[Owasp-leaders] Clickjacking Defense

Jim Manico jim.manico at owasp.org
Mon Sep 3 16:58:24 UTC 2012


I want to write a Cheat-sheet on Clickjacking defense.

I was thinking of just discussing the different framing blocking headers....

// to prevent all framing of this content
response.addHeader( "X-FRAME-OPTIONS", "DENY" );

// to allow framing of this content only by this site
response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );

// to allow framing from a specific domain
response.addHeader( "X-FRAME-OPTIONS", "ALLOW-FROM X" );

...and call it a day. I do not want to recommend manual framebreaking 
JavaScript; it's completely ineffective and is easily evaded.

What do you think, any thoughts on this topic?

Cheers folks,

Jim Manico
OWASP Volunteer
(808) 652-3805
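As an added example (not part of Jim's post), here is a small Python helper that builds the three header values above and evaluates, the way a browser does, whether a given page may be framed by a given document. All URLs in the tests are constructed sample values.

```python
from urllib.parse import urlsplit

# Added example, not from the original post: build and evaluate the
# X-Frame-Options header values discussed above.

VALID_POLICIES = ("DENY", "SAMEORIGIN", "ALLOW-FROM")

def frame_options_header(policy, allowed_origin=None):
    """Return the (name, value) pair to add to a response.

    Rejects typos so a misspelled value (which browsers silently ignore,
    leaving the page frameable) cannot reach production.
    """
    policy = policy.upper()
    if policy not in VALID_POLICIES:
        raise ValueError("unknown X-Frame-Options policy: %r" % policy)
    if policy == "ALLOW-FROM":
        if not allowed_origin:
            raise ValueError("ALLOW-FROM requires exactly one origin")
        return ("X-Frame-Options", "ALLOW-FROM " + allowed_origin)
    return ("X-Frame-Options", policy)

def _origin(url):
    """(scheme, host, port) of a URL; framing decisions compare origins."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme.lower() == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)

def framing_allowed(xfo_value, page_url, framer_url):
    """Decide, as a browser would, whether the document at framer_url may
    frame page_url given the page's X-Frame-Options value.

    A missing or unrecognised value is reported as frameable, because
    browsers ignore values they do not understand rather than failing closed.
    """
    if xfo_value is None:
        return True, "header missing: page can be framed from anywhere"
    tokens = xfo_value.split()
    directive = tokens[0].upper() if tokens else ""
    if directive == "DENY" and len(tokens) == 1:
        return False, "DENY: no framing permitted"
    if directive == "SAMEORIGIN" and len(tokens) == 1:
        same = _origin(page_url) == _origin(framer_url)
        return same, "SAMEORIGIN: framer origin %s" % ("matches" if same else "differs")
    if directive == "ALLOW-FROM" and len(tokens) == 2:
        ok = _origin(tokens[1]) == _origin(framer_url)
        return ok, "ALLOW-FROM: framer origin %s" % ("listed" if ok else "not listed")
    return True, "unrecognised value %r: browsers ignore it" % xfo_value
```

Note that ALLOW-FROM was only ever honoured by some browsers; the standardised replacement is the CSP frame-ancestors directive, so a check like the one above should treat ALLOW-FROM as partial coverage at best.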
