Mitigating framesniffing with the X-Frame-Options header
Article ID: 2694329
Framesniffing is an attack technique that takes advantage of browser functionality to steal data from a website. Web applications that allow their content to be hosted in a cross-domain IFRAME may be vulnerable to this attack.
Administrators can mitigate framesniffing by configuring IIS to send an HTTP response header that prevents content from being hosted in a cross-domain IFRAME.
The X-Frame-Options header (http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx) can be used to control whether a page can be placed in an IFRAME. Because the framesniffing technique relies on being able to place the victim site in an IFRAME, a web application can protect itself by sending an appropriate X-Frame-Options header.
To configure IIS to add an X-Frame-Options header to all responses for a given site, follow these steps:
If you have other sites that need this configuration, repeat steps 2 through 6 for those sites also.
This change will prevent HTML pages on other domains from hosting your site in an IFRAME. For example, if the Contoso IT department applies this change to http://contoso.com, pages at http://fabrikam.com will no longer be able to display content from http://contoso.com in an IFRAME.
You can modify the value of the X-Frame-Options header to allow http://fabrikam.com to frame http://contoso.com while blocking all other domains. To do this, change the value of the X-Frame-Options header in step 5 to ALLOW-FROM http://fabrikam.com.
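As an added example (not part of the KB article), the following Python models how a browser evaluates the X-Frame-Options header values discussed above, using the Contoso/Fabrikam scenario; the URLs and function names are constructed for illustration and the comparison is made against the top-level page, since browsers differ on whether intermediate frames are also checked.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """Return (scheme, host, port) for a URL, filling in the default port.

    Two URLs are same-origin only if all three parts match, so
    http://contoso.com and https://contoso.com are different origins.
    """
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def parse_xfo(value):
    """Parse an X-Frame-Options value into (directive, allowed_origin).

    Accepts DENY, SAMEORIGIN and 'ALLOW-FROM <uri>'; anything else is
    treated as a misconfiguration and raises ValueError so an audit can
    flag it rather than silently assume the page is protected.
    """
    tokens = value.strip().split()
    directive = tokens[0].upper() if tokens else ""
    if directive in ("DENY", "SAMEORIGIN") and len(tokens) == 1:
        return directive, None
    if directive == "ALLOW-FROM" and len(tokens) == 2:
        return directive, origin_of(tokens[1])
    raise ValueError("malformed X-Frame-Options value: %r" % value)


def framing_allowed(xfo_value, framed_url, framer_url):
    """Decide whether the page at framed_url may be shown in an IFRAME
    on the top-level page at framer_url, given the header it sends."""
    if xfo_value is None:
        # No header at all: any site can frame the page (framesniffing exposure).
        return True
    directive, allowed = parse_xfo(xfo_value)
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return origin_of(framed_url) == origin_of(framer_url)
    # ALLOW-FROM: exactly one foreign origin may frame the page.
    return origin_of(framer_url) == allowed


def is_valid_xfo(value):
    """True if the header value is one a browser will understand."""
    try:
        parse_xfo(value)
        return True
    except ValueError:
        return False
```

Calling `framing_allowed("ALLOW-FROM http://fabrikam.com", "http://contoso.com/", "http://fabrikam.com/page")` reproduces the exception described above, while any other framer origin is refused.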
For more information about the X-Frame-Options header, see this MSDN blog post.
To revert the change, follow these steps: