X-Frame-Options-Vulnerability/EN/Solution Tips: Unterschied zwischen den Versionen
(Die Seite wurde neu angelegt: „Set in the HTTP-Header according to your requirements. The '''X-Frame-Options''' field in the HTTP header can be used to determine whether a B…“) |
|||
Zeile 1: | Zeile 1: | ||
− | Set in the | + | Set in the HTTP header according to your requirements. The '''X-Frame-Options''' field in the HTTP header can be used to determine whether a browser is allowed to render or embed the target page in a <frame>, <iframe> or <object>. Websites can use this header to deflect clickjacking attacks by preventing their content from being embedded in third party pages. |
With the HTTP-Header command X-Frame-Options, modern web browsers can be instructed to prevent loading a page in a frame on another website. To do this, the following setting must be entered in the .htaccess file: | With the HTTP-Header command X-Frame-Options, modern web browsers can be instructed to prevent loading a page in a frame on another website. To do this, the following setting must be entered in the .htaccess file: | ||
Zeile 29: | Zeile 29: | ||
Here is an example of an .htaccess file which will set the '''HTTP-Security-Header-Scanner''' to green. | Here is an example of an .htaccess file which will set the '''HTTP-Security-Header-Scanner''' to green. | ||
− | ([[Htaccess|.htaccess | + | ([[Htaccess|.htaccess example (German only]]) |
Version vom 6. Februar 2019, 15:56 Uhr
Set in the HTTP header according to your requirements. The X-Frame-Options field in the HTTP header can be used to determine whether a browser is allowed to render or embed the target page in a <frame>, <iframe> or <object>. Websites can use this header to deflect clickjacking attacks by preventing their content from being embedded in third party pages.
With the HTTP-Header command X-Frame-Options, modern web browsers can be instructed to prevent loading a page in a frame on another website. To do this, the following setting must be entered in the .htaccess file:
Header always append X-Frame-Options DENY
--snip
Header always append X-Frame-Options DENY
—snap
Alternatively, you can permit the page to be embedded only in other pages within the same domain:
--snip
Header always append X-Frame-Options SAMEORIGIN
—snap
If a website must be embedded in an external page, a domain can be specified:
--snip
Header always append X-Frame-Options ALLOW-FROM botfrei.de
—snap
Here is an example of an .htaccess file which will set the HTTP-Security-Header-Scanner to green.
(.htaccess example (German only)