Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Securing my ASP.net MVC3 Website aganist "Click jacking"

Tags:

visual-studio-2010

asp.net-mvc-3

Recently I was flipping through some security issues faced by websites. Fortunately come across a new term "Click jacking"

I understood that this attack happens only if my website is loadable in an IFrame.

Further investigation helped to know that setting "x-frame-options" to "DENY" prevent the website been loaded in IFrame

But I Don't know how to implement this as I am very new to this domain?

like image 362
Robert_Junior Avatar asked Nov 18 '13 11:11

Robert_Junior

People also ask

What can be used to safeguard against clickjacking?

There are three main ways to prevent clickjacking: Sending the proper Content Security Policy (CSP) frame-ancestors directive response headers that instruct the browser to not allow framing from other domains. The older X-Frame-Options HTTP headers is used for graceful degradation and older browser compatibility.

What is clickjacking attack?

Clickjacking is an attack that fools users into thinking they are clicking on one thing when they are actually clicking on another. Its other name, user interface (UI) redressing, better describes what is going on.

What is the severity of clickjacking?

Clickjacking is not considered a serious issue because it is hard to manipulate. I believe this is the most common reason. Some web developers consider clickjacking lower risk since it is harder to get sensitive information from an end-user, as compared with other attacks like XSS and SQL injection.

Is clickjacking still possible?

Clickjacking attacks are possible whenever websites can be framed. Therefore, preventative techniques are based upon restricting the framing capability for websites. A common client-side protection enacted through the web browser is to use frame busting or frame breaking scripts.

2 Answers

In your Global.asax you can add the following

protected void Application_BeginRequest(object sender, EventArgs e)
{
    HttpContext.Current.Response.AddHeader("x-frame-options", "SAMEORIGIN");
}
like image 183
Cloud SME Avatar answered Sep 22 '22 13:09

Cloud SME

Just put following code under <system.webServer> section in web.config file

<httpProtocol>
  <customHeaders>
    <add name="X-Frame-Options" value="DENY"/>
  </customHeaders>
</httpProtocol>

NOTE : The X-Frame-Options header may contain one of three tokens.You either add any of these.Each one has its own significance.

  • DENY
  • SAMEORIGIN
  • ALLOW-FROM origin

For details visit MSDN blog : Combating ClickJacking With X-Frame-Options

like image 24
Malik Khalil Avatar answered Sep 19 '22 13:09

Malik Khalil
Sign in to Comment

Related questions

VISUAL STUDIO 2010: How to output all projects under a solution to the same directory
Make Resharper Code Inspection exclude folder
How to get the data from a USB port in VB.NET
Simple way to send debug information to the Visual Studio 'Output' window
Cannot select Main Method as Startup object in Visual Studio Express 2010?
Adding shortcut to setup project in visual studio 2010
To run this application, you first must install .Net 4.5
iframe parser error (HtmlIframe/HtmlGenericControl) but still using .NET 4.0 (not .NET 4.5)
How to generate C# documentation to a CHM or HTML file?
How to see .net library source code with ReSharper 5 and visual studio 2010?
Is the Optional Parameter in C# 4 Backwards Compatible?
Remove an old namespace from a g.cs File?
How to rebuild VS2010 IDE Intellisense?
debug a project with references in Visual studio
using Properties.Settings for application settings
How to make Unit Tests aware of Application.Resources
make_unique does not compile
How does `__declspec(align(#))` work?
DropDownList has a SelectedValue which is invalid because it does not exist in the list of items. Parameter name: value
Adding Image to System.Net.Mail Message

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!