Monday 19 November 2012

How to mitigate framesniffing with the X-Frame-Options header?


Understanding the Security Issue:
Imagine you have a page on your website, mypage1.aspx. Unless you say otherwise, this page can be loaded in an iframe and shown on any page, under any external domain, by anyone.

The problem is that when a page is hosted in an iframe, the parent page can read data that is communicated through the framed page, so a capable attacker can benefit from this vulnerability.

Solution:
One possible solution to prevent this kind of security issue (it doesn't work for old browsers) is to configure your IIS so that it only allows a page to be iframed by the domains you trust and prevents all other domains.

To restrict all external domains:

Put the field/value pair below in the HTTP Headers tab of the IIS folder which contains your page:

X-Frame-Options = SAMEORIGIN

To allow an external domain:

X-Frame-Options = ALLOW-FROM http://google.com

Considerations:
  • Instead of adding X-Frame-Options on the site root, put it on each page which requires being protected.
  • For each page or folder, you can only specify one of the three main header values: "DENY", "ALLOW-FROM" or "SAMEORIGIN". Unfortunately you can't mix them.
  • ALLOW-FROM supports only one origin, not multiple.
  • In IIS 6.0 you can put the header on each page that needs it, but in IIS 7.0 that's not possible via IIS; the workaround for IIS 7.0 is server-side code for the page.
  • Not all browsers support it: IE 8+ and some other browsers do. More details: http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
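As an added example (not code from the original post) of the IIS 7.0 server-side workaround, the ASP.NET HttpModule below sends X-Frame-Options only for the pages that need protection, with exactly one directive per page. The page names other than mypage1.aspx, the partner origin and the module name are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Register in web.config under <system.webServer><modules> (IIS 7 integrated pipeline):
//   <add name="FrameOptionsModule" type="FrameOptionsModule" />
public class FrameOptionsModule : IHttpModule
{
    // Hypothetical per-page policy: application-relative path -> single X-Frame-Options value.
    // Pages that are not listed get no header and stay frameable, as before.
    private static readonly Dictionary<string, string> Policy =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "~/mypage1.aspx", "SAMEORIGIN" },
            // ALLOW-FROM takes exactly one origin (scheme + host); "http://partner.example" is a placeholder.
            { "~/partner-widget.aspx", "ALLOW-FROM http://partner.example" },
            { "~/login.aspx", "DENY" },
        };

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        string path = app.Request.AppRelativeCurrentExecutionFilePath;

        string value;
        if (Policy.TryGetValue(path, out value))
        {
            // This module must be the only place that sets the header: browsers treat a
            // duplicated or mixed X-Frame-Options value as invalid and may ignore it.
            app.Response.AppendHeader("X-Frame-Options", value);
        }
    }

    public void Dispose() { }
}
```

Confirm the result by requesting each protected page and checking that the response carries exactly one X-Frame-Options header with the intended value.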