Recently I was flipping through some security issues faced by websites. Fortunately, I came across a new term, "clickjacking".
I understood that this attack happens only if my website is loadable in an IFrame.
Further investigation helped me learn that setting "x-frame-options" to "DENY" prevents the website from being loaded in an IFrame.
But I don't know how to implement this, as I am very new to this domain.
In your Global.asax you can add the following
// Global.asax.cs: runs once per request, before any handler or page code.
protected void Application_BeginRequest(object sender, EventArgs e)
{
    // AddHeader appends a header; it does not replace an existing one, so do not
    // also set X-Frame-Options in web.config or the response carries two copies.
    HttpContext.Current.Response.AddHeader("x-frame-options", "SAMEORIGIN");
}
Just put the following code under the <system.webServer> section in the web.config file:
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="DENY"/>
</customHeaders>
</httpProtocol>
NOTE: The X-Frame-Options header may contain one of three tokens. Add any one of these; each one has its own significance.
- DENY
- SAMEORIGIN
- ALLOW-FROM origin
For details visit MSDN blog : Combating ClickJacking With X-Frame-Options
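To see what those three tokens actually do once the header reaches a browser, here is an added example (not code from either answer or from any ASP.NET library) that simulates the browser-side decision. It follows the X-Frame-Options check in the WHATWG HTML standard, which is the behaviour current Chrome and Firefox implement: values are combined across duplicate headers and split on commas, DENY always blocks, SAMEORIGIN compares every ancestor's origin with the response origin, two or more recognised tokens (for example one header from Global.asax plus one from web.config) are treated as a conflict and block, the obsolete ALLOW-FROM is not recognised and therefore does not block at all, and a Content-Security-Policy with frame-ancestors makes the browser ignore X-Frame-Options entirely. The function names and the sample header lists are mine.

```python
"""Simulate a browser's X-Frame-Options decision for one HTTP response.

Headers are modelled as (name, value) pairs so that duplicate headers,
e.g. one added in Global.asax and one in web.config, can be represented.
"""
from typing import Iterable, List, Tuple

Headers = List[Tuple[str, str]]


def _xfo_values(headers: Headers) -> List[str]:
    """Combine every X-Frame-Options header, split on commas, lowercase the
    tokens and de-duplicate them (order of first appearance is kept)."""
    seen: List[str] = []
    for name, value in headers:
        if name.lower() != "x-frame-options":
            continue
        for token in value.split(","):
            token = token.strip().lower()
            if token and token not in seen:
                seen.append(token)
    return seen


def _has_frame_ancestors(headers: Headers) -> bool:
    """A CSP frame-ancestors directive makes browsers ignore X-Frame-Options."""
    for name, value in headers:
        if name.lower() == "content-security-policy":
            for directive in value.split(";"):
                if directive.strip().lower().startswith("frame-ancestors"):
                    return True
    return False


def xfo_allows_framing(headers: Headers, response_origin: str,
                       ancestor_origins: Iterable[str]) -> bool:
    """Return True if X-Frame-Options would let this response render inside a
    frame whose ancestor documents have the given origins.  True together
    with a frame-ancestors CSP means XFO was ignored and CSP decides."""
    if _has_frame_ancestors(headers):
        return True
    values = _xfo_values(headers)
    if not values:
        return True  # no header at all: framing from anywhere is allowed
    if len(values) > 1:
        # Conflicting values: any recognised token among them blocks framing.
        if any(v in ("deny", "allowall", "sameorigin") for v in values):
            return False
        return True  # several unrecognised values: legacy behaviour, not enforced
    first = values[0]
    if first == "deny":
        return False
    if first == "sameorigin":
        return all(o.lower() == response_origin.lower() for o in ancestor_origins)
    # Anything else, including the obsolete "allow-from origin", is not a
    # recognised token and so does not block framing.
    return True


# Constructed sample responses for demonstration (not captured traffic).
SITE = "https://example.com"
ATTACKER = "https://attacker.test"
WEB_CONFIG_ONLY = [("X-Frame-Options", "DENY")]
BOTH_ANSWERS = [("x-frame-options", "SAMEORIGIN"), ("X-Frame-Options", "DENY")]
ALLOW_FROM = [("X-Frame-Options", "ALLOW-FROM https://partner.test")]

if __name__ == "__main__":
    for label, hdrs in (("web.config only", WEB_CONFIG_ONLY),
                        ("Global.asax + web.config", BOTH_ANSWERS),
                        ("ALLOW-FROM", ALLOW_FROM)):
        print(label, "framed by attacker ->",
              "allowed" if xfo_allows_framing(hdrs, SITE, [ATTACKER]) else "blocked")
```

The ALLOW-FROM case is the one to watch: a modern browser silently lets the attacker frame the page, so a site that "hardened" itself with ALLOW-FROM is unprotected; use a Content-Security-Policy frame-ancestors directive when a specific third-party origin must be allowed.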
Have a look at this:
https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options#Configuring_Apache
It's basically a response header sent out on all responses. You can code your site to do this for each individual page, but a better approach, if you are able to edit the configuration for JUST YOUR SITE, is to handle it there...
Both APACHE and IIS should have options for this - the IIS one seems to be here:
http://support.microsoft.com/kb/2694329