[Owasp-leaders] Clickjacking Defense

Eoin eoin.keary at owasp.org
Mon Sep 3 19:18:50 UTC 2012


The jscript stuff still makes it a little harder. There are also some sorta effective solutions. Should you not include them?

Eoin Keary
Owasp Global Board
+353 87 977 2988


On 3 Sep 2012, at 17:58, Jim Manico <jim.manico at owasp.org> wrote:

> I want to write a Cheat-sheet on Clickjacking defense.
> 
> I was thinking of just discussing the different framing blocking headers....
> 
> // to prevent all framing of this content 
> 
> response.addHeader( "X-FRAME-OPTIONS", "DENY" ); 
> 
> // to allow framing of this content only by this site 
> response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );
> 
> // to allow framing from a specific domain
> response.addHeader( "X-FRAME-OPTIONS", "ALLOW-FROM X" ); 
> 
> ...and call it a day. I do not want to recommend manual framebreaking JavaScript, it's completely ineffective and is easily evaded.
> 
> What do you think, any thoughts on this topic?
> 
> Cheers folks,
> 
> Jim Manico
> OWASP Volunteer
> (808) 652-3805
> 
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
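As an added illustration of the three header values Jim lists (this is example code written for this page, not code from the thread or from OWASP), the block below does two things: a small WSGI middleware that stamps `X-Frame-Options` on every response, and a helper that evaluates what a browser honouring the header would do when a page from one origin is embedded by a top-level document from another. The function names, the sample app and the origins `app.example`, `partner.example` and `evil.example` are constructed for the example; the header name and the values `DENY`, `SAMEORIGIN` and `ALLOW-FROM` are the real ones from the thread.

```python
"""Added example: X-Frame-Options as a WSGI middleware plus a policy checker.
Function names, sample app and origins are constructed for this illustration."""
from urllib.parse import urlsplit


def _origin(url):
    """Normalise a URL or origin string to 'scheme://host[:port]' (lowercased)."""
    p = urlsplit(url.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}"


def frame_policy(header_value, page_origin, embedder_origin):
    """Return 'allow' or 'deny' for an X-Frame-Options value when a page served
    from page_origin is framed by a top-level document from embedder_origin.

    Simplification: only the top-level origin is compared; nested ancestor
    frames are not modelled here."""
    value = header_value.strip()
    upper = value.upper()
    if upper == "DENY":
        return "deny"
    if upper == "SAMEORIGIN":
        return "allow" if _origin(page_origin) == _origin(embedder_origin) else "deny"
    if upper.startswith("ALLOW-FROM"):
        # ALLOW-FROM was only ever honoured by some browsers (IE, Firefox);
        # browsers that do not understand it ignore the header entirely.
        allowed = value[len("ALLOW-FROM"):].strip()
        return "allow" if _origin(allowed) == _origin(embedder_origin) else "deny"
    # Unknown or malformed values are ignored by browsers, i.e. no protection.
    return "allow"


def add_frame_options(app, value="DENY"):
    """Wrap a WSGI app so every response carries X-Frame-Options: <value>,
    replacing any value the inner app may have set."""
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", value))
            return start_response(status, headers, exc_info)
        return app(environ, sr)
    return wrapped


def sample_app(environ, start_response):
    """Constructed inner app standing in for a page with state-changing UI."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body><button>Delete account</button></body></html>"]


def response_headers(app, path="/"):
    """Drive a WSGI app offline and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body


def header_value(headers, name):
    """Case-insensitive lookup of a header value from a WSGI header list."""
    for k, v in headers:
        if k.lower() == name.lower():
            return v
    return None


if __name__ == "__main__":
    status, headers, _ = response_headers(add_frame_options(sample_app, "SAMEORIGIN"))
    xfo = header_value(headers, "X-Frame-Options")
    print(status, "X-Frame-Options:", xfo)
    for embedder in ("https://app.example", "https://evil.example"):
        print(embedder, "->", frame_policy(xfo, "https://app.example", embedder))
```

The checker makes the practical caveat visible: a value the browser does not recognise (a typo, or `ALLOW-FROM` in a browser that never implemented it) yields "allow", so a deployment check should flag anything other than `DENY` or `SAMEORIGIN` as a finding rather than assume it protects.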
