A nice way to protect your website against clickjacking and framing is now available in Internet Explorer 8, Safari 4 and Chrome 2, and for Firefox users who run the NoScript add-on. As a web developer you only need to add a header:
or this one:
The first one won't let your site be displayed within a frame or iframe at all. The second one only allows framing from your own site (measured by the domain name; I still need to check how that behaves for subdomains and for http-equiv style headers in the HTML source). This is something the browser has to read and follow, so it won't work automatically out of the box. But most modern browsers already support it, so this is a cheap way to protect your site (and with that, naturally, your site's users).
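To make the difference between the two values concrete, here is an added example (not code from the original post) that models how a browser honouring X-Frame-Options decides whether a page may be framed. The response headers are constructed samples, and the origin comparison assumes the scheme, host and port rule that modern browsers apply to SAMEORIGIN, which also answers the subdomain question: a subdomain is a different origin.

```python
from urllib.parse import urlsplit

# Constructed sample responses, keyed by page URL (not captured from any real site)
SAMPLE_RESPONSES = {
    "https://example.com/deny": {"X-Frame-Options": "DENY"},
    "https://example.com/same": {"x-frame-options": "SAMEORIGIN"},
    "https://example.com/none": {"Content-Type": "text/html"},
    "https://example.com/bad":  {"X-Frame-Options": "ALLOWALL"},
}


def origin(url):
    """Origin tuple (scheme, host, port) used for the SAMEORIGIN comparison."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    return (parts.scheme.lower(), parts.hostname.lower(), port)


def xfo_policy(headers):
    """Return the normalised X-Frame-Options value, or None when the header is absent.
    Header names are case-insensitive, so match them that way."""
    for name, value in headers.items():
        if name.lower() == "x-frame-options":
            return value.strip().upper()
    return None


def framing_allowed(page_url, headers, framer_url):
    """Decide whether page_url (served with `headers`) would be rendered inside a frame
    on framer_url. Returns (allowed, reason)."""
    policy = xfo_policy(headers)
    if policy is None:
        return True, "no X-Frame-Options header: framing unrestricted"
    if policy == "DENY":
        return False, "DENY: never framed, not even by the same site"
    if policy == "SAMEORIGIN":
        if origin(page_url) == origin(framer_url):
            return True, "SAMEORIGIN: framer shares scheme, host and port"
        return False, "SAMEORIGIN: framer origin differs (subdomains and http vs https count as different)"
    # Unknown values are ignored by browsers, which leaves the page unprotected.
    return True, "unrecognised value %r: browsers ignore it, so no protection" % policy


def audit(responses, framer_url):
    """Report, per sample page, whether framer_url could frame it."""
    return {url: framing_allowed(url, hdrs, framer_url) for url, hdrs in responses.items()}


if __name__ == "__main__":
    for url, (allowed, reason) in audit(SAMPLE_RESPONSES, "https://sub.example.com/").items():
        print("%-28s frameable=%-5s %s" % (url, allowed, reason))
```

Run it to see that only the DENY and SAMEORIGIN pages resist framing from the constructed subdomain, while a missing or misspelled header gives no protection.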
Enable X-Frame-Options on your site
You can easily enable that option on your own website by adding a line to your Apache web server configuration or .htaccess file. You're using Apache, right?
Header append x-frame-options "SAMEORIGIN"
If you're not using .htaccess or you cannot configure your web server, you can do this with a single line of PHP code as well:
- X-Frame-Options: something web developers should know
- Clickjacking 2.0 mit Drag&Drop (in German)