The Problem Statement

There is an issue where a malicious attacker can inject iframes into the app, with the iframe's source pointing to an external application outside the parent app's domain.

Sample

Let's consider the app to be hosted at https://app.com/. The attacker could inject an iframe whose source is https://malicious.com/.

In this case, we have to prevent any iframes injected in our app that point to a domain different from ours.

To fix this issue, add the following header to the response for each request.

Solution

X-Frame-Options: SAMEORIGIN

The browser enforces this header on the response of the document being framed: with SAMEORIGIN, a page served by https://app.com/ is rendered inside a frame only when the top-level page is also on https://app.com/, which is what stops https://malicious.com/ from framing it (clickjacking). The header does not restrict which sources https://app.com/ may itself embed in frames; the Content-Security-Policy frame-src directive controls that.

Web.config Solution

Adding the header under customHeaders makes IIS send it on every response of the site, including static files.

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="X-Frame-Options" value="SAMEORIGIN" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>

Global.asax solution

    using System.Web.Helpers;

    protected void Application_Start()
    {
        // false (the default) lets Html.AntiForgeryToken() emit X-Frame-Options: SAMEORIGIN;
        // setting it to true would suppress that header instead.
        // It is only added on responses that render the anti-forgery token, so the
        // Web.config entry above is still needed to cover every other response.
        AntiForgeryConfig.SuppressXFrameOptionsHeader = false;
    }
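To make the direction of the protection concrete, here is an added check (not code from the original post) that applies the browser's framing rules to the response headers of a framed document and a candidate parent page; the origins and headers are constructed for illustration, and the CSP frame-ancestors handling goes beyond the single header the post discusses.

```python
from urllib.parse import urlsplit

def origin_of(url: str) -> str:
    """scheme://host[:port] of a URL, lower-cased (helper for this example)."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"

def framing_allowed(framed_headers: dict, framed_url: str, parent_url: str) -> bool:
    """Return True if a browser would render framed_url inside a page at parent_url,
    judged from the response headers of the *framed* document.

    A Content-Security-Policy frame-ancestors directive, when present, takes
    precedence over X-Frame-Options, matching browser behaviour.
    Host-sources are matched exactly; wildcard hosts (*.example) are not handled."""
    headers = {name.lower(): value for name, value in framed_headers.items()}
    framed, parent = origin_of(framed_url), origin_of(parent_url)

    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        for src in value.split():
            if src == "*" or (src == "'self'" and parent == framed):
                return True
            if "://" in src and origin_of(src) == parent:
                return True
            if "://" not in src and src.lower() == urlsplit(parent).hostname:
                return True
        return False  # 'none', an empty list, or no match: the parent is blocked

    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return parent == framed
    return True  # no header: any page may frame this document

# Constructed sample: the response headers https://app.com/ sends once the
# Web.config entry from the post is in place.
APP_HEADERS = {"X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    # malicious.com trying to frame app.com is refused ...
    print(framing_allowed(APP_HEADERS, "https://app.com/", "https://malicious.com/"))  # False
    # ... while app.com framing its own pages still works.
    print(framing_allowed(APP_HEADERS, "https://app.com/", "https://app.com/dashboard"))  # True
    # The header on app.com's responses says nothing about frames app.com embeds:
    # whether malicious.com can be framed depends on malicious.com's own headers.
    print(framing_allowed({}, "https://malicious.com/", "https://app.com/"))  # True
```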
I have 11+ years of experience in software development. I am proud to be in the top 5 Multi-Tenancy answerers @ Stackoverflow. I have worked with C#, Java, MySQL, SQL Server, multi-tenancy, AWS, Azure, Terraform, Java with Spring Boot and Python, Groovy, and bat scripts.