emAmazed / redlamp

Bloggie Bloggie
MIT License

How to detect and prevent site clickJacking #26

Open emAmazed opened 8 years ago

emAmazed commented 8 years ago

To detect whether the site is vulnerable to clickJacking, create a file with an iframe site component:

<html>
  <body>
    <iframe src="https://your-test-site"></iframe>
  </body>
</html>

There are several ways to prevent the site from being vulnerable to clickJacking:

Remove iframe

<style id="antiClickjack">body{display:none !important;}</style>
<script type="text/javascript">
    if (self === top) {
      var antiClickjack = document.getElementById("antiClickjack");
      antiClickjack.parentNode.removeChild(antiClickjack);
    } else {
      top.location = self.location;
    }
</script>

Using X-Frame-Options

- Config Apache
  Header always append X-Frame-Options SAMEORIGIN
- Config nginx
  add_header X-Frame-Options SAMEORIGIN;

- Define in the application header
  * The document will be rendered (shown) in a frame only if the frame and its
    parent have the same origin.
<meta http-equiv="X-Frame-Options" content="sameorigin"/>
or @header('X-Frame-Options: sameorigin');

  * The document may not be rendered inside of a frame.
<meta http-equiv="X-Frame-Options" content="deny"/>

  * Set to "Allow-From uri": the page can only be displayed in a frame on the
    specified origin.