X-FRAME-OPTIONS web page hijacking vulnerability

Vulnerability description ：
Clickjacking （ClickJacking） It's a visual deception . Attacker uses a transparent iframe, Overlay on a web page , Then entice users to operate on the web , At this time, the user will click the transparent iframe page . Through adjustment iframe Page location , Can induce the user to just click on iframe On some functional buttons of the page .
HTTP In response header information X-Frame-Options, You can indicate whether the browser should load a iframe Pages in . If the server response header does not contain X-Frame-Options, Then the website exists ClickJacking Attack risk . Website can be set by X-Frame-Options Prevent pages within the site from being embedded by other pages to prevent click hijacking .
Solution ：
modify web Server configuration , add to X-Frame-Options Response head . There are three kinds of assignments ：
1、DENY： It can't be embedded in anything iframe perhaps frame in .
2、SAMEORIGIN： The page can only be embedded into iframe perhaps frame in
3、ALLOW-FROM uri： Can only be embedded in the framework of the specified domain name

apache Configurable http.conf as follows ：

Copy  
<IfModule headers_module>
      Header always append X-Frame-Options "DENY"
 </IfModule>
 

nginx To configure

nginx Pass respectively http and server Set up X-Frame-Options , Prevent websites from being used by others iframe Embedded use . It should be noted that , Just use one of these methods , stay http Configure code block or server Configure the settings in the code block .

• stay http Configuration settings X-Frame-Options