李大仁博客
X-Frame-Options prevents clickjacking and other attacks that depend on framing a page; it is not a defence against XSS.

title: "Preventing Clickjacking or XSS Attacks from Frames with X-Frame-Options"
date: "2016-12-22"
categories:

  • "system management"

tags:

  • "haproxy"
  • "nginx"

Embedding someone else's page in a frame to steal its traffic or to mount a clickjacking attack (overlaying the framed page with the attacker's own controls so that a visitor clicks something they did not intend to) is common. It can be prevented by sending the X-Frame-Options HTTP response header. The protection is enforced by the browser, so it only works in browsers that implement X-Frame-Options; every current browser does. Note that the header does nothing against XSS: a script injected into the page runs in the page's own origin whether the page is framed or not.

The X-Frame-Options response header tells the browser whether the page may be rendered inside a <frame>, <iframe>, <embed> or <object> element, and therefore whether another site can overlay it with its own content.

X-Frame-Options takes one of the following values:

DENY: The page may not be displayed in a frame at all, not even by a page from the same origin.

SAMEORIGIN: The page may be displayed in a frame only by a page from the same origin, meaning the same scheme, host and port; a sibling subdomain is a different origin and is blocked.

ALLOW-FROM uri: The page may be framed only by the named origin. This directive is obsolete: it was only ever implemented by some browsers, it accepts a single origin, and current browsers that encounter it ignore the whole header, leaving the page frameable by anyone. To allow specific embedders, use the Content-Security-Policy frame-ancestors directive instead.

If your site never frames its own pages, set DENY so that nobody can frame them. If your site does frame its own pages but you want to stop other sites from doing so, set SAMEORIGIN.

To set it in Nginx, add the following line to the server block. Two caveats: a location block that has its own add_header directives does not inherit the headers set in the enclosing server block, so the line must be repeated in any such location; and without the always parameter (Nginx 1.7.5 and later) the header is only added to 2xx, 3xx and a few other success responses, not to error pages.

add_header X-Frame-Options SAMEORIGIN always;

To set it in HAProxy 1.x, add the following line to the frontend or backend (the backslash escapes the space, since rspadd takes the raw header line):

rspadd X-Frame-Options:\ SAMEORIGIN

The rspadd keyword was removed in HAProxy 2.1; on current versions the equivalent is:

http-response set-header X-Frame-Options SAMEORIGIN

With the header in place, a browser refuses to render the page inside a frame on another site, which defeats clickjacking and frame-based traffic theft. It does not stop XSS. Also note that X-Frame-Options has been superseded by the Content-Security-Policy frame-ancestors directive: when both headers are present, browsers apply frame-ancestors and ignore X-Frame-Options, so send both (for example Content-Security-Policy: frame-ancestors 'self' alongside X-Frame-Options: SAMEORIGIN) to cover old browsers as well as new ones.
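Whether a given embedder will be allowed is easy to misjudge by hand (same domain is not the same origin, ALLOW-FROM is silently dropped, frame-ancestors overrides everything). The following Python script is an added example, not code from the original post: it applies those rules to a set of constructed response headers and reports whether a browser would let one origin frame another. The sample headers, the origins www.example.com, partner.example and evil.example, and the function names are all invented for illustration; the frame-ancestors matcher is deliberately minimal and does not handle wildcard hosts, and conflicting X-Frame-Options values are treated as DENY, which is the conservative reading rather than a guarantee about every browser.

```python
"""Decide whether a browser would let one origin frame another, judged from
the response headers alone. Added example; all inputs below are constructed."""
from urllib.parse import urlsplit

# Constructed sample responses (hypothetical, not captured from a real server).
SAMPLE_RESPONSES = {
    "unprotected": {"Content-Type": "text/html"},
    "deny": {"X-Frame-Options": "DENY"},
    "sameorigin": {"x-frame-options": "sameorigin"},  # header names and values are case-insensitive
    "allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "conflict": {"X-Frame-Options": "DENY, SAMEORIGIN"},
    "csp_wins": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://partner.example",
    },
}


def origin(url):
    """(scheme, host, port) with default ports filled in, so that
    https://a.example and https://a.example:443 compare equal."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else {"http": 80, "https": 443}.get(scheme)
    return (scheme, (p.hostname or "").lower(), port)


def _header_values(headers, name):
    return [v for k, v in headers.items() if k.lower() == name.lower()]


def _frame_ancestors(headers):
    """Source list of the CSP frame-ancestors directive, or None if absent."""
    for value in _header_values(headers, "Content-Security-Policy"):
        for directive in value.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return parts[1:]
    return None


def _ancestor_allowed(sources, page, embedder):
    """Minimal matcher: 'none', 'self', '*', scheme-only sources (https:)
    and exact origins. Wildcard hosts such as *.example are not handled."""
    for src in sources:
        s = src.lower()
        if s == "'none'":
            return False
        if s == "*":
            return True
        if s == "'self'" and embedder == page:
            return True
        if s in ("http:", "https:") and embedder[0] == s[:-1]:
            return True
        if s.startswith(("http://", "https://")) and origin(s) == embedder:
            return True
    return False


def framing_decision(headers, page_url, embedder_url):
    """Return (allowed, reason) for embedder_url framing page_url.

    Rules: frame-ancestors takes precedence over X-Frame-Options; DENY
    blocks everyone; SAMEORIGIN requires the same scheme, host and port;
    ALLOW-FROM is obsolete and makes current browsers ignore the whole
    header; conflicting values are treated as DENY (conservative reading)."""
    page, embedder = origin(page_url), origin(embedder_url)
    ancestors = _frame_ancestors(headers)
    if ancestors is not None:
        return _ancestor_allowed(ancestors, page, embedder), "frame-ancestors"
    values = [v.strip().upper()
              for raw in _header_values(headers, "X-Frame-Options")
              for v in raw.split(",") if v.strip()]
    if not values:
        return True, "no framing protection"
    if len(set(values)) > 1:
        return False, "conflicting X-Frame-Options values"
    value = values[0]
    if value == "DENY":
        return False, "DENY"
    if value == "SAMEORIGIN":
        return embedder == page, "SAMEORIGIN"
    if value.startswith("ALLOW-FROM"):
        return True, "ALLOW-FROM is obsolete and ignored"
    return True, "unrecognised value ignored"


if __name__ == "__main__":
    page = "https://www.example.com/account"
    for name, headers in SAMPLE_RESPONSES.items():
        for embedder in ("https://www.example.com/", "https://partner.example/", "https://evil.example/"):
            allowed, why = framing_decision(headers, page, embedder)
            print(f"{name:12} framed by {embedder:27} -> {'ALLOW' if allowed else 'BLOCK'} ({why})")
```

Run it as a script to see the full matrix; the rows worth noticing are that the allow_from response is frameable by evil.example, and that the csp_wins response admits partner.example despite its X-Frame-Options: DENY, because frame-ancestors wins. To audit a real deployment, replace SAMPLE_RESPONSES with the headers returned by your own server.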

For more information, refer to: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
