X-Frame-Options-Vulnerability/EN: Difference between revisions
Revision as of 8 March 2019, 09:20
Checking the HTTP header X-Frame-Options
Check | HTTP header X-Frame-Options not set.
Description | X-Frame-Options helps to prevent attacks carried out by rendering content within a frame. This largely mitigates the risk of clickjacking attacks. Downgrade attacks, as known from Internet Explorer, are also minimized.
Background | This header entry determines whether a browser is allowed to render a page in a frame or iframe. This can prevent so-called clickjacking attacks by making sure that the website is not embedded in another website. The following options are available:
DENY: The page is not rendered if it is being loaded in a frame or iframe.
Impact | Prevents, for example, clickjacking attacks. Easy to implement, and requires no further adjustments on the website.
Solution / Tips | If it was reported that the HTTP header X-Frame-Options is not set, your website is not sufficiently protected from clickjacking attacks.
Set the HTTP header X-Frame-Options according to your requirements. The X-Frame-Options field in the HTTP header determines whether a browser is allowed to render or embed the target page in a <frame>, <iframe> or <object>. Websites can use this header to deflect clickjacking attacks by preventing their content from being embedded in third-party pages. With the HTTP header X-Frame-Options, modern web browsers can be instructed not to load a page in a frame on another website. To do this, enter the following setting in the .htaccess file:

    Header always append X-Frame-Options DENY

Alternatively, you can permit the page to be embedded only in other pages within the same domain:

    Header always append X-Frame-Options SAMEORIGIN

If a website must be embedded in an external page, a domain can be specified:

    Header always append X-Frame-Options ALLOW-FROM botfrei.de

Here is an example of an .htaccess file which will set the Header Scanner to green. (.htaccess example)