Mitigating framesniffing with the X-Frame-Options header

Framesniffing is an attack technique that takes advantage of browser functionality to steal data from a website. Web applications that allow their content to be hosted in a cross-domain IFRAME may be vulnerable to this attack.

Administrators can mitigate framesniffing by configuring IIS to send an HTTP response header that prevents content from being hosted in a cross-domain IFRAME.
The X-Frame-Options header can be used to control whether a page can be placed in an IFRAME. Because the Framesniffing technique relies on being able to place the victim site in an IFRAME, a web application can protect itself by sending an appropriate X-Frame-Options header.

To configure IIS to add an X-Frame-Options header to all responses for a given site, follow these steps:
  1. Open Internet Information Services (IIS) Manager.
  2. In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
  3. Double-click the HTTP Response Headers icon in the feature list in the middle.
  4. In the Actions pane on the right side, click Add.
  5. In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field.
  6. Click OK to save your changes.

If you have other sites that need this configuration, repeat steps 2 through 6 for those sites also.

This change will prevent HTML pages on other domains from hosting your site in an IFRAME. For example, if the Contoso IT department applies this change to, pages at will no longer be able to display content from in an IFRAME.

You can modify the value of the X-Frame-Options header to allow to frame while blocking all other domains. To do this, change the value of the X-Frame-Options header in step 5 to ALLOW-FROM

For more information about the X-Frame-Options header, see this MSDN blog post.

To revert the change, follow these steps:
  1. Open Internet Information Services (IIS) Manager.
  2. In the Connections pane on the left side, expand the Sites folder, and select the site where you made this change.
  3. In the feature list in the middle, double-click the HTTP Response Headers icon.
  4. In the list of headers that appears, select X-Frame-Options.
  5. Click Remove in the Actions pane on the right side.

security, framesniffing, x-frame-options

Article ID: 2694329 - Last Review: 03/24/2012 20:31:00 - Revision: 1.0

Microsoft Office SharePoint Server 2007, Microsoft SharePoint Foundation 2010, Microsoft SharePoint Server 2010, Microsoft Windows SharePoint Services 3.0

  • KB2694329