
The X-Frame-Options response header


https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options


The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

Using X-Frame-Options

There are three possible values for X-Frame-Options:

DENY
    The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN
    The page can only be displayed in a frame on the same origin as the page itself.
ALLOW-FROM uri
    The page can only be displayed in a frame on the specified origin.

In other words, if you specify DENY, attempts to load the page in a frame will fail not only when the framing page is served from another site, but also when it is served from the same site. If you specify SAMEORIGIN instead, the page can still be framed as long as the site including it in a frame is the same one that serves the page.
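The decision logic described above, written out as a small checker that can be run against a site's own responses (an added example, not code from MDN or from this blog). It assumes, as browsers do, that a header whose comma-separated values conflict is ignored, which leaves the page frameable; such a response is reported as "invalid" so the misconfiguration is visible.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Reduce a URL to its scheme://host[:port] origin (default ports dropped)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def evaluate_xfo(header_value, page_url: str, embedder_url: str) -> str:
    """Decide whether `page_url` may be framed by a document at `embedder_url`.

    Returns one of:
      "allow"   - framing is permitted by the header
      "deny"    - framing is blocked by the header
      "missing" - no header at all, so the page is frameable by anyone
      "invalid" - unrecognised or conflicting header; browsers ignore it,
                  so the page is still frameable (a misconfiguration)
    """
    if header_value is None:
        return "missing"
    values = [v.strip() for v in header_value.split(",") if v.strip()]
    # Assumption: duplicates of one value are fine, differing values conflict.
    if len({v.upper() for v in values}) != 1:
        return "invalid"
    directive = values[0]
    keyword = directive.upper()
    if keyword == "DENY":
        return "deny"
    if keyword == "SAMEORIGIN":
        same = origin_of(page_url) == origin_of(embedder_url)
        return "allow" if same else "deny"
    if keyword.startswith("ALLOW-FROM"):
        fields = directive.split(None, 1)
        if len(fields) != 2:
            return "invalid"  # ALLOW-FROM with no URI
        return "allow" if origin_of(fields[1]) == origin_of(embedder_url) else "deny"
    return "invalid"  # e.g. ALLOWALL, which is not a defined value
```

Running it over the header values a server actually emits (for instance from the Apache or nginx snippets further down) shows at a glance which pages are still frameable.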

Configuring Apache

To configure Apache to send the X-Frame-Options header for all pages, add this to your site's configuration:

Header always append X-Frame-Options SAMEORIGIN

Configuring nginx

To configure nginx to send the X-Frame-Options header, add this either to your http, server or location configuration:

add_header X-Frame-Options SAMEORIGIN;

Results

When an attempt is made to load content into a frame, and permission is denied by the X-Frame-Options header, Firefox currently renders about:blank into the frame. At some point, an error message of some kind will be displayed in the frame instead.

Browser compatibility

Feature             Chrome          Firefox (Gecko)             Internet Explorer   Opera           Safari
Basic support       4.1.249.1042    3.6.9 (1.9.2.9)             8.0                 10.5            4.0
ALLOW-FROM support  Not supported   18.0 (18.0) bug 690168      8.0                 Not supported   WebKit bug 94836