Ensure Browser Framing Is Restricted

Embedding a legitimate web page inside a frame (an iframe or a standard frame) on an attacker-controlled page has long been a popular way to attack web clients: the attacker lures the victim to a malicious website that frames the desired content from the legitimate site, mixing malicious code with legitimate web content. Malicious content can also be injected into the legitimate site itself via XSS (reflected, DOM-based, or stored). The X-Frame-Options HTTP response header gives a server a way to state whether a page may be loaded in a frame at all (DENY) or only in frames whose document shares the page's origin (SAMEORIGIN).

To counter this attack, the server sends a response header that tells browsers not to let other websites frame its pages.

Solution

For websites (front-end apps), add the following to your web server's configuration file. Use DENY if the page should never be framed, and SAMEORIGIN if only pages from the same origin may frame it.

Apache (httpd.conf or .htaccess; requires mod_headers):

Header set X-Frame-Options "DENY"

Nginx (server or location block):

add_header X-Frame-Options SAMEORIGIN always;

IIS (web.config):

<system.webServer>
  …

  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>

  …
</system.webServer>

HAProxy (frontend or backend section):

http-response set-header X-Frame-Options SAMEORIGIN

Node.js with Express and Helmet:

const express = require("express");
const helmet = require("helmet");
const app = express();
app.use(helmet.frameguard({ action: "SAMEORIGIN" }));
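As an added example (not code from the original page, Helmet or any of the servers listed above), the block below shows the two sides of the configurations: a minimal middleware that sets X-Frame-Options the way the Express/Helmet line does, and an audit function that inspects a response's headers and reports whether framing is restricted. It goes one step beyond the page by also recognising the Content-Security-Policy frame-ancestors directive, which supersedes X-Frame-Options when both are present, so a permissive CSP silently overriding a DENY header is caught. All function names and the sample responses are this example's own; the samples are constructed, not captured.

```javascript
// Added example, not from the original page: a minimal X-Frame-Options
// middleware (same idea as helmet.frameguard, written without Express or
// Helmet) and an audit that reports whether response headers restrict framing.

const VALID_ACTIONS = new Set(["DENY", "SAMEORIGIN"]);

// Returns (req, res, next)-style middleware that sets X-Frame-Options.
// Only DENY and SAMEORIGIN are accepted: ALLOW-FROM is deprecated and
// ignored by current browsers, so accepting it would give false assurance.
function frameguard(action = "SAMEORIGIN") {
  const value = String(action).toUpperCase();
  if (!VALID_ACTIONS.has(value)) {
    throw new Error(`unsupported X-Frame-Options value: ${action}`);
  }
  return function (req, res, next) {
    res.setHeader("X-Frame-Options", value);
    if (typeof next === "function") next();
  };
}

// Case-insensitive lookup of a header in a plain { name: value } object.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]);
}

// Audits response headers for framing protection. A CSP frame-ancestors
// directive supersedes X-Frame-Options when both are present, so it is
// checked first. Returns { restricted, mechanism, reason }.
function assessFraming(headers) {
  const csp = header(headers, "content-security-policy");
  if (csp !== undefined) {
    const directive = csp
      .split(";")
      .map((d) => d.trim())
      .find((d) => /^frame-ancestors(\s|$)/i.test(d));
    if (directive !== undefined) {
      const sources = directive.split(/\s+/).slice(1);
      if (sources.includes("*")) {
        return { restricted: false, mechanism: "csp", reason: "frame-ancestors * allows any origin" };
      }
      return { restricted: true, mechanism: "csp", reason: directive };
    }
  }

  const xfo = header(headers, "x-frame-options");
  if (xfo === undefined) {
    return { restricted: false, mechanism: "none", reason: "no X-Frame-Options or frame-ancestors header" };
  }
  const value = xfo.trim().toUpperCase();
  if (VALID_ACTIONS.has(value)) {
    return { restricted: true, mechanism: "xfo", reason: value };
  }
  // ALLOW-FROM, misspellings and multi-valued headers ("DENY, SAMEORIGIN")
  // are not enforced uniformly across browsers; flag them for review.
  return { restricted: false, mechanism: "xfo", reason: `unrecognised value: ${xfo}` };
}

// Runs the middleware against a stand-in response object and returns the
// headers it produced, so it can be exercised without starting a server.
function applyFrameguard(action) {
  const res = { headers: {}, setHeader(name, value) { this.headers[name] = value; } };
  frameguard(action)({}, res, () => {});
  return res.headers;
}

// Constructed sample responses mirroring the configurations above, plus two
// failure modes: a permissive CSP that overrides DENY, and deprecated ALLOW-FROM.
const SAMPLES = {
  apache: { "X-Frame-Options": "DENY" },
  nginx: { "x-frame-options": "SAMEORIGIN" },
  csp: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://app.example" },
  cspOpen: { "Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY" },
  allowFrom: { "X-Frame-Options": "ALLOW-FROM https://partner.example" },
  open: { "Content-Type": "text/html" },
};

// Audits every sample and returns the results keyed by sample name.
function auditAll() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) out[name] = assessFraming(headers);
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, result] of Object.entries(auditAll())) {
    console.log(`${name.padEnd(10)} restricted=${result.restricted} via ${result.mechanism}: ${result.reason}`);
  }
}
```

Run it with node to print one line per sample; only the Apache, Nginx and CSP samples come out as restricted. The cspOpen sample is the one to note: X-Frame-Options: DENY is present, but because a frame-ancestors directive is also present the browser enforces the CSP instead, and frame-ancestors * permits framing from anywhere.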