used to determine whether a browser is allowed to render or embed the target page in a <frame>, <iframe> or <object>. Websites can use this header to deflect clickjacking attacks by preventing their content from being embedded in third-party pages.

With the HTTP header X-Frame-Options, modern web browsers can be instructed not to load a page in a frame on another website. To do this, the following setting must be entered in the .htaccess file:

Header always append X-Frame-Options DENY

Alternatively, you can permit the page to be embedded only in other pages within the same domain:

Header always append X-Frame-Options SAMEORIGIN

If a website must be embedded in an external page, a domain can be specified:

Header always append X-Frame-Options ALLOW-FROM botfrei.de

Here is an example of an .htaccess file which will set the Header Scanner to green. (.htaccess example)
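
The check described on this page, sketched in Python as an added example (not the SIWECOS scanner's own code): it classifies the X-Frame-Options values found in a response's header list, including repeated or conflicting values that can appear when the header is appended in more than one place. The function name, the extra 'warning' result and the sample responses are assumptions made for illustration.

```python
# Added example: classify a response's X-Frame-Options header(s).
# The result labels and sample responses are constructed for illustration.

def check_xfo(headers):
    """headers: list of (name, value) pairs as received, duplicates kept.
    Returns (result, detail); result is 'positive', 'warning' or 'negative'."""
    tokens = []
    for name, value in headers:
        if name.strip().lower() == "x-frame-options":
            # A comma-joined field carries several values, same as repeated lines.
            tokens += [t.strip() for t in value.split(",") if t.strip()]
    if not tokens:
        return ("negative", "HTTP header X-Frame-Options not set")
    distinct = sorted({t.upper() for t in tokens})
    if len(distinct) > 1:
        return ("negative", "conflicting values: " + ", ".join(distinct))
    value = tokens[0]
    if value.upper() in ("DENY", "SAMEORIGIN"):
        return ("positive", value.upper())
    parts = value.split(None, 1)
    if parts[0].upper() == "ALLOW-FROM":
        if len(parts) < 2:
            return ("negative", "ALLOW-FROM without a domain")
        # Current browsers treat ALLOW-FROM as obsolete and ignore the header.
        detail = "ALLOW-FROM " + parts[1] + " is not honoured by current browsers"
        return ("warning", detail)
    return ("negative", "unrecognised value: " + value)


# Constructed sample responses (header lists only).
SAMPLES = {
    "missing": [("Content-Type", "text/html")],
    "deny": [("X-Frame-Options", "DENY")],
    "appended twice": [("x-frame-options", "DENY, DENY")],
    "two sources": [("X-Frame-Options", "SAMEORIGIN"), ("X-Frame-Options", "DENY")],
    "allow-from": [("X-Frame-Options", "ALLOW-FROM botfrei.de")],
    "typo": [("X-Frame-Options", "SAME-ORIGIN")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, "->", check_xfo(hdrs))
```
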