Refer to https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Extracted from the above:
"sameorigin - no rendering if origin mismatch"
Other than the enhanced security, what's the impact of implementing this vs. not implementing it?
Will it cause slowness / degraded performance, or is it negligible?
Will any apps (say WebLogic, WebSphere, JBoss, .NET, Java) break or need to be amended after the
changes indicated below (see the three web servers' changes below)?
Does it manifest in such a way that if the original web client's IP address differs from the returning
traffic's IP, then it will not load in the web page of the web browser?
Summary of changes:
Amend in web.config (Q3: in which folder is this file found?):
<add name="X-Frame-Options" value="SAMEORIGIN" />
Amend in .htaccess [Q4: in which directory is this file found?]:
Header always append X-Frame-Options SAMEORIGIN
Amend in the http, server or location config [Q5: what's the exact file name and in which folder is it found?]:
add_header X-Frame-Options SAMEORIGIN;
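To make the "origin mismatch" wording concrete: what a browser compares under SAMEORIGIN is the web origin (scheme, host and port) of every ancestor frame's document against the origin of the framed response. Client or server IP addresses are never part of the check, and a top-level navigation is never affected by the header at all. The script below is an added example, not code from the OWASP page or from any of the web servers listed above; it implements the X-Frame-Options decision as I read it from the HTML Standard (duplicate values collapse, a conflicting list containing DENY blocks, other conflicting lists are ignored), and the URLs and the raw HTTP response in it are constructed for illustration.

```python
"""Added example: how a browser decides whether a response may be framed.

Implements the X-Frame-Options check as I read it from the HTML Standard
("check a navigation response's adherence to X-Frame-Options"). All origins,
URLs and the raw response below are constructed sample data.
"""
from __future__ import annotations

from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple[str, str, int]:
    """Reduce a URL to its web origin: (scheme, host, port).

    This tuple is what SAMEORIGIN compares; IP addresses of the client or
    the server play no part in it.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme, -1)
    return (scheme, host, port)


def parse_xfo(header_values: list[str]) -> list[str]:
    """Split each X-Frame-Options value on commas into lowercase tokens.

    Apache's "Header always append" merges a new value into an existing
    header with a comma, so "SAMEORIGIN, SAMEORIGIN" is a real-world input.
    """
    tokens = []
    for value in header_values:
        for token in value.split(","):
            token = token.strip().lower()
            if token:
                tokens.append(token)
    return tokens


def may_be_framed(xfo_headers: list[str], response_url: str,
                  ancestor_urls: list[str]) -> bool:
    """True if a browser would render response_url inside frames whose
    ancestor documents live at ancestor_urls (empty list = top-level)."""
    if not ancestor_urls:
        return True  # not a child navigable: the header is not consulted
    values = set(parse_xfo(xfo_headers))  # a set, so duplicates collapse
    if not values:
        return True  # no header: framing from anywhere is allowed
    if len(values) > 1:
        # Conflicting values: "deny" (or the junk values "allowall" /
        # "invalid") wins and blocks; any other conflicting mix is ignored.
        return not (values & {"deny", "allowall", "invalid"})
    (value,) = values
    if value == "deny":
        return False
    if value == "sameorigin":
        target = origin_of(response_url)
        return all(origin_of(a) == target for a in ancestor_urls)
    return True  # unrecognised value (e.g. legacy allow-from): ignored


def xfo_headers_from_response(raw: bytes) -> list[str]:
    """Pull every X-Frame-Options value out of a raw HTTP/1.1 response
    (the shape `curl -i` prints), matching the header name case-insensitively."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            values.append(value.strip())
    return values


# Constructed sample: the application already emitted SAMEORIGIN and
# Apache's "Header always append" added a second copy to the same header.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Frame-Options: SAMEORIGIN, SAMEORIGIN\r\n"
    b"\r\n"
    b"<html><body>portal page</body></html>"
)

if __name__ == "__main__":
    headers = xfo_headers_from_response(SAMPLE_RESPONSE)
    app = "https://app.example.com/page"
    for framer in ("https://app.example.com/portal", "https://evil.example/"):
        print(framer, "->", may_be_framed(headers, app, [framer]))
```

Two practical consequences show up when you run it: a page at `https://app.example.com` can be framed by `https://app.example.com` but not by `http://app.example.com` (the scheme is part of the origin), and the doubled value produced by `Header always append` still behaves as SAMEORIGIN, whereas an application that already sends DENY combined with an appended SAMEORIGIN is treated as DENY. If you want the web server to override whatever the application emits rather than add to it, Apache's `Header always set` replaces the existing value instead of appending.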