X-Frame-Options SAMEORIGIN : impact & precaution when implementing on web servers

Posted on 2014-11-04
Last Modified: 2014-11-06
Refer to https://www.owasp.org/index.php/List_of_useful_HTTP_headers :
Extracted from the above:
"sameorigin - no rendering if origin mismatch"

Q1:
Other than the enhanced security, what's the impact of implementing this vs. not implementing it?
Will it cause slowness / degraded performance, or is it negligible?

Will any apps (say Weblogic, Websphere, JBoss, .Net, Java) break or need to be amended after the
changes indicated below (see the 3 web servers' changes below)?

Q2:
Does it manifest in such a way that if the original web client's IP address differs from the returning
traffic's IP, then it will not load in the web browser?


Summary of changes:

IIS:
==
 Amend in web.config (Q3: in which folder is this file found?):
 <system.webServer>
   ...
   <httpProtocol>
     <customHeaders>
       <add name="X-Frame-Options" value="SAMEORIGIN" />
     </customHeaders>
   </httpProtocol>
 </system.webServer>

Apache
======
Amend in .htaccess   [Q4: in which directory is this file found? ]:
   Header always append X-Frame-Options SAMEORIGIN

 
Nginx
=====
Amend in the http, server or location config [Q5: what's the exact file name & in which folder is it found?]:
   add_header X-Frame-Options SAMEORIGIN;
Question by:sunhux
8 Comments
 
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 40425341
It is more to deter clickjacking attacks, which is to ensure that your web content is not embedded into other sites via a frame scheme. As mentioned, the "X-Frame-Options" header can be used, and this is added at either
> page level - tedious, as you need to identify and add it into those "many" pages individually, which takes time
> site level - maybe more palatable as you own it and enforce consistent protection as one site
> server level - sort of blanket protection but may impact websites running on the same server (and not yours)

Q1. If there are web proxies fronting your website, they may be adding and stripping headers. Hence a web proxy can still possibly strip the X-Frame-Options header, whereby the site loses its framing protection. Performance wise, I doubt any difference, but definitely with extra checks by each intermediate hop it can incur some latency, though unlikely to be resource intensive ... good to baseline the site though, esp. for those dynamic content driven ones.

Also, legacy browsers may not support the X-Frame-Options header, hence normally some will include a "frame-breaker" script in each page that should not be framed. This takes time again and is subject to testing for various client browser compatibility support (can check out this online compatibility test @ http://erlend.oftedal.no/blog/tools/xframeoptions/)

Best Practices
- Send the content as an HTTP Header – the directive is ignored if specified in a META tag
- Use X-Frame-Options on critical configuration pages or other pages that require an “authentic user click”
- Don’t use “sameorigin” if you have any page on your domain which accepts an arbitrary URL to frame


Q2. Not IP based; instead it is domain URL based. Some examples to note:
 
If a page specifies SAMEORIGIN, browsers will forbid framing only if the top-level origin FQDN (fully-qualified domain name, aka what you see in the address bar) does not exactly match the FQDN of the subframe page that demanded the SAMEORIGIN restriction. Your critical pages should specify DENY if your site has a page that permits hosting of arbitrary frames.

If http://shop.example.com/confirm.asp contains the X-FRAME-OPTIONS directive with the value Allow-From https://partner.affiliate.com, then the page may be framed only by pages from the https://partner.affiliate.com origin.

If you were to specify the SAMEORIGIN directive on your victimsite.com/confirm.asp response, it would be vulnerable to ClickJacking by Attacker.com. This is if your site has a page like: http://victimSite.com/FrameIt.asp?embedframe=//attacker.com/eviloverlay, where your page embeds a frame pointed at the URL specified in the query string.

Q3. For IIS, pls see http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders
Q4. For Apache, pls see http://www.commanigy.com/blog/2011/06/08/finding-apache-configuration-file-httpd-conf-location
Q5. For Nginx, pls see http://chandank.com/webservers/nginx/add-x-frame-options-nginx
 
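The framing rules btan lays out for Q2 (SAMEORIGIN compared on the top-level origin, ALLOW-FROM naming one origin, DENY) and best practice 1 (a META tag is ignored) can be checked mechanically. The Python below is an added example for this thread, not code from the thread or from IIS, Apache or Nginx; the URLs and the two HTTP responses in it are constructed, and treating an unrecognised header value as "unprotected" is my assumption, chosen as the conservative reading for an audit.

```python
"""
Evaluate X-Frame-Options the way a supporting browser does, and audit
captured responses for the header.  Added example, not code from this
thread or from any web server; URLs and responses below are constructed.
"""
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Return the lower-cased scheme://host[:port] origin of a URL.

    SAMEORIGIN and ALLOW-FROM compare origins, so the http:// and https://
    versions of the same host are different origins.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    netloc = parts.netloc.lower()
    default_port = {"http": ":80", "https": ":443"}.get(scheme, "")
    if default_port and netloc.endswith(default_port):
        netloc = netloc[: -len(default_port)]  # http://a.com:80 == http://a.com
    return f"{scheme}://{netloc}"


def framing_allowed(header_value, top_level_url: str, frame_url: str) -> bool:
    """Return True if a browser honouring X-Frame-Options would render
    frame_url inside a document whose top-level (address bar) URL is
    top_level_url.  header_value is the X-Frame-Options value that came
    with frame_url's response, or None if the header was absent.
    """
    if header_value is None:
        return True                          # no header: framing unrestricted
    tokens = header_value.strip().split(None, 1)
    directive = tokens[0].upper()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return origin_of(top_level_url) == origin_of(frame_url)
    if directive == "ALLOW-FROM" and len(tokens) == 2:
        return origin_of(top_level_url) == origin_of(tokens[1])
    # Assumption for this example: an unrecognised value is reported as
    # "framing allowed", i.e. unprotected, which is the conservative reading.
    return True


def audit_response(raw: bytes) -> dict:
    """Report how a captured HTTP response is (or is not) protected.

    Only a real response header counts; an X-Frame-Options <meta> tag in the
    body is ignored by browsers, so it is flagged as 'meta_only'.  More than
    one header line is flagged as 'duplicate' so you can check which layer
    (app server, web server, proxy) added each copy.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    header_lines = head.decode("iso-8859-1").split("\r\n")[1:]
    values = [line.split(":", 1)[1].strip()
              for line in header_lines
              if line.lower().startswith("x-frame-options:")]
    return {
        "header": values[0] if values else None,
        "duplicate": len(values) > 1,
        "meta_only": not values and b"x-frame-options" in body.lower(),
    }


# Constructed sample responses (not captured from any real server).
RESPONSE_WITH_HEADER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"\r\n"
    b"<html><body>confirm order</body></html>"
)
RESPONSE_META_ONLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b'<html><head><meta http-equiv="X-Frame-Options" content="DENY">'
    b"</head><body>confirm order</body></html>"
)

if __name__ == "__main__":
    confirm = "http://shop.example.com/confirm.asp"
    # SAMEORIGIN: framed by its own site, yes; by another site, no.
    print(framing_allowed("SAMEORIGIN", "http://shop.example.com/", confirm))
    print(framing_allowed("SAMEORIGIN", "http://another-site.example/", confirm))
    # ALLOW-FROM: only the named origin may frame the page.
    print(framing_allowed("ALLOW-FROM https://partner.affiliate.com",
                          "https://partner.affiliate.com/offer", confirm))
    # The audit reports a META tag as no protection at all.
    print(audit_response(RESPONSE_WITH_HEADER))
    print(audit_response(RESPONSE_META_ONLY))
```

Run against a response captured from behind the proxies mentioned in Q1 (rather than from the origin server), `audit_response` shows whether the header actually reached the client; `framing_allowed` with the site's own FrameIt-style page as `top_level_url` shows why SAMEORIGIN alone still permits the scenario btan describes and DENY does not.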

Author Comment

by:sunhux
ID: 40425402
> legacy browsers may not support the X-Frame-Options header
So IE, Firefox & Chrome should be able to support it, right?
Unless the browser versions are too old?

With this X-Frame-Options header set, do the clients' web clients,
i.e. web browsers, need to do any setting so that they are not affected?
Do elaborate if there are specific settings needed on the browsers, e.g.:
  Pop-up blocker
  ActiveX filtering
  Security at Medium-High still works?
  Advanced options ...
LVL 64

Assisted Solution

by:btan
btan earned 2000 total points
ID: 40425486
You can test out the browser using the below, as mentioned, and there is a list as well on the site. Newer ones should already support that .. legacy ones are like those using IE6 and Firefox 2.0
http://erlend.oftedal.no/blog/tools/xframeoptions/

From the Mozilla developer site, it also states the various browser compatibility - can check that too
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options#Browser_compatibility

As for settings, it should be transparent, as it is native in the supported browser to recognise this header; eventually they will just render a page in a <frame>, <iframe> or <object> as long as this is in the page ..

Author Comment

by:sunhux
ID: 40425642
Last 2 questions:

Is this option supported in Oracle Web Server?

Any specific handling at the app servers' (in particular Weblogic, Websphere,
Glassfish, .Net Framework) end if the web servers have this option set?

Author Comment

by:sunhux
ID: 40425646
Is Oracle Web server a variant of Apache ?
LVL 64

Assisted Solution

by:btan
btan earned 2000 total points
ID: 40425690
Oracle HTTP server is based on Apache HTTP server
http://docs.oracle.com/middleware/1212/webtier/HSADM/intro_ohs.htm#i1008837

Sidetrack - but note some FAQ entries below:

B.4 Can I Apply Apache HTTP Server Security Patches to Oracle HTTP Server?
No, you cannot apply the Apache HTTP Server security patches to Oracle HTTP Server...

B.5 Can I Upgrade the Apache HTTP Server Version of Oracle HTTP Server?
No, you cannot upgrade only the Apache HTTP Server version inside Oracle HTTP Server. Oracle provides a newer version of Apache HTTP Server that Oracle HTTP Server is based on, which is part of either a patch update or the next major or minor release of Oracle Fusion Middleware.

Author Comment

by:sunhux
ID: 40427827
Gee btan, your responses always impress
LVL 64

Expert Comment

by:btan
ID: 40427839
thanks!