X-Frame-Options is not working in meta tag?


I want to restrict my site content from being used in other domains through iframe control. The recommended meta tag, i.e. <meta http-equiv="X-Frame-Options" content="deny">, is not working. What can I do?

5

There are 5 answers

0
Simonluca Landi On

You can't set X-Frame-Options in a meta tag, only using the HTTP header.

Read more here:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

For example, if you are using Apache, you should add a line like this in the .htaccess file:

Header set X-Frame-Options DENY
0
alaa_sayegh On

Avoid doing it in a meta tag. Do it in IIS, or in the application:

// Global.asax.cs: runs for every request, before any response is written
protected void Application_BeginRequest(object sender, EventArgs e)
{
  HttpContext.Current.Response.AddHeader("x-frame-options", "DENY");
}

or

<httpProtocol>
  <customHeaders>
    <add name="X-Frame-Options" value="DENY" />
  </customHeaders>
</httpProtocol>

If you want to allow specific domains, then use the allow-from option and not deny.

This header may not work with old browsers, for example Mozilla 3.0, so you also need to implement a client-side validation, called frame-busting JS. Check this here: https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

0
Minhaz Ahmed On

Simply use this in the header, 100% working:

<?php header( 'X-Frame-Options: DENY' ); // must be called before any output is sent ?>
0
Appetere On

If you need to add a header to a response, consider registering a callback to do this when the headers are about to be sent.

In between BeginRequest and the response being sent, the code could completely replace or clear the headers collection (though probably not, if you have written all the code yourself).

In this example, I have some downstream code which sometimes adds an x-frame-options header, but misses some HTML pages. So the code ensures the header is set in the callback:

// Global.asax.cs: register a callback that runs just before headers go out
protected void Application_BeginRequest()
{
    HttpContext.Current.Response.AddOnSendingHeaders(httpContext =>
    {
        // Only HTML documents need framing protection; respect any value
        // a downstream component has already set.
        if (isHtmlResponse() && hasNoFrameOptionsHeader())
        {
            httpContext.Response.AddHeader("x-frame-options", "SAMEORIGIN");
        }

        // Local functions (C# 7+) may be declared after their first use.
        bool isHtmlResponse () {
            var contentTypeValue = httpContext.Response.Headers["content-type"];
            return contentTypeValue is null ? false : contentTypeValue.ToLower().Contains("text/html");
        }
        bool hasNoFrameOptionsHeader () => httpContext.Response.Headers["x-frame-options"] is null;
    });
}
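The same "set it when the headers are about to be sent, but only on HTML and only if nothing downstream set it already" logic, written as a WSGI middleware. This is an added example, not code from the answer above or from any framework; the sample application, the three sample paths and the tiny request harness are constructed for the illustration.

```python
"""WSGI middleware that guarantees an X-Frame-Options header on HTML responses.

It hooks start_response, the point at which a WSGI app hands back its headers,
so it sees the final header list the same way AddOnSendingHeaders does in
ASP.NET. Non-HTML responses and responses that already carry the header are
left untouched. Added example; not part of the original answers.
"""

from typing import Callable, Iterable, List, Optional, Tuple

Headers = List[Tuple[str, str]]


class FrameOptionsMiddleware:
    """Wrap a WSGI app and add X-Frame-Options to HTML pages that lack it."""

    def __init__(self, app: Callable, value: str = "SAMEORIGIN") -> None:
        # ALLOW-FROM is deliberately rejected: current browsers ignore it.
        if value.upper() not in ("DENY", "SAMEORIGIN"):
            raise ValueError("X-Frame-Options must be DENY or SAMEORIGIN")
        self.app = app
        self.value = value.upper()

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        def wrapped_start_response(status: str, headers: Headers, exc_info=None):
            # Header names are case-insensitive, so compare in lower case.
            lowered = {name.lower(): val for name, val in headers}
            is_html = lowered.get("content-type", "").lower().startswith("text/html")
            if is_html and "x-frame-options" not in lowered:
                headers = list(headers) + [("X-Frame-Options", self.value)]
            return start_response(status, headers, exc_info)

        return self.app(environ, wrapped_start_response)


# --- constructed sample application and harness, for this example only ---

def sample_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Three paths: an HTML page, a JSON endpoint, and an HTML page whose
    downstream code already set a stricter header that must be preserved."""
    path = environ.get("PATH_INFO", "/")
    if path == "/api":
        start_response("200 OK", [("Content-Type", "application/json")])
        return [b'{"ok": true}']
    if path == "/strict":
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                                  ("X-Frame-Options", "DENY")])
        return [b"<html><body>strict</body></html>"]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>hello</body></html>"]


def run_request(app: Callable, path: str) -> Tuple[str, Headers, bytes]:
    """Invoke a WSGI app for one GET and capture status, headers and body."""
    captured: dict = {}

    def start_response(status: str, headers: Headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body


def header_value(headers: Headers, name: str) -> Optional[str]:
    """Case-insensitive header lookup; None when the header is absent."""
    for key, val in headers:
        if key.lower() == name.lower():
            return val
    return None


if __name__ == "__main__":
    app = FrameOptionsMiddleware(sample_app)
    for path in ("/", "/api", "/strict"):
        status, headers, _ = run_request(app, path)
        print(path, status, header_value(headers, "X-Frame-Options"))
```

Wrapping the application rather than editing each handler keeps the guarantee in one place, which is the same reason the answer above registers a single callback instead of patching every page.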
0
user206 On

It will not work. Browser error: "X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>."

Note: Setting the meta tag is useless! For instance, <meta http-equiv="X-Frame-Options" content="deny"> has no effect. Do not use it! X-Frame-Options will only work when set through the HTTP header, like the examples below.

Source Link

Configuring Apache:

Header set X-Frame-Options "deny"
Header always set X-Frame-Options "sameorigin"

Configuring nginx:

add_header X-Frame-Options sameorigin always;

Configuring IIS:

<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="sameorigin" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>

X-Frame-Options is a mitigation technique for clickjacking attacks. It is an HTTP response header sent by the server to indicate under what circumstances page contents should be displayed in a frame context. A browser that understands the header will not display the contents of a page if the header directive is violated (for instance, if evil-example.com puts good-site.com in an iframe but good-site.com sends a header that says X-Frame-Options: DENY). Thus, no clickjacking can occur because no UI elements can be displayed to a victim. It provides no protection against CSRF. Read more: clickjacking, Security through HTTP response.
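A way to verify, from a captured response, that the protection the answers describe is actually in effect. This is an added example and not code from any answer: it applies the rules stated on this page (the header only counts when it is a real HTTP header, a <meta http-equiv> copy is ignored, and ALLOW-FROM is not a value current browsers honour) and additionally recognises a Content-Security-Policy frame-ancestors directive, the modern successor that takes precedence when present. The sample responses are constructed, not captured from any real site.

```python
"""Check a captured HTTP response for effective anti-framing protection.

Added example, not part of the original answers. Input is the response's
header list and body; output is whether framing is restricted and why.
"""

from html.parser import HTMLParser
from typing import Dict, List, Tuple

Findings = Dict[str, object]


class _MetaScanner(HTMLParser):
    """Collects http-equiv names from <meta> tags in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.http_equiv: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() != "meta":
            return
        attr_map = {k.lower(): (v or "") for k, v in attrs}
        if "http-equiv" in attr_map:
            self.http_equiv.append(attr_map["http-equiv"].lower())


def check_frame_protection(headers: List[Tuple[str, str]], body: str) -> Findings:
    """Evaluate how a response is protected against being framed."""
    lowered: Dict[str, List[str]] = {}
    for name, value in headers:
        lowered.setdefault(name.lower(), []).append(value.strip())

    findings: Findings = {"effective": False, "notes": []}
    notes: List[str] = findings["notes"]  # type: ignore[assignment]

    # 1. The header itself. Only DENY and SAMEORIGIN are honoured by browsers.
    values = [v.upper() for v in lowered.get("x-frame-options", [])]
    if not values:
        notes.append("no X-Frame-Options header")
    elif len(set(values)) > 1:
        notes.append("conflicting X-Frame-Options values: " + ", ".join(values))
    elif values[0] in ("DENY", "SAMEORIGIN"):
        findings["effective"] = True
        notes.append(f"X-Frame-Options {values[0]} is effective")
    elif values[0].startswith("ALLOW-FROM"):
        notes.append("ALLOW-FROM is obsolete and ignored by current browsers")
    else:
        notes.append(f"invalid X-Frame-Options value {values[0]!r}")

    # 2. The CSP successor. When frame-ancestors is present it governs framing.
    csp = "; ".join(lowered.get("content-security-policy", []))
    if "frame-ancestors" in csp.lower():
        findings["effective"] = True
        notes.append("CSP frame-ancestors present; it takes precedence over X-Frame-Options")

    # 3. The mistake from the question: a <meta http-equiv> copy does nothing.
    scanner = _MetaScanner()
    scanner.feed(body)
    if "x-frame-options" in scanner.http_equiv:
        notes.append('<meta http-equiv="X-Frame-Options"> found in body: browsers ignore it')

    return findings


# Constructed sample responses for the demonstration.
META_ONLY_BODY = ('<html><head><meta http-equiv="X-Frame-Options" content="deny">'
                  '</head><body>x</body></html>')
SAMPLE_RESPONSES = {
    "meta-only": ([("Content-Type", "text/html")], META_ONLY_BODY),
    "header-deny": ([("Content-Type", "text/html"), ("X-Frame-Options", "DENY")], "<html></html>"),
    "allow-from": ([("Content-Type", "text/html"),
                    ("X-Frame-Options", "ALLOW-FROM https://partner.example")], "<html></html>"),
    "csp": ([("Content-Type", "text/html"),
             ("Content-Security-Policy", "frame-ancestors 'self'")], "<html></html>"),
}

if __name__ == "__main__":
    for name, (hdrs, body) in SAMPLE_RESPONSES.items():
        result = check_frame_protection(hdrs, body)
        print(f"{name}: effective={result['effective']}; " + "; ".join(result["notes"]))
```

Run it against real traffic by feeding it the header list and body from your HTTP client of choice; the "meta-only" sample reproduces exactly the situation in the question, and the checker reports it as unprotected.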