
How can we prevent a clickjacking attack using iframes etc. in a .NET Core MVC application?

schroeder
Rithu Bimasha
  • Possible duplicate of [How to avoid clickjacking in HTML and Javascript](https://security.stackexchange.com/questions/157221/how-to-avoid-clickjacking-in-html-and-javascript) – Xander Jul 17 '17 at 14:21
  • Not sure why this has been flagged as too broad. A long answer required, yes, because there is no research at all shown in the question, but definitely answerable. – SilverlightFox Jul 17 '17 at 21:38

2 Answers

3

If your application is hosted with IIS, you can activate the X-Frame-Options header in web.config.

<!-- web.config: IIS adds the header to every response it serves for this site -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="DENY" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

Other ways of using X-Frame-Options are described here.

A more modern approach would be using the Content Security Policy.

Content-Security-Policy: frame-ancestors 'none';

For older browsers which don't understand these headers, you could also use a framekiller script, but this is outdated and not always completely secure.

floworbit
  • `frame-src` is incorrect, that only restricts which sources are available to an IFrame or Frameset. [`frame-ancestors`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors) is the one to use. – SilverlightFox Jul 17 '17 at 08:46
  • You are right. I fixed it. – floworbit Jul 17 '17 at 09:02
2

One way is adding the HTTP headers to your response, as described in the other answer. This is common to any web application, and the following are the options you can use.

  • DENY
  • SAMEORIGIN: Allow only your domain
  • ALLOW-FROM: You can specify any domain to allow

Since you have asked about .NET Core specifically, the following is the way you can implement security in your middleware.

// UseXfo comes from the NWebsec.AspNetCore.Middleware package; this emits X-Frame-Options: DENY
app.UseXfo(o => o.Deny());

You can use any option in your middleware this way in your code.

user3496510
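As an added example that is not part of either answer: an ASP.NET Core middleware, written for this page, that emits both the legacy X-Frame-Options header (the value the first answer sets in web.config) and the Content-Security-Policy frame-ancestors directive (the first answer's modern approach) from one policy object, and covers the DENY / SAMEORIGIN / allow-list cases the second answer lists without depending on NWebsec. The names FramingPolicy, FramingMode, UseAntiClickjacking and the origin https://partner.example are this example's own assumptions, not ASP.NET Core or NWebsec APIs.

```csharp
// Added example for this page (not code from the original answers): one policy,
// two headers. FramingPolicy, FramingMode and UseAntiClickjacking are names
// chosen here, not part of ASP.NET Core or NWebsec.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public enum FramingMode { Deny, SameOrigin, AllowFrom }

public sealed class FramingPolicy
{
    public FramingMode Mode { get; set; } = FramingMode.Deny;

    // Used only with AllowFrom: bare https origins, e.g. "https://partner.example".
    public IReadOnlyList<string> AllowedOrigins { get; set; } = Array.Empty<string>();

    // Returns the header values for this policy. X-Frame-Options has no usable
    // allow-list form (ALLOW-FROM is not honoured by current browsers), so for
    // AllowFrom it is set to DENY: browsers that support CSP let frame-ancestors
    // take precedence over X-Frame-Options, and browsers that do not fail closed.
    public (string XFrameOptions, string ContentSecurityPolicy) ToHeaders()
    {
        switch (Mode)
        {
            case FramingMode.Deny:
                return ("DENY", "frame-ancestors 'none'");
            case FramingMode.SameOrigin:
                return ("SAMEORIGIN", "frame-ancestors 'self'");
            case FramingMode.AllowFrom:
                var origins = AllowedOrigins.Select(NormalizeOrigin).Distinct().ToList();
                if (origins.Count == 0)
                    throw new InvalidOperationException("AllowFrom needs at least one origin.");
                return ("DENY", "frame-ancestors 'self' " + string.Join(" ", origins));
            default:
                throw new ArgumentOutOfRangeException(nameof(Mode));
        }
    }

    // Only a bare https origin is accepted. A path, query, fragment, userinfo or
    // whitespace would change what the directive means or split the header, so a
    // value read from configuration or a database is checked here, not trusted.
    private static string NormalizeOrigin(string origin)
    {
        if (!Uri.TryCreate(origin, UriKind.Absolute, out var uri)
            || uri.Scheme != Uri.UriSchemeHttps
            || uri.PathAndQuery != "/"
            || uri.Fragment.Length != 0
            || uri.UserInfo.Length != 0)
            throw new ArgumentException($"Not a bare https origin: '{origin}'");
        return uri.GetLeftPart(UriPartial.Authority); // https://host[:port]
    }
}

public static class AntiClickjackingExtensions
{
    public static IApplicationBuilder UseAntiClickjacking(this IApplicationBuilder app, FramingPolicy policy)
    {
        var (xfo, csp) = policy.ToHeaders(); // validated once, at startup

        return app.Use(async (context, next) =>
        {
            // OnStarting runs just before the response headers are flushed, so the
            // values below are applied to every response type (views, static files,
            // error pages) regardless of what ran downstream.
            context.Response.OnStarting(() =>
            {
                var headers = context.Response.Headers;
                headers["X-Frame-Options"] = xfo;

                // A page-level CSP set by a controller must not silently drop the
                // framing protection: if it lacks frame-ancestors, send ours as a
                // second CSP header (browsers enforce every CSP header they receive).
                if (!headers.TryGetValue("Content-Security-Policy", out var existing)
                    || !existing.ToString().Contains("frame-ancestors", StringComparison.OrdinalIgnoreCase))
                {
                    headers.Append("Content-Security-Policy", csp);
                }
                return Task.CompletedTask;
            });

            await next();
        });
    }
}

// Wiring in Program.cs (minimal hosting model). Register it before UseStaticFiles
// and the endpoint mapping so static HTML gets the headers too:
//
//   var app = builder.Build();
//   app.UseAntiClickjacking(new FramingPolicy { Mode = FramingMode.Deny });
//   // or: new FramingPolicy { Mode = FramingMode.AllowFrom,
//   //                         AllowedOrigins = new[] { "https://partner.example" } }
//   app.UseStaticFiles();
//   app.MapControllers();
//   app.Run();
```

After wiring it up, confirm the headers on a real response rather than trusting the configuration, for example with `curl -sI https://localhost:5001/ | grep -i -e x-frame-options -e content-security-policy`, and check a static file and an error page as well as a normal view, since those are the responses most often missed by per-controller filters. The frame-ancestors directive is the one current browsers honour; X-Frame-Options is kept only for browsers without CSP support, which is why the allow-list mode sets it to DENY rather than to ALLOW-FROM.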