The X-Frame-Options header restricts a web page's ability to be opened in a frame. Allowing a page to be framed can lead to a clickjacking attack, in which the authentic page is loaded inside a frame and a layer is placed exactly on top of its login section to capture usernames and passwords.
According to the 'X-Frame-Options response header' reference on the Mozilla Developer site, there are three possible values for X-Frame-Options:
- DENY
  The page cannot be displayed in a frame, regardless of the site attempting to do so.
- SAMEORIGIN
  The page can only be displayed in a frame on the same origin as the page itself.
- ALLOW-FROM uri
  The page can only be displayed in a frame on the specified origin.
Of these three options, DENY should be used in every possible situation unless you use old-fashioned frames.
Example HEAD request reply from a web server with X-Frame-Options implemented:
[kasun@localhost ~]$ curl -I http://192.168.2.125
HTTP/1.1 200 OK
Date: Tue, 22 Jul 2014 19:20:17 GMT
Server: Apache
X-Frame-Options: DENY
Connection: close
Content-Type: text/html; charset=UTF-8
[kasun@localhost ~]$
To implement this header in CentOS/Red Hat httpd (Apache), run the following command as root:
echo "Header always append X-Frame-Options DENY" > /etc/httpd/conf.d/x-frame-options-header.conf
Check the configuration with:
httpd -t
Then reload the httpd configuration:
service httpd reload
[root@server html]# echo "Header always append X-Frame-Options DENY" > /etc/httpd/conf.d/x-frame-options-header.conf
[root@server html]# httpd -t
Syntax OK
[root@server html]# service httpd reload
Reloading httpd:
[root@center html]#
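To verify the result without reading the curl output by eye, here is an added example (not part of the original post) that parses a captured HTTP response such as the one shown above and classifies its X-Frame-Options header. The sample responses are constructed; the first mirrors the curl -I reply from the hardened server, and the third shows what Apache's "Header append" produces when a value already existed.

```python
VALID_TOKENS = {"DENY", "SAMEORIGIN"}

# Constructed sample: the reply the post shows for the hardened server.
SAMPLE_DENY = """HTTP/1.1 200 OK
Date: Tue, 22 Jul 2014 19:20:17 GMT
Server: Apache
X-Frame-Options: DENY
Connection: close
Content-Type: text/html; charset=UTF-8
"""
# Constructed sample: a server that sends no X-Frame-Options header at all.
SAMPLE_MISSING = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
# Constructed sample: 'Header append' merged a second value into an existing one.
SAMPLE_APPENDED = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN, DENY\r\n\r\n"


def parse_headers(raw_response):
    """Split a raw HTTP response (status line + header block) into
    (status_line, [(name, value), ...]); duplicates are preserved."""
    lines = raw_response.strip().splitlines()
    if not lines:
        return "", []
    pairs = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return lines[0].strip(), pairs


def classify_xfo(raw_response):
    """Return 'missing', 'DENY', 'SAMEORIGIN', 'ALLOW-FROM', 'conflicting'
    or 'invalid' for the X-Frame-Options header in raw_response."""
    _, pairs = parse_headers(raw_response)
    values = [v for n, v in pairs if n == "x-frame-options"]
    # A comma-separated list (what 'Header append' yields on top of an existing
    # value) or a repeated header is not honoured by browsers: flag it.
    tokens = [t.strip().upper() for v in values for t in v.split(",") if t.strip()]
    if not tokens:
        return "missing"
    if len(tokens) > 1:
        return "conflicting"
    token = tokens[0]
    if token in VALID_TOKENS:
        return token
    if token.startswith("ALLOW-FROM ") and len(token.split()) == 2:
        return "ALLOW-FROM"  # accepted syntactically; obsolete in current browsers
    return "invalid"


if __name__ == "__main__":
    for label, sample in (("deny", SAMPLE_DENY), ("missing", SAMPLE_MISSING),
                          ("appended", SAMPLE_APPENDED)):
        print(label, "->", classify_xfo(sample))
```

Feed it the output of `curl -is` against your own server to confirm the header is present exactly once with the value DENY.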
Image credits: http://blogs.technet.com