
Preventing iFrame injection in a .net MVC web app

The Problem Statement

There is an issue that a malicious attacker can inject iframes into the app, where the iframe's source points to an external application outside the parent app's domain.

Sample

Let's consider the app to be hosted at https://app.com/. The attacker could inject an iframe whose source points to https://malicious.com/.

In this case, we have to prevent any iframe injected into our app from pointing to a domain different from ours. To fix this issue, add the following header to the response for each request:

Solution

X-Frame-Options: SAMEORIGIN

Web.config Solution

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Global.asax solution

// @Html.AntiForgeryToken() emits its own X-Frame-Options: SAMEORIGIN header (AntiForgeryConfig lives in System.Web.Helpers);
// suppress it here so the header configured in Web.config is not sent twice.
protected void Application_Start() { AntiForgeryConfig.SuppressXFrameOptionsHeader = true; }
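Two things are worth verifying once the header is in place. First, what X-Frame-Options actually governs is whether the browser will render this response inside a frame on another origin (DENY or SAMEORIGIN are the only values current browsers honor; ALLOW-FROM is obsolete). Second, ASP.NET MVC's @Html.AntiForgeryToken() adds X-Frame-Options: SAMEORIGIN on its own, so combining it with the Web.config entry produces a duplicated header unless SuppressXFrameOptionsHeader is set, and a duplicated or conflicting header is a misconfiguration worth catching. The checker below is an added example, not code from the original post: it parses a captured raw HTTP response head, reports a missing, duplicated, obsolete or invalid X-Frame-Options header, and notes whether the Content-Security-Policy frame-ancestors directive (the header's modern replacement) is present. The three sample responses are constructed for illustration.

```python
"""Check a captured HTTP response for a usable anti-framing header.

Added example, not part of the original post. The sample responses below
are constructed; point check_framing_headers() at a real captured response
head (for example from a browser's network panel) to audit a deployment.
"""
from __future__ import annotations

import re
from typing import Dict, List

# Values current browsers honor; ALLOW-FROM is obsolete and ignored.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse the head of a raw HTTP response into name -> [values].

    Header names are case-insensitive, so they are lower-cased. Repeated
    headers are kept as separate list entries so duplicates can be detected.
    """
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.splitlines()[1:]:  # line 0 is the status line
        if not line.strip() or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_framing_headers(raw: str) -> Dict[str, object]:
    """Evaluate X-Frame-Options and CSP frame-ancestors on one response.

    Returns the raw X-Frame-Options values seen, whether frame-ancestors is
    present, a list of finding codes, and an overall ok flag: ok is True when
    there is exactly one valid X-Frame-Options header or a frame-ancestors
    directive (browsers that support CSP prefer frame-ancestors).
    """
    headers = parse_headers(raw)
    xfo = headers.get("x-frame-options", [])
    findings: List[str] = []
    xfo_ok = False

    if not xfo:
        findings.append("missing")
    elif len(xfo) > 1:
        # Typical cause in MVC: Web.config header plus the one emitted by
        # @Html.AntiForgeryToken() when SuppressXFrameOptionsHeader is false.
        findings.append("duplicate")
    else:
        value = xfo[0].upper()
        if value.startswith("ALLOW-FROM"):
            findings.append("obsolete-allow-from")
        elif value not in VALID_XFO:
            findings.append("invalid")
        else:
            xfo_ok = True

    csp = " ".join(headers.get("content-security-policy", [])).lower()
    has_frame_ancestors = "frame-ancestors" in csp
    if not has_frame_ancestors:
        findings.append("no-frame-ancestors")

    return {
        "x_frame_options": xfo,
        "frame_ancestors": has_frame_ancestors,
        "findings": findings,
        "ok": xfo_ok or has_frame_ancestors,
    }


# Constructed sample responses (not captured from any real host).
SAMPLE_GOOD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)
SAMPLE_DUPLICATE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)
SAMPLE_CSP_ONLY = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("duplicate", SAMPLE_DUPLICATE), ("csp-only", SAMPLE_CSP_ONLY)):
        print(label, check_framing_headers(sample))
```

Run the module directly to see all three verdicts; on a live deployment the useful signal is the "duplicate" finding, which points straight at the AntiForgeryToken interaction described above, and "no-frame-ancestors", which shows where a CSP directive would add the same protection for browsers that prefer it.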
