
I'm developing an ASP.NET MVC website and want to implement some security features. One of them is to prevent the website from being injected in an iframe. I have read that it is possible to do that with X-Frame-Options, which is a server-side validation, but I have also read that it is required to implement client-side validation with JS as well. Could anyone help me with that? Many thanks!!

  • First of all, in all security checks avoid client side. You could do client side, but in that case you should also implement server side, because by definition client side is end-user controlled and can be bypassed. Client side is a simple JavaScript: https://stackoverflow.com/questions/7027799/access-elements-of-parent-window-from-iframe – Cleptus Sep 13 '17 at 06:21
  • Yes, as I mentioned above, I already considered server side, but need also client side. Anyway, I guess the answer below helps –  Sep 13 '17 at 06:26
  • Looks promising, for the client sided part check the link in my previous comment – Cleptus Sep 13 '17 at 13:17

1 Answer

The client-side validation can be done using the busting JS. To implement the server-side validation, you need (as you already mentioned) to set X-Frame-Options in IIS or in the application (Global.asax file):

IIS:

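<!-- web.config: httpProtocol belongs inside system.webServer -->
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="DENY" />
    </customHeaders>
  </httpProtocol>
</system.webServer>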

Global.asax:

protected void Application_BeginRequest(object sender, EventArgs e)
{
  HttpContext.Current.Response.AddHeader("x-frame-options", "DENY");
}

For more info about busting js, see this link: https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

I have the same problem with old browsers, for example, Mozilla 3.0

Hope this helps!

alaa_sayegh
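For the client-side part the question asks about, here is a frame-busting sketch in the hide-until-verified style. It is an added example, not code from the answer or from the linked pages. The `antiClickjack` id, the function name and the return strings are assumptions, and the page is assumed to ship `<style id="antiClickjack">body{display:none !important;}</style>` in its head.

```javascript
// Added example (not from the answer). Assumes the page's <head> contains:
//   <style id="antiClickjack">body{display:none !important;}</style>
// so the body stays hidden unless this script verifies the page is top-level.
const GUARD_ID = "antiClickjack"; // assumed id of the hiding <style> element

// win/doc are passed in so the logic can be exercised with stand-in objects.
function applyFrameGuard(win, doc) {
  let framed = true; // fail closed: treat the page as framed until proven otherwise
  try {
    framed = win.self !== win.top;
  } catch (e) {
    framed = true;
  }

  if (!framed) {
    // Top-level document: remove the hiding style so the page renders.
    const guard = doc.getElementById(GUARD_ID);
    if (guard && guard.parentNode) guard.parentNode.removeChild(guard);
    return "revealed";
  }

  try {
    // Framed: replace the outer page with this one.
    win.top.location = win.self.location;
    return "navigated";
  } catch (e) {
    // Top navigation refused (for example by a sandboxed iframe): the hiding
    // style is still in place, so nothing on the page is visible to click.
    return "blocked";
  }
}

// Run only in a browser; outside one (tests) the function is called directly.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  applyFrameGuard(window, document);
}
```

This only backs up the X-Frame-Options header for browsers that ignore it; the header set on the server remains the control that the end user cannot switch off.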