title: "Preventing Clickjacking or XSS Attacks from Frames with X-Frame-Options"
- "system management"
Embedding other sites' pages in frames to steal traffic or to mount clickjacking and XSS attacks is common. It can be prevented by setting the X-Frame-Options HTTP response header, although this only protects users whose browsers support X-Frame-Options.
The X-Frame-Options HTTP response header tells the browser whether a page may be rendered inside a <frame>, <iframe> or <object>.
The X-Frame-Options response header takes one of the following values:
DENY: The page must not be displayed in a frame at all, even when the embedding page comes from the same domain.
SAMEORIGIN: The page may be displayed in a frame only when the embedding page comes from the same domain.
ALLOW-FROM: The page may be displayed in a frame only by the specified origin.
If you do not use frames yourself and want to stop others from framing your pages, set DENY. If you use frames on your own site but want to stop others from framing your pages, set SAMEORIGIN.
To implement this in Nginx configuration, add the following line:
add_header X-Frame-Options SAMEORIGIN;
To implement this in HAProxy configuration, add the following line:
rspadd X-Frame-Options:\ SAMEORIGIN
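The following is an added Python example, not code from the original post: it models how a browser applies the headers above to decide whether a page may be framed by a given embedder, and runs that check over a few constructed responses to flag pages that a third-party site could still frame. It assumes two behaviours of current browsers: `ALLOW-FROM` is no longer honoured (the header is simply ignored, so the page is framable), and a `Content-Security-Policy` with a `frame-ancestors` directive takes precedence over X-Frame-Options. It also simplifies by checking only the direct embedder's origin rather than the whole ancestor chain a real browser walks. The origins and headers in `SAMPLE_RESPONSES` are constructed for the example.

```python
"""Evaluate the framing policy a server sends, approximating how a browser applies it."""
from urllib.parse import urlsplit


def origin(url: str) -> tuple:
    """Return (scheme, host, port) with the default port filled in."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme.lower() == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def _header(headers: dict, name: str):
    """Case-insensitive header lookup (header names are case-insensitive on the wire)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _csp_frame_ancestors(csp: str):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def _source_matches(source: str, page_origin: tuple, embedder_origin: tuple) -> bool:
    """Match one CSP source expression ('none', 'self', *, scheme:, host-source) against the embedder."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return embedder_origin == page_origin
    if src == "*":
        return True
    scheme, host, port = embedder_origin
    if src.endswith(":") and "/" not in src:          # scheme-source such as "https:"
        return scheme == src[:-1]
    src_scheme, _, rest = src.rpartition("://")       # host-source with optional scheme
    if src_scheme and src_scheme != scheme:
        return False
    host_part, _, port_part = rest.split("/", 1)[0].partition(":")
    if port_part == "*":
        pass                                          # any port is acceptable
    elif port_part:
        if int(port_part) != port:
            return False
    elif port != (443 if scheme == "https" else 80):  # no port given: only the scheme default matches
        return False
    if host_part.startswith("*."):                    # wildcard matches subdomains only, not the apex
        return host.endswith(host_part[1:])
    return host == host_part


def framing_allowed(headers: dict, page_url: str, embedder_url: str) -> bool:
    """True if a browser would render page_url inside a frame on embedder_url."""
    page, embedder = origin(page_url), origin(embedder_url)
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        ancestors = _csp_frame_ancestors(csp)
        if ancestors is not None:
            # Assumption: when frame-ancestors is present, X-Frame-Options is ignored (CSP Level 3).
            return any(_source_matches(s, page, embedder) for s in ancestors)
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return True                                   # no policy at all: anyone may frame the page
    value = xfo.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return embedder == page
    # Assumption: ALLOW-FROM (and any unrecognised value) is ignored by current browsers.
    return True


# Constructed sample responses: (name, page URL, response headers).
SAMPLE_RESPONSES = [
    ("login", "https://app.example.com/login", {"X-Frame-Options": "SAMEORIGIN"}),
    ("legacy", "https://app.example.com/legacy",
     {"x-frame-options": "ALLOW-FROM https://partner.example.com"}),
    ("widget", "https://app.example.com/widget",
     {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example.com"}),
    ("unprotected", "https://app.example.com/old", {"Content-Type": "text/html"}),
]


def audit(responses, probe_origin: str = "https://third-party.example") -> list:
    """Return the names of responses that an unrelated site (probe_origin) could still frame."""
    return [name for name, url, hdrs in responses if framing_allowed(hdrs, url, probe_origin)]


if __name__ == "__main__":
    print("framable by a third party:", audit(SAMPLE_RESPONSES))
```

Running the block reports `legacy` and `unprotected` as framable by an unrelated site: the first because current browsers ignore `ALLOW-FROM`, the second because it sends no policy at all. For the allow-list case that `ALLOW-FROM` was meant for, send `Content-Security-Policy: frame-ancestors 'self' https://partner.example.com` alongside `X-Frame-Options: SAMEORIGIN` as a fallback for older browsers. Note also that `rspadd` belongs to the HAProxy 1.x configuration language; current HAProxy releases use `http-response set-header X-Frame-Options SAMEORIGIN` instead.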
By doing so, you can effectively prevent clickjacking and XSS attacks that rely on loading your pages inside a frame.
For more information, refer to: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options