Original: https://beenle-xiaojie.github.io/2019/01/07/ClickJacking/
Introduction

When our page was embedded in an iframe, security testing raised a term that was completely new to me: clickjacking, which can pose a security risk.

1. What is clickjacking?

Clickjacking is a form of visual deception. There are roughly two techniques. In the first, the attacker overlays a transparent iframe on a page and lures the user into interacting with that page; the user then clicks inside the transparent iframe without realising it. In the second, the attacker covers the page with an image that hides the real meaning of the elements underneath. Simply put, the user clicks a button, but instead of the normally expected event, the click triggers some other, unintended operation.

2. Solution

Configure the X-Frame-Options response header to prevent clickjacking.

Principle: the X-Frame-Options HTTP response header tells the browser whether a page may be displayed inside a <frame>, <iframe> or <object> element. A site can use it to make sure its content is not embedded in other people's sites, and so avoid clickjacking attacks.

X-Frame-Options has three possible values (the value is not case sensitive):

```
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM uri
```

If DENY is specified, loading the page in a frame fails not only when attempted from another site, but also when attempted from the same site. If SAMEORIGIN is specified, the page can still be framed as long as the framing page is served from the same site.

- DENY: the page cannot be displayed in a frame, regardless of which site attempts it.
- SAMEORIGIN: the page can only be displayed in a frame on a page of the same origin.
- ALLOW-FROM uri: the page can only be displayed in a frame on the specified origin.
The current project is deployed on nginx, so nginx is used as the configuration example; Apache, IIS and other servers can be configured in the same way.

Configuration:

1) Written in /opt/nginx/conf.d/example.conf:

```nginx
add_header X-Frame-Options "allow-from https://example.com/";
```

or, writing the domain directly:

```nginx
add_header X-Frame-Options "allow-from example.com/";
```

2) Pitfall: in Chrome this produced an error. The error message was:

```
Invalid 'X-Frame-Options' header encountered when loading 'example.com:8081/app.html': 'Allow-from example.com/' is not a recognized directive. The header will be ignored.
```

After investigation it turned out that Chrome and Safari use the Content-Security-Policy header instead. (ALLOW-FROM was never supported by Chrome or Safari, and when a browser ignores the header the page is left frameable; the CSP frame-ancestors directive is the standard replacement, and when it is present, CSP-aware browsers give it precedence over X-Frame-Options.)

3) Set Content-Security-Policy:

```nginx
add_header Content-Security-Policy "frame-ancestors example.com";
```

3. Reference links

- Web security: an overview of clickjacking attack and defence techniques
- Principles of the ClickJacking vulnerability

4. Knowledge point

Anti-hotlinking attack
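The following is an added example, not code from the original post, that turns the X-Frame-Options and Content-Security-Policy discussion above into a check a defender can run against a server's response headers. It classifies the X-Frame-Options value (flagging the ALLOW-FROM case that Chrome ignored), extracts the CSP frame-ancestors source list, and combines both into a verdict; it also goes slightly beyond the post by treating `frame-ancestors *` as unprotected and by giving CSP precedence over X-Frame-Options, which is how CSP-aware browsers behave. The header sets at the bottom are constructed samples modelled on the post's configurations, not captured from a real server.

```python
"""Audit HTTP response headers for clickjacking protection.

Added example for this post, not the author's code. It checks the two
mechanisms discussed in the post: X-Frame-Options and the
Content-Security-Policy frame-ancestors directive. The sample headers at the
bottom are constructed, not captured from a real server.
"""
from typing import Dict, List, Optional


def parse_x_frame_options(value: Optional[str]) -> Dict[str, Optional[str]]:
    """Classify an X-Frame-Options value.

    Directive names are matched case-insensitively, as browsers do.
    """
    if value is None:
        return {"directive": None, "uri": None, "note": "header absent"}
    parts = value.strip().split(None, 1)
    if not parts:
        return {"directive": None, "uri": None, "note": "empty header; ignored"}
    directive = parts[0].upper()
    if directive in ("DENY", "SAMEORIGIN"):
        return {"directive": directive, "uri": None, "note": "ok"}
    if directive == "ALLOW-FROM":
        uri = parts[1].strip() if len(parts) > 1 else None
        # The pitfall from the post: Chrome and Safari do not recognise
        # ALLOW-FROM and ignore the whole header, leaving the page frameable.
        return {"directive": directive, "uri": uri,
                "note": "not recognised by Chrome/Safari; header ignored there"}
    return {"directive": directive, "uri": None,
            "note": "unrecognised directive; header ignored"}


def parse_frame_ancestors(csp: Optional[str]) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    if csp is None:
        return None
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def assess(headers: Dict[str, str]) -> Dict[str, object]:
    """Combine both headers into a single verdict.

    When a frame-ancestors directive is present, CSP-aware browsers ignore
    X-Frame-Options, so CSP is evaluated first.
    """
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    xfo = parse_x_frame_options(lower.get("x-frame-options"))
    ancestors = parse_frame_ancestors(lower.get("content-security-policy"))
    if ancestors is not None:
        if "*" in ancestors:
            verdict = "unprotected: frame-ancestors * lets any site frame the page"
        else:
            verdict = "protected (CSP frame-ancestors)"
    elif xfo["directive"] in ("DENY", "SAMEORIGIN"):
        verdict = "protected (X-Frame-Options)"
    elif xfo["directive"] == "ALLOW-FROM":
        verdict = "partial: ALLOW-FROM only, unprotected in Chrome/Safari"
    else:
        verdict = "unprotected: no framing restriction"
    return {"x_frame_options": xfo, "frame_ancestors": ancestors, "verdict": verdict}


# Constructed sample responses, modelled on the configurations in the post.
SAMPLES = {
    "allow-from only (the post's first attempt)": {
        "X-Frame-Options": "allow-from example.com/"},
    "csp frame-ancestors (the post's fix)": {
        "Content-Security-Policy": "frame-ancestors example.com"},
    "sameorigin": {"x-frame-options": "SAMEORIGIN"},
    "no headers": {},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {assess(hdrs)['verdict']}")
```

In practice you would feed `assess()` the headers returned by a request to your own page (for example from `requests.get(...).headers`) and alert on any verdict that is not "protected"; the "partial" verdict is exactly the state the post's first nginx configuration left the page in.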