X-Frame-Options not working IIS web.config

Our site is not currently safe from clickjacking, so I went into the web.config and added

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="X-Frame-Options" value="DENY" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>

This is very straightforward code. My issue is that it's just not working. The questions I have are:

  1. Is there a way for me to see if the X-Frame-Options is in the header response? I looked for it with httpfox and got nothing, so I can't verify if the web.config is actually putting things in the header.
  2. Why is this not working? What can I do to test or move forward?

I did try to add it in the Global.asax in the Application_Start method, but I can't seem to "hit" this method when I debug; it does not hit breakpoints.

    private void Application_Start(object sender, EventArgs e)
    {
        // Code that runs on application startup
        HttpContext.Current.Response.AddHeader("x-frame-options", "DENY");

        LogHelper.Info("Cost of Care Web Application Starting");
    }

I would like to add that I have tried to add it straight into the head tag and I've also tried to add it in a meta tag like so

    <meta http-equiv="X-Frame-Options" content="deny">

Moi Hawk asked Aug 14 '14 20:08
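The first question (is X-Frame-Options actually reaching the client?) is best settled by reading the raw response headers rather than the page source, since a meta tag is not a response header. The check below is an added example, not code from the question or the answers: it parses an HTTP response head and reports whether an effective anti-framing header is present. The sample responses are constructed, and `fetch_head` is a hypothetical helper for running the same check against a live URL.

```python
import http.client
from urllib.parse import urlparse

VALID_XFO = {"DENY", "SAMEORIGIN"}  # ALLOW-FROM is obsolete and ignored by current browsers

def parse_headers(raw_response: bytes) -> list[tuple[str, str]]:
    """Return (name, value) pairs from a raw HTTP response head, names lower-cased."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_frame_protection(raw_response: bytes) -> dict:
    """Report whether the response carries an effective anti-framing header."""
    headers = parse_headers(raw_response)
    xfo = [v.upper() for n, v in headers if n == "x-frame-options"]
    csp = [v.lower() for n, v in headers if n == "content-security-policy"]
    # Only a single X-Frame-Options value, and only DENY or SAMEORIGIN, is honoured by
    # every browser; conflicting duplicates or an obsolete value count as unprotected.
    xfo_ok = len(set(xfo)) == 1 and xfo[0] in VALID_XFO
    frame_ancestors = any("frame-ancestors" in v for v in csp)
    return {"x_frame_options": xfo, "xfo_effective": xfo_ok,
            "csp_frame_ancestors": frame_ancestors,
            "protected": xfo_ok or frame_ancestors}

def fetch_head(url: str) -> bytes:
    """HEAD a live URL and rebuild its raw response head for check_frame_protection (hypothetical helper)."""
    u = urlparse(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=10)
    conn.request("HEAD", u.path or "/")
    resp = conn.getresponse()
    lines = [f"HTTP/1.1 {resp.status} {resp.reason}"] + [f"{k}: {v}" for k, v in resp.getheaders()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")

# Constructed sample responses (not captured from any real server): the first is what the
# web.config in the question should produce, the second is the symptom being debugged.
WITH_HEADER = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
               b"X-Frame-Options: deny\r\nServer: Microsoft-IIS/8.0\r\n\r\n<html></html>")
WITHOUT_HEADER = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: Microsoft-IIS/8.0\r\n\r\n"

if __name__ == "__main__":
    for sample in (WITH_HEADER, WITHOUT_HEADER):
        print(check_frame_protection(sample))
```

Run it against the live site with `check_frame_protection(fetch_head("https://your-site/"))` and look at the `protected` key; if it is false, the header is not leaving IIS regardless of what web.config says.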


2 Answers

The X-Frame-Options header can be used to control whether a page can be placed in an IFRAME. Because the Framesniffing technique relies on being able to place the victim site in an IFRAME, a web application can protect itself by sending an appropriate X-Frame-Options header.

To configure IIS to add an X-Frame-Options header to all responses for a given site, follow these steps:

  1. Open Internet Information Services (IIS) Manager.
  2. In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
  3. Double-click the HTTP Response Headers icon in the feature list in the middle.
  4. In the Actions pane on the right side, click Add.
  5. In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN or DENY in the Value field.
  6. Click OK to save your changes.

Voltur answered Sep 19 '22 02:09


Since my comments answered the question here's the end result:

For some reason setting the X-Frame-Options in web.config doesn't seem to actually work even though the documentation makes it sound like it should.

An easy work around is to set the headers manually using:

    Response.AddHeader("X-Frame-Options", "DENY");

If you need this set for every request with no exceptions you can add the Application_BeginRequest to Global.asax:

    // Runs at the start of every request, so every response carries the header
    protected void Application_BeginRequest()
    {
        Response.AddHeader("X-Frame-Options", "DENY");
    }

siva.k answered Sep 20 '22 02:09