[Owasp-leaders] Clickjacking Defense

Tobias tobias.gondrom at owasp.org
Mon Sep 3 17:23:27 UTC 2012


Hi Jim,
fully agree. Sounds like the right approach.
Cheers, Tobias


On 04/09/12 00:58, Jim Manico wrote:
> I want to write a Cheat-sheet on Clickjacking defense.
>
> I was thinking of just discussing the different frame-blocking 
> headers....
>
> // to prevent all framing of this content ?
> response.addHeader( "X-FRAME-OPTIONS", "DENY" );
>
> // to allow framing of this content only by this site
> response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );
>
> // to allow framing from a specific domain
> response.addHeader( "X-FRAME-OPTIONS", "ALLOW-FROM X" );
>
> ...and call it a day. I do not want to recommend manual framebreaking 
> JavaScript, it's completely ineffective and is easily evaded.
>
> What do you think, any thoughts on this topic?
>
> Cheers folks,
>
> Jim Manico
> OWASP Volunteer
> (808) 652-3805
>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
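The three header values quoted above decide, in the browser, whether the response is rendered inside someone else's frame. The following is an added example, written for this archive page and not code from the thread or from OWASP: a helper that builds the header for each policy (`frameOptionsHeader`, my name), and a second helper (`frameDecision`, also mine) that predicts the browser's verdict for a constructed set of origins (app.example, attacker.example, partner.example are made up). The verdict logic follows my reading of the X-Frame-Options check in the WHATWG HTML Standard, which recognises only DENY, SAMEORIGIN and the legacy ALLOWALL; whether a particular browser matches it exactly is an assumption.

```javascript
"use strict";

// Build the X-Frame-Options response header for the three policies from the
// post. The helper name and its input validation are mine, not OWASP's.
function frameOptionsHeader(policy, allowFrom) {
  switch (policy) {
    case "DENY":
    case "SAMEORIGIN":
      return { name: "X-Frame-Options", value: policy };
    case "ALLOW-FROM": {
      // ALLOW-FROM takes one serialized origin, never a path or a list;
      // URL() throws on relative or malformed input.
      const origin = new URL(allowFrom).origin;
      if (origin === "null") throw new Error("ALLOW-FROM needs an http(s) origin");
      return { name: "X-Frame-Options", value: `ALLOW-FROM ${origin}` };
    }
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Split received header lines the way a browser's "get, decode, and split"
// does: comma-separated list, whitespace trimmed, empty items dropped.
function splitHeaderValues(lines) {
  return lines
    .flatMap((line) => line.split(","))
    .map((v) => v.trim())
    .filter((v) => v.length > 0);
}

// Predict whether a browser renders pageOrigin's response inside frames whose
// documents have ancestorOrigins. Assumption: this mirrors the HTML Standard's
// check; anything other than DENY/SAMEORIGIN/ALLOWALL (ALLOW-FROM included)
// is treated as an unrecognised token.
function frameDecision(xfoLines, pageOrigin, ancestorOrigins) {
  const tokens = new Set(
    splitHeaderValues(xfoLines).map((v) => {
      const t = v.toLowerCase();
      return ["deny", "sameorigin", "allowall"].includes(t) ? t : "invalid";
    })
  );
  if (tokens.size === 0) return "allowed"; // no usable header at all
  if (tokens.size > 1 && (tokens.has("deny") || tokens.has("allowall") || tokens.has("invalid"))) {
    return "blocked"; // conflicting or partly invalid values fail closed
  }
  const first = tokens.values().next().value;
  if (first === "deny") return "blocked";
  if (first === "sameorigin") {
    // Every ancestor, not just the direct parent, must share the page's origin.
    return ancestorOrigins.every((o) => o === pageOrigin) ? "allowed" : "blocked";
  }
  return "allowed"; // allowall, or a lone unrecognised token such as ALLOW-FROM
}

// Constructed scenarios: app.example sets the header, attacker.example hosts
// the clickjacking page, partner.example is the intended embedder.
const PAGE = "https://app.example";
const ATTACKER = "https://attacker.example";
const PARTNER = "https://partner.example";

function demo() {
  const cases = [
    ["DENY, framed by attacker", [frameOptionsHeader("DENY").value], [ATTACKER]],
    ["SAMEORIGIN, framed by self", [frameOptionsHeader("SAMEORIGIN").value], [PAGE]],
    ["SAMEORIGIN, framed by attacker", [frameOptionsHeader("SAMEORIGIN").value], [ATTACKER]],
    ["SAMEORIGIN, self nested inside attacker", ["SAMEORIGIN"], [PAGE, ATTACKER]],
    ["ALLOW-FROM partner, framed by attacker", [frameOptionsHeader("ALLOW-FROM", PARTNER).value], [ATTACKER]],
    ["conflicting SAMEORIGIN + DENY", ["SAMEORIGIN", "DENY"], [PAGE]],
    ["no header", [], [ATTACKER]],
  ];
  return cases.map(([label, lines, ancestors]) => `${label}: ${frameDecision(lines, PAGE, ancestors)}`);
}

for (const line of demo()) console.log(line);
```

Two results in the demo are the ones worth checking on a real deployment. Duplicate or conflicting X-Frame-Options values (for example SAMEORIGIN from the application and DENY from a reverse proxy) do not merge; the standard treats the set as invalid and blocks framing, so a mismatch between layers fails closed rather than open. ALLOW-FROM was only ever honoured by some browsers of the time (Firefox and Internet Explorer); a browser that follows the current standard sees it as an unrecognised token and, with no other value present, renders the page in any frame, which is the opposite of what the header was meant to do. The standardised way to allow a specific embedder today is the Content-Security-Policy frame-ancestors directive.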

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20120904/9da8656c/attachment.html>
