I have a dynamic website which I have to make secure from clickjacking attacks. While searching I was getting these types of values in the database. I know a little about clickjacking, but I'm not getting exactly what it is, so please, anyone who knows, help me out.
There are three main ways to prevent clickjacking. The first is sending the proper Content Security Policy (CSP) frame-ancestors directive in the response headers, which instructs the browser not to allow framing from other domains. The older X-Frame-Options HTTP header is used for graceful degradation and older browser compatibility.
A better approach to prevent clickjacking attacks is to ask the browser to block any attempt to load your website within an iframe. You can do it by sending the X-Frame-Options HTTP header. Start from the original sample project by following the instructions given in the Set up the environment section.
The X-Frame-Options HTTP header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object> tag. It was designed specifically to help protect against clickjacking.
The CSP provides the client browser with information about permitted sources of web resources that the browser can apply to the detection and interception of malicious behaviors. The recommended clickjacking protection is to incorporate the frame-ancestors directive in the application's Content Security Policy.
X-Frame-Options

Add this code to your global.asax file:

```csharp
// Sent on every request, so every response carries the header
protected void Application_BeginRequest(object sender, EventArgs e)
{
    HttpContext.Current.Response.AddHeader("x-frame-options", "DENY");
}
```
OR

simply add this to <system.webServer> in your Web.Config file:

```xml
<!-- Clickjacking security -->
<httpProtocol>
  <customHeaders>
    <add name="X-Frame-Options" value="DENY" />
  </customHeaders>
</httpProtocol>
<!-- End clickjacking -->
```
This small snippet adds an HTTP header called X-Frame-Options to your HTTP responses and prevents your site from being loaded in an iframe in "modern" browsers.

There are three possible values for X-Frame-Options:
Try Best-for-now Legacy Browser Frame Breaking Script
One way to defend against clickjacking is to include a "frame-breaker" script in each page that should not be framed. The following methodology will prevent a webpage from being framed even in legacy browsers that do not support the X-Frame-Options header.
In the document HEAD element, add the following:
First apply an ID to the style element itself:
```html
<style id="antiClickjack">body{display:none !important;}</style>
```
And then delete that style by its ID immediately after in the script:
```html
<script type="text/javascript">
  if (self === top) {
    // Not framed: remove the hiding style so the page renders normally
    var antiClickjack = document.getElementById("antiClickjack");
    antiClickjack.parentNode.removeChild(antiClickjack);
  } else {
    // Framed: break out of the frame by navigating the top window to this page
    top.location = self.location;
  }
</script>
```
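An added example, not part of the answer above: a small audit that takes a response's headers and decides whether the page is protected against framing by the two header-based defences the answer describes, checking the CSP frame-ancestors directive first (modern browsers enforce it and ignore X-Frame-Options when it is present) and falling back to X-Frame-Options. The input shape `{ "Header-Name": "value" | ["value", ...] }` and the sample responses are constructed for this example.

```javascript
// Added example: audit response headers for clickjacking protection.
// Assumed input shape: { "Header-Name": "value" | ["value", ...] }.

function parseFrameAncestors(policy) {
  // A CSP value is a ';'-separated list of directives: "name source source ...".
  for (const directive of policy.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") {
      // Strip the quotes around keywords such as 'self' and 'none'.
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, "").toLowerCase());
    }
  }
  return null; // policy present but says nothing about framing
}

function assessFramingProtection(headers) {
  const norm = {};
  for (const [name, value] of Object.entries(headers)) {
    norm[name.toLowerCase()] = Array.isArray(value) ? value : [value];
  }
  // 1. Enforcing CSP. The Report-Only header only reports, so it is not consulted.
  for (const policy of norm["content-security-policy"] || []) {
    const sources = parseFrameAncestors(policy);
    if (sources === null) continue;
    // '*' or a bare scheme such as "https:" lets any site on that scheme frame the page.
    const open = sources.some((s) => s === "*" || /^[a-z][a-z0-9+.-]*:$/.test(s));
    return { protected: !open, via: "frame-ancestors", sources };
  }
  // 2. X-Frame-Options fallback for browsers without frame-ancestors support.
  const xfo = (norm["x-frame-options"] || []).map((v) => v.trim().toUpperCase());
  if (xfo.length === 0) return { protected: false, via: null, sources: [] };
  if (new Set(xfo).size > 1) {
    // Conflicting values are ambiguous; fail the audit rather than guess.
    return { protected: false, via: "x-frame-options", sources: xfo };
  }
  // ALLOW-FROM was never widely supported and is ignored by current browsers.
  const allowed = xfo[0] === "DENY" || xfo[0] === "SAMEORIGIN";
  return { protected: allowed, via: "x-frame-options", sources: xfo };
}

// Constructed sample responses: the Web.Config header from the answer, a CSP
// whose frame-ancestors overrides it with an open policy, and a report-only CSP.
const SAMPLES = {
  webconfig: { "X-Frame-Options": "DENY", "Content-Type": "text/html" },
  cspOverride: { "x-frame-options": "DENY", "content-security-policy": "default-src 'self'; frame-ancestors *" },
  reportOnly: { "Content-Security-Policy-Report-Only": "frame-ancestors 'none'" },
};
```

The cspOverride sample shows why both headers have to be reviewed together: a DENY that looks correct in Web.Config is ignored once a CSP with an open frame-ancestors list is sent alongside it.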