The X-Frame-Options response header

Restricting your page from being used in iframes (clickjacking)

I found this header option repeated in many guidelines for securing web applications.

Adding this header to the response instructs the browser not to load your page inside an iframe tag.

For ASP.NET you can do it in two ways:

1. Adding the header on request start in your global.asax file

void Application_BeginRequest(object sender, EventArgs e)
{
    // Runs for every request, so every response carries the header
    // (HTTP header names are case-insensitive, so X-FRAME-OPTIONS is fine)
    HttpContext.Current.Response.AddHeader("X-FRAME-OPTIONS", "DENY");
}

2. Adding the header in web.config

<configuration>
    ...
    <!-- section names are case-sensitive: system.webServer, not system.webserver -->
    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <add name="X-Frame-Options" value="DENY" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>
    ...
</configuration>

Whichever method you use, the header is sent with every response and your content will not be loaded into other websites' pages.

The header can take the following values:

  • SAMEORIGIN - allows the page to be loaded in an iframe only if the container page and the framed page come from the same domain
  • DENY - disallows loading the page in an iframe, regardless of the domain
  • ALLOW - allows the page to be loaded on any other web page, regardless of the domain

Unfortunately, this header is not supported by all browsers, but it is supported by newer versions of the most popular browsers, which run on the majority of computers nowadays.
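As an added check (example code, not from the article or its author), the following Python script classifies the X-Frame-Options header of a raw HTTP response and looks up the custom header in a web.config fragment; the responses and config fragments are constructed samples. It recognises the values RFC 7034 defines (DENY, SAMEORIGIN and the deprecated ALLOW-FROM) and reports anything else as unrecognised, because browsers treat an unknown or conflicting value as if the header were absent.

```python
import xml.etree.ElementTree as ET

# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "deny": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n\r\n<html></html>",
    "missing": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    "typo": b"HTTP/1.1 200 OK\r\nX-Frame-Options: SAME-ORIGIN\r\n\r\n<html></html>",
    "conflict": b"HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
}

# Constructed web.config fragments; the second mis-cases the section name,
# which IIS rejects and which a case-sensitive XML lookup does not find either.
GOOD_CONFIG = ('<configuration><system.webServer><httpProtocol><customHeaders>'
               '<add name="X-Frame-Options" value="DENY" /></customHeaders>'
               '</httpProtocol></system.webServer></configuration>')
BAD_CONFIG = GOOD_CONFIG.replace("system.webServer", "system.webserver")

def parse_headers(raw):                  # (name, value) pairs, names lower-cased
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def assess_xfo(raw):                     # classify the header value per RFC 7034
    values = [v for n, v in parse_headers(raw) if n == "x-frame-options"]
    if not values:
        return "missing"                 # any site may frame the page
    if len({v.upper() for v in values}) > 1:
        return "conflicting"             # browsers ignore the header entirely
    v = values[0].upper()
    if v == "DENY":
        return "deny"
    if v == "SAMEORIGIN":
        return "sameorigin"
    if v.startswith("ALLOW-FROM "):
        return "allow-from"              # deprecated and dropped by current browsers
    return "unrecognised"                # treated like a missing header: no protection

def web_config_xfo(xml_text):            # header value from web.config, or None
    node = ET.fromstring(xml_text)
    for tag in ("system.webServer", "httpProtocol", "customHeaders"):
        node = node.find(tag)            # XML is case-sensitive: must be system.webServer
        if node is None:
            return None
    for add in node.findall("add"):
        if add.get("name", "").lower() == "x-frame-options":
            return add.get("value")
    return None
```

To audit a live deployment, feed `assess_xfo` the raw response bytes of the page you want to protect and `web_config_xfo` the contents of its web.config.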

Note

If you are using a CMS whose back end relies on iframes, set this header to SAMEORIGIN so that the back end keeps working.

This feature, together with the cross-domain scripting restriction, provides solid protection against forgery websites.

It is recommended to use this header on ASP.NET websites, especially those that take payments or send sensitive user information.

This website has these settings in its web.config, so if you try to load it in an iframe in your browser you will probably get an empty document in the iframe. Browsers implement this differently: some show an empty document in the iframe (Firefox), others show an error page.

Disclaimer

The purpose of the code contained in snippets or available for download in this article is solely learning and demonstration. The author will not be held responsible for any failure or damages caused by any other usage.


About the author

DEJAN STOJANOVIC

Dejan is a passionate Software Architect/Developer. He is highly experienced in the .NET programming platform, including ASP.NET MVC and WebApi. He likes working on new technologies and exciting, challenging projects.
