Li Daren's Blog

Heaven and earth are vast, but with a single thought toward goodness and a conscience in the heart, even an ordinary person can become a sage.

X-Frame-Options: preventing frame hijacking and XSS attacks

Embedding other sites' pages in frames to leech or redirect traffic is quite common, and frames can also be used for XSS attacks. If your site is affected, you can address the problem by setting X-Frame-Options in the HTTP response header. This solution only works in browsers that support X-Frame-Options.

The X-Frame-Options HTTP response header tells the browser whether a page may be displayed inside a `<frame>` or `<iframe>`.

Using the X-Frame-Options attribute in the HTTP response header

The X-Frame-Options attribute parameters are:

DENY: Indicates that the page should not be displayed in a frame, even if it is nested in a page with the same domain.

SAMEORIGIN: Indicates that the page can be displayed in a frame within a page with the same domain.

ALLOW-FROM: Indicates that the page can be displayed in a frame from a specified source.

If you don't frame your own pages but want to stop others from framing them, set DENY. If you do frame your own pages but want to stop others from framing them, set SAMEORIGIN.
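To see how the three values behave, here is an added example (not code from the original post) that applies the DENY / SAMEORIGIN / ALLOW-FROM decision to a page's response headers, given the origin serving the page and the origin of the page trying to embed it. It doubles as an audit helper: run it over your own site's responses and it lists the pages that a third-party origin could still frame. The sample responses and hostnames (`www.example.test`, `partner.example.test`, `evil.example.test`) are constructed for the example. Note that ALLOW-FROM is a legacy directive that current browsers no longer honour; the Content-Security-Policy `frame-ancestors` directive is its replacement, and a missing or unrecognised header leaves framing allowed.

```python
"""Evaluate X-Frame-Options the way a browser does (added example)."""
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Reduce a URL to its scheme://host[:port] origin, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def frame_allowed(headers: dict, page_url: str, embedder_url: str) -> tuple:
    """Decide whether a browser renders page_url inside a frame on embedder_url.

    Returns (allowed, reason). Implements the DENY / SAMEORIGIN / ALLOW-FROM
    semantics described in the post. A missing or unrecognised header leaves
    framing allowed, which is exactly the case an audit should flag.
    """
    # Header names are case-insensitive and a server may emit the header twice.
    values = [v for k, v in headers.items() if k.lower() == "x-frame-options"]
    if not values:
        return True, "missing: any site may frame this page"

    # Split combined values ("SAMEORIGIN, DENY") and de-duplicate; the HTML
    # standard blocks the frame when distinct directives conflict.
    tokens = {t.strip().upper() for v in values for t in v.split(",") if t.strip()}
    if len(tokens) > 1:
        return False, f"conflicting directives {sorted(tokens)}: blocked"
    directive = tokens.pop()

    if directive == "DENY":
        return False, "DENY: never rendered in a frame"
    if directive == "SAMEORIGIN":
        if origin_of(page_url) == origin_of(embedder_url):
            return True, "SAMEORIGIN: embedder shares the page's origin"
        return False, "SAMEORIGIN: embedder origin differs"
    if directive.startswith("ALLOW-FROM"):
        # Legacy directive: only the single listed origin may embed the page.
        allowed = directive[len("ALLOW-FROM"):].strip()
        if allowed and origin_of(allowed) == origin_of(embedder_url):
            return True, "ALLOW-FROM: embedder matches the listed origin"
        return False, "ALLOW-FROM: embedder is not the listed origin"
    return True, f"unrecognised value {directive!r}: header ignored, framing allowed"


def audit(responses: dict, embedder_url: str) -> list:
    """Return the URLs whose response headers let embedder_url frame them."""
    return [url for url, hdrs in responses.items()
            if frame_allowed(hdrs, url, embedder_url)[0]]


# Constructed sample responses (hostnames are placeholders, not real sites).
SAMPLE_RESPONSES = {
    "https://www.example.test/login": {"X-Frame-Options": "DENY"},
    "https://www.example.test/widget": {"x-frame-options": "SAMEORIGIN"},
    "https://www.example.test/legacy": {
        "X-Frame-Options": "ALLOW-FROM https://partner.example.test"},
    "https://www.example.test/unprotected": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    third_party = "https://evil.example.test/page"
    for url, hdrs in SAMPLE_RESPONSES.items():
        allowed, why = frame_allowed(hdrs, url, third_party)
        print(f"{url}: {'FRAMEABLE' if allowed else 'protected'} ({why})")
```

Running the script reports only `/unprotected` as frameable by the third-party origin; swapping in an embedder on `https://www.example.test` shows `/widget` becoming frameable as SAMEORIGIN intends, while `/login` stays blocked under DENY.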

Add the following to the Nginx configuration:

add_header X-Frame-Options SAMEORIGIN;

Add the following to the Haproxy configuration:

rspadd X-Frame-Options:\ SAMEORIGIN

This effectively prevents XSS attacks that rely on frames.

Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
