Web Application Security

X-Frame-Options

What is it and why should I care?

X-Frame-Options (moving towards just Frame-Options in a draft spec – dropping the X-) is a new technology that allows an application to specify whether or not specific pages of the site can be framed. This is meant to help prevent the clickjacking problem.

The technology is implemented as an HTTP response header that is specified per-page. Browsers supporting the (X-)Frame-Options header will respect the declaration of the page, and then either allow or disallow the page to be framed, depending upon the specification.

What should I do about it?

Yet again, this is a very low-risk item that provides extra assurance. There are some limitations that may prevent the header from offering protection in every instance, but X-Frame-Options does NOT make you less safe. Instead, it gives you an additional layer of protection.

A page can specify 3 different options for how it wants to be framed (samples are in Java pseudo-code form):

Option 1: DENY

This option means the page can never be framed by any page, including a page with the same origin. A sample code snippet is below:

HttpServletResponse response …;

// Refuse to be framed by any page, even one from the same origin
response.addHeader("X-FRAME-OPTIONS", "DENY");

Option 2: SAMEORIGIN

This option means the page can be framed, but only by another page with the same origin. A sample code snippet is below:

HttpServletResponse response …;

// Allow framing only by pages from the same origin (scheme, host and port)
response.addHeader("X-FRAME-OPTIONS", "SAMEORIGIN");

Option 3: Allow-From

This option means the page can be framed, but only by the specified origin. A sample code snippet is below:

HttpServletResponse response …;

// Allow framing only by pages from the single origin named in the value
response.addHeader("X-FRAME-OPTIONS", "Allow-From https://some.othersite.com");
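To make the three options concrete, here is an added example (not code from the original post or from OWASP) that evaluates a page's X-Frame-Options value against the origin of the top-level document trying to frame it, the way the header was implemented in the browsers of the time. The URLs in it are made up for illustration.

```python
from urllib.parse import urlsplit

# Added example: decides whether framing is allowed under each of the three
# X-Frame-Options values. Returns True (allowed), False (denied) or None
# (value not recognised; browsers differ in how they treat malformed values).


def origin_of(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or {"http": 80, "https": 443}.get(scheme)
    return (scheme, host, port)


def framing_allowed(header_value, page_url, top_url):
    """May the document at page_url be framed by the document at top_url?

    header_value is the raw X-Frame-Options value sent with page_url.
    The comparison is made against the top-level document's origin only.
    """
    keyword, _, rest = header_value.strip().partition(" ")
    keyword, rest = keyword.upper(), rest.strip()
    if keyword == "DENY" and not rest:
        return False  # never framed, not even by the same origin
    if keyword == "SAMEORIGIN" and not rest:
        return origin_of(page_url) == origin_of(top_url)
    if keyword == "ALLOW-FROM" and rest:
        return origin_of(rest) == origin_of(top_url)
    return None  # unrecognised or malformed value


if __name__ == "__main__":
    # Constructed sample URLs, not real sites
    page = "https://app.example/settings"
    for value, top in [("DENY", "https://app.example/"),
                       ("SAMEORIGIN", "https://app.example:443/"),
                       ("SAMEORIGIN", "http://app.example/"),
                       ("Allow-From https://some.othersite.com",
                        "https://some.othersite.com/page")]:
        print(f"{value!r:45} framed by {top:32} -> "
              f"{framing_allowed(value, page, top)}")
```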

As an additional help, the good folks at OWASP have put together a simple example J2EE filter for X-Frame-Options.

(X-)Frame-Options is a good additional layer of protection to prevent clickjacking on your site. While it won’t stop everything, it costs very little, and will help protect your users.

References


https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header

https://www.owasp.org/index.php/Clickjacking#Defending_with_response_headers

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

http://blog.mozilla.com/security/2010/09/08/x-frame-options/

http://lcamtuf.blogspot.com/2011/12/x-frame-options-or-solving-wrong.html

http://www.jtmelton.com/2012/02/03/year-of-security-for-java-week-5-clickjacking-prevention/

http://tools.ietf.org/html/draft-gondrom-frame-options