Control your site’s usage in frames

A cheap way to protect your website against click-jacking and unwanted framing is now available for Internet Explorer 8, Safari 4 and Chrome 2, and for Firefox users who run the NoScript plugin. As a web developer, you only need to send one HTTP response header:

X-FRAME-OPTIONS: DENY

or this one:

X-FRAME-OPTIONS: SAMEORIGIN

The first one won’t let your site be displayed within a frame or iframe at all. The second one only allows framing by pages from your own site (measured by the domain name; I still need to check how that works for subdomains and for http-equiv style headers in the HTML source). The header is only advisory: a browser must read and follow it, so it won’t work out of the box in browsers that don’t know it. But most modern browsers already support it, so this is a cheap thing to set up to protect your site (and with that, naturally, your site’s users).

Enable X-Frame-Options on your site

You can easily enable that option on your own website by adding a line to your Apache web server configuration or .htaccess file (the Header directive needs mod_headers). You’re using Apache, right?

# Requires mod_headers. "set" replaces any value already present instead of
# appending to it (an appended "DENY, SAMEORIGIN" is not a valid directive),
# and "always" also covers error responses such as 404 pages.
Header always set X-Frame-Options "SAMEORIGIN"

If you’re not using .htaccess or you cannot configure your web server, you can do this with a little line of PHP code as well:

<?php
// Must run before any output is sent; PHP cannot change headers once the body has started.
header('X-Frame-Options: SAMEORIGIN');
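As an added example (not code from the original post), here is a small Python checker that shows what a browser actually receives after either of the configurations above. It parses a raw HTTP response header block and classifies the framing policy as DENY, SAMEORIGIN, NONE (header missing) or INVALID (anything that is not a single recognised directive, for instance the "DENY, SAMEORIGIN" list you get when a header is appended to one that was already set, or the same header sent twice). It only looks at HTTP response headers, which is where browsers look for this one. The sample responses are constructed, and fetch_policy is an assumed convenience wrapper around urllib for checking a live URL; the samples do not exercise it.

```python
"""Classify the X-Frame-Options policy a server sends (added example)."""
import sys
import urllib.request

# The two directives every browser that implements X-Frame-Options understands.
VALID_VALUES = {"DENY", "SAMEORIGIN"}

# Constructed sample responses, not captured from any real site.
SAMPLES = {
    "apache_set":     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n",
    "php_header":     "HTTP/1.1 200 OK\r\nX-FRAME-OPTIONS: DENY\r\nContent-Type: text/html\r\n",
    "no_header":      "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
    "appended_twice": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY, SAMEORIGIN\r\n",
    "two_headers":    "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n",
}


def parse_headers(raw):
    """Split a raw header block into (name, value) pairs; the status line is skipped."""
    pairs = []
    for line in raw.splitlines():
        if not line.strip() or line.upper().startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def frame_policy(headers):
    """Return (policy, reason) for the framing protection found in `headers`.

    policy is "DENY", "SAMEORIGIN", "NONE" or "INVALID". Header names and
    directive values are case-insensitive. Two header lines, or one line with
    a comma-separated value, both reach the browser as a list of directives;
    browsers differ in how they treat a conflicting list, so it is reported as
    a misconfiguration rather than as protection.
    """
    raw_values = [v for n, v in headers if n.lower() == "x-frame-options"]
    if not raw_values:
        return "NONE", "no X-Frame-Options header: the page can be framed from anywhere"
    directives = {
        part.strip().upper()
        for raw in raw_values
        for part in raw.split(",")
        if part.strip()
    }
    if len(directives) != 1:
        return "INVALID", f"conflicting directives {sorted(directives)}: fix the server config"
    directive = directives.pop()
    if directive in VALID_VALUES:
        return directive, "ok"
    return "INVALID", f"unrecognised directive {directive!r}"


def check_raw(raw):
    """Convenience: classify a raw header block in one call."""
    return frame_policy(parse_headers(raw))


def fetch_policy(url):
    """Assumed helper: HEAD a live URL and classify its X-Frame-Options header."""
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=10) as response:
        return frame_policy(list(response.headers.items()))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(fetch_policy(sys.argv[1]))
    else:
        for name, raw in SAMPLES.items():
            policy, reason = check_raw(raw)
            print(f"{name:15} {policy:10} {reason}")
```

Run it without arguments to see the constructed samples classified, or with a URL to check a site you operate after changing its configuration.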

References

Read on: Prevent XSS on your wordpress Blog with CSP

This entry was posted in Hakre's Tips, Surviving the Internet.
