Clickjacking: X-Frame-Options Header Missing

Web developers

Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

Defending against Clickjacking

There are two main ways to prevent clickjacking:

  • Sending the proper X-Frame-Options HTTP response headers that instruct the browser to not allow framing from other domains
  • Employing defensive code in the UI to ensure that the current frame is the most top level window

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

The X-Frame-Options header can be used to control whether a page can be placed in an IFRAME. Because the Framesniffing technique relies on being able to place the victim site in an IFRAME, a web application can protect itself by sending an appropriate X-Frame-Options header.

There are three possible values for X-Frame-Options:

  • DENY: The page cannot be displayed in a frame, regardless of the site attempting to do so.
  • SAMEORIGIN: The page can only be displayed in a frame on the same origin as the page itself.
  • ALLOW-FROM uri: The page can only be displayed in a frame on the specified origin.
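To make the three values, and the missing-header case that this finding reports, concrete, here is an added example (written for this page, not code from the original) that classifies the X-Frame-Options header of a response. It takes a list of (name, value) header pairs, the shape that http.client's HTTPResponse.getheaders() returns; the sample responses inside it are constructed. It goes slightly beyond the list above in also reporting a multi-valued header and an unrecognised directive, since both leave the page unprotected in practice.

```python
"""Classify the X-Frame-Options header of an HTTP response.

Added example, not code from the original page. Input is a list of
(name, value) header pairs, the shape http.client's
HTTPResponse.getheaders() returns; the sample responses are constructed.
"""

PROTECTED = {"deny", "sameorigin"}


def evaluate_x_frame_options(headers):
    """Return (status, detail) for the given response headers.

    status is one of: missing, deny, sameorigin, allow-from, multiple, invalid.
    Only deny and sameorigin count as protection against framing by other sites.
    """
    values = []
    for name, value in headers:
        if name.lower() == "x-frame-options":
            # Header names are case-insensitive. A header may also have been
            # appended twice (e.g. Apache `Header append`), giving "a, b".
            values.extend(v.strip() for v in value.split(",") if v.strip())

    if not values:
        return "missing", "no X-Frame-Options header: any site may frame this page"
    if len(values) > 1:
        # The header is defined as a single directive; report a multi-valued
        # header as a misconfiguration rather than guess how a browser resolves it.
        return "multiple", f"several values {values}; emit exactly one"

    directive = values[0].upper()
    if directive == "DENY":
        return "deny", "page cannot be framed by any site"
    if directive == "SAMEORIGIN":
        return "sameorigin", "page can only be framed from its own origin"
    if directive.startswith("ALLOW-FROM"):
        # ALLOW-FROM is obsolete and ignored by current browsers, so it gives
        # no protection in practice even though it was once a valid value.
        return "allow-from", f"{values[0]!r} is obsolete; browsers ignore it"
    return "invalid", f"{values[0]!r} is not a valid directive; browsers ignore it"


def is_protected(headers):
    """True if the response prevents framing by other origins."""
    return evaluate_x_frame_options(headers)[0] in PROTECTED


# Constructed sample responses covering each case.
SAMPLES = {
    "no header": [("Content-Type", "text/html")],
    "deny": [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")],
    "sameorigin lowercase name": [("x-frame-options", "sameorigin")],
    "appended twice": [("X-Frame-Options", "SAMEORIGIN, SAMEORIGIN")],
    "two headers": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
    "allow-from": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "typo": [("X-Frame-Options", "SAME-ORIGIN")],
}


def classify_samples():
    """Map each sample name to its status, for a quick report."""
    return {name: evaluate_x_frame_options(hdrs)[0] for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        status, detail = evaluate_x_frame_options(headers)
        print(f"{name:26} {status:10} {detail}")
```

The checker deliberately treats ALLOW-FROM as unprotected: current browsers no longer honour it, so a site that relies on it is framable from anywhere. The "appended twice" sample is the shape produced when the header is appended at two layers (for instance an application and a reverse proxy); the fix is to have exactly one layer set it.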

Configuring Apache

To configure Apache to send the X-Frame-Options header for all pages, add this to your site's configuration (httpd.conf, a virtual host block, or an .htaccess file; the Header directive requires mod_headers to be loaded):

Header always set X-Frame-Options "SAMEORIGIN"

Use set rather than append: append adds a second value if another layer already emits the header, and a multi-valued X-Frame-Options header is not reliably honoured by browsers.


Configuring IIS

To configure IIS to add an X-Frame-Options header to all responses for a given site, follow these steps:

  • Open Internet Information Services (IIS) Manager.
  • In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
  • Double-click the HTTP Response Headers icon in the feature list in the middle
  • In the Actions pane on the right side, click Add.
  • In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field.
  • Click OK to save your changes.

To configure IIS to send the X-Frame-Options header, add this to your site's Web.config file:

<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>


Apache (disabling HTTP methods)

The traditional way to disable specific HTTP methods in the Apache web server is with mod_rewrite. mod_rewrite is a rules-based rewriting engine that can be loaded in the standard Apache configuration file or as part of an .htaccess file. A mod_rewrite rule has a minimum of four components: the directive that loads the module, the directive that turns the rewrite engine on, a rewrite condition, and a rewrite rule.

Steps:

  • Search your Apache configuration file(s) for mod_rewrite.so. If it is not found, add the following line to your Apache configuration file (typically httpd.conf):

    LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so

  • Enable the rewrite engine:

    RewriteEngine On

  • Forbid the OPTIONS method with a rewrite condition and a rewrite rule:

    RewriteCond %{REQUEST_METHOD} ^OPTIONS
    RewriteRule .* - [F]

Taken together, the configuration is:

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^OPTIONS
    RewriteRule .* - [F]

The flag in square brackets selects the action: [F] answers the request with 403 Forbidden, [R] redirects to another page, and so on.

Note: by default, rewrite configurations are not inherited across virtual hosts. Add RewriteEngine On (and the rules) to each virtual host that should enforce the restriction.

Tomcat

In Apache Tomcat, security is enforced by way of security constraints that are built into the Java Servlet specification. These are not contained within the main server.xml file of Tomcat but within the application's web.xml configuration file.

webapps/theAPP/WEB-INF/web.xml:

<!-- Sample security constraint: an empty auth-constraint means no role
     is allowed, so OPTIONS requests to any URL are refused -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>OPTIONS</http-method>
  </web-resource-collection>
  <auth-constraint />
</security-constraint>
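The Apache, IIS and Tomcat fragments above all aim at the same observable behaviour: every response carries X-Frame-Options: SAMEORIGIN, and an OPTIONS request is refused with 403. The following added example (written for this page; it is not configuration for any of those products) reproduces both controls with Python's standard-library http.server standing in for the web server, and pairs them with the probe a practitioner would run against a real deployment to confirm the configuration took effect. The hostname, port and page body are all constructed for the demonstration.

```python
"""Demo server applying both controls from this page, plus a probe.

Added example, not code from the original page and not the configuration of
Apache, IIS or Tomcat: http.server stands in for the web server so the
behaviour can be checked offline. Everything here (addresses, body) is
constructed for the demonstration.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class HardenedHandler(BaseHTTPRequestHandler):
    """Serves GET, refuses OPTIONS, and stamps X-Frame-Options on everything."""

    def end_headers(self):
        # Equivalent of `Header always set X-Frame-Options "SAMEORIGIN"` or the
        # IIS customHeaders entry: every response, including the 403s, gets it.
        self.send_header("X-Frame-Options", "SAMEORIGIN")
        super().end_headers()

    def do_GET(self):
        body = b"<html><body>demo page</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _forbid(self):
        # Same outcome as `RewriteRule .* - [F]` or an empty <auth-constraint/>:
        # the method is answered with 403 Forbidden and no body.
        self.send_response(403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_OPTIONS = _forbid  # add further blocked methods the same way

    def log_message(self, *args):  # keep the demo quiet
        pass


def probe(host, port, path="/"):
    """Send GET and OPTIONS; return {method: (status, X-Frame-Options value)}.

    This is the check to run against a real site after changing its config.
    """
    results = {}
    for method in ("GET", "OPTIONS"):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            resp.read()
            results[method] = (resp.status, resp.getheader("X-Frame-Options"))
        finally:
            conn.close()
    return results


def start_demo_server():
    """Bind the demo server to a free loopback port and serve in the background."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), HardenedHandler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Start the server, probe it, shut it down; return the probe results."""
    server = start_demo_server()
    try:
        host, port = server.server_address[:2]
        return probe(host, port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for method, (status, xfo) in demo().items():
        print(f"{method:8} -> {status}  X-Frame-Options: {xfo}")
```

Point probe() at a host and port you administer after applying one of the configurations above: a GET that comes back without the header, or an OPTIONS that comes back 200 or 501 instead of 403, means the change has not taken effect (on Apache, typically a missing module, a virtual host without RewriteEngine On, or an .htaccess that is not being read).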