X-Frame-Options-Vulnerability/EN/Solution Tips: Unterschied zwischen den Versionen
| (4 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
| − | Set in the HTTP header according to your requirements. The '''X-Frame-Options''' field in the HTTP header can be used to determine whether a browser is allowed to render or embed the target page in a <frame>, <iframe> or <object>. Websites can use this header to deflect clickjacking attacks by preventing their content from being embedded in third party pages. | + | If is was reported, that the HTTP [[Header/EN|header]] X-Frame-Options is not set, your website is not sufficiently protected from [https://en.wikipedia.org/wiki/Clickjacking clickjacking attacks]. |
| + | |||
| + | Set in the HTTP [[Header/EN|header]] X-Frame-Options according to your requirements. The '''X-Frame-Options''' field in the HTTP header can be used to determine whether a browser is allowed to render or embed the target page in a <frame>, <iframe> or <object>. Websites can use this header to deflect clickjacking attacks by preventing their content from being embedded in third party pages. | ||
With the HTTP-Header command X-Frame-Options, modern web browsers can be instructed to prevent loading a page in a frame on another website. To do this, the following setting must be entered in the .htaccess file: | With the HTTP-Header command X-Frame-Options, modern web browsers can be instructed to prevent loading a page in a frame on another website. To do this, the following setting must be entered in the .htaccess file: | ||
| Zeile 5: | Zeile 7: | ||
Header always append X-Frame-Options DENY | Header always append X-Frame-Options DENY | ||
| − | + | Header always append X-Frame-Options DENY | |
| − | |||
| − | Header always append X-Frame-Options DENY | ||
| − | |||
| − | |||
Alternatively, you can permit the page to be embedded only in other pages within the same domain: | Alternatively, you can permit the page to be embedded only in other pages within the same domain: | ||
| − | + | Header always append X-Frame-Options SAMEORIGIN | |
| − | |||
| − | Header always append X-Frame-Options SAMEORIGIN | ||
| − | |||
| − | |||
If a website must be embedded in an external page, a domain can be specified: | If a website must be embedded in an external page, a domain can be specified: | ||
| − | + | Header always append X-Frame-Options ALLOW-FROM botfrei.de | |
| − | |||
| − | Header always append X-Frame-Options ALLOW-FROM botfrei.de | ||
| − | |||
| − | |||
| − | |||
| − | Here is an example of an .htaccess file which will set the ''' | + | Here is an example of an .htaccess file which will set the '''Header Scanner''' to green. |
| − | ([[Htaccess|.htaccess example | + | ([[Htaccess/EN|.htaccess example]]) |
Aktuelle Version vom 8. April 2019, 09:54 Uhr
If is was reported, that the HTTP header X-Frame-Options is not set, your website is not sufficiently protected from clickjacking attacks.
Set in the HTTP header X-Frame-Options according to your requirements. The X-Frame-Options field in the HTTP header can be used to determine whether a browser is allowed to render or embed the target page in a <frame>, <iframe> or <object>. Websites can use this header to deflect clickjacking attacks by preventing their content from being embedded in third party pages.
With the HTTP-Header command X-Frame-Options, modern web browsers can be instructed to prevent loading a page in a frame on another website. To do this, the following setting must be entered in the .htaccess file:
Header always append X-Frame-Options DENY
Header always append X-Frame-Options DENY
Alternatively, you can permit the page to be embedded only in other pages within the same domain:
Header always append X-Frame-Options SAMEORIGIN
If a website must be embedded in an external page, a domain can be specified:
Header always append X-Frame-Options ALLOW-FROM botfrei.de
Here is an example of an .htaccess file which will set the Header Scanner to green. (.htaccess example)
