Solved

X-Frame-Options SAMEORIGIN : impact & precaution when implementing on web servers

Posted on 2014-11-04
8
4,314 Views
Last Modified: 2014-11-06
refer to https://www.owasp.org/index.php/List_of_useful_HTTP_headers  :
Extracted from above:
" sameorigin - no rendering if origin mismatch "

Q1:
Other than the enhanced security, what's the impact of implementing this vs not implementing it?
Will it cause slowness / degraded performance or it's negligible?

Any apps (say Weblogic, Websphere, JBoss, .Net, Java) will break or need to be amended after the
changes indicated below (see the 3 web servers' changes below).

Q2:
Does it manifest in such a way that if the original web client's IP address differ from the returning
traffic's IP, then it will not load in the web page of the web browser ?


Summary of changes:

IIS:
==
 Amend in web.config (Q3: in which folder is this file found ? ) :
 <system.webServer>
   ...
   <httpProtocol>
     <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
     </customHeaders>
   </httpProtocol>
 

Apache
======
Amend in .htaccess   [Q4: in which directory is this file found? ]:
   Header always append X-Frame-Options SAMEORIGIN

 
Nginx
=====
Amend in http server or location config [ Q5: what's the exact file name & in which folder it's found? ]:
   add_header X-Frame-Options SAMEORIGIN
0
Comment
Question by:sunhux
  • 4
  • 4
8 Comments
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 40425341
it is more to deter clickjacking attack which is to ensure that your web content is not embedded into other sites via frame scheme. As mentioned, the "X-Frame-Options" can be used and this is added to either at
> page level - tedious as need to identify and add into that "many" pages individually which takes time
> site level - maybe more palatable as you owned it and enforce consistent protection as one site
> server level - sort of blanket protect btu may impact website running in same server (and not yours)

Q1. If there is web proxies fronting your website, they may be into those adding and stripping headers. Hence a web proxy can still possibly strip the X-Frame-Options header which the site loses its framing protection. performance wise, I doubt any different but definitely which extra checks by each intermediate hops, it can incur some latency but unlikely resource intensive ... good to baseline site though esp for those dynamic content driven ones.

.also legacy browser may not support the X-Frame-Options-Header, hence normally some will include a "frame-breaker" script in each page that should not be framed. this takes time again and subject to testing for various client browser compatibility support (can check out this online compatibility test @ http://erlend.oftedal.no/blog/tools/xframeoptions/)

Best Practices
- Send the content as an HTTP Header – the directive is ignored if specified in a META tag
- Use X-Frame-Options on critical configuration pages or other pages that require an “authentic user click”
- Don’t use “sameorigin” if you have any page on your domain which accepts an arbitrary URL to frame


Q2. Not IP based instead it is domain URL based. Some example to note,  
 
if a page specifies SAMEORIGIN, browsers will forbid framing only if the top-level origin FQDN (fully-qualified-domain-name, aka what you see in the address bar) does not exactly match FQDN of the subframe page that demanded the SAMEORIGIN restriction. Your critical pages should specify DENY if your site has a page that permits hosting of arbitrary frames.

if http://shop.example.com/confirm.asp contains the X-FRAME-OPTIONS directive with the value Allow-From https://partner.affiliate.com, then the page may be framed only by pages from the https://partner.affiliate.com origin.

if you were to specify the SAMEORIGIN directive on your victimsite.com/confirm.asp response, it would be vulnerable to ClickJacking by Attacker.com. This is if your site has a page like: http://victimSite.com/FrameIt.asp?embedframe=//attacker.com/eviloverlay, where your page embeds a frame pointed at the URL specified in the query string.

Q3. For IIS, pls see http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders
Q4. For Apache, pls see http://www.commanigy.com/blog/2011/06/08/finding-apache-configuration-file-httpd-conf-location
Q5. For Nginx, pls see http://chandank.com/webservers/nginx/add-x-frame-options-nginx
0
 

Author Comment

by:sunhux
ID: 40425402
> legacy browser may not support the X-Frame-Options-Header
So IE, Firefox & Chrome should be able to support it, right?
Unless the browsers version are too old?

With this X-Frame_Options-Header set, does the clients' web clients
ie web browsers need to do any setting so that they are not affected?
Do elaborate if there's specific settings needed on the browsers, eg:
  Pop-ups blocker
  ActiveX filtering
  Security at Medium-High still works ?
  Advanced options ...
0
 
LVL 62

Assisted Solution

by:btan
btan earned 500 total points
ID: 40425486
You can test out the browser using below as mentioned and there is a list as well in the site. Newer one should already support that .. legacy one is like for those using IE6 and Firefox 2.0
http://erlend.oftedal.no/blog/tools/xframeoptions/

From mozilla developer site, it stated also the various browser compatibility - can check that too
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options#Browser_compatibility

As for setting, it should be transparent as it is native in the supported browser to recognise this header, eventually they will just render a page in a <frame>, <iframe> or <object> as long as this in the page ..
0
 

Author Comment

by:sunhux
ID: 40425642
Last 2 questions:

In this option supported in Oracle Web server?  

any specific handling at the app servers (in particular Weblogic, Websphere,
Glassfish, .Net Framework) end if the web servers have this option set?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:sunhux
ID: 40425646
Is Oracle Web server a variant of Apache ?
0
 
LVL 62

Assisted Solution

by:btan
btan earned 500 total points
ID: 40425690
Oracle HTTP server is based on Apache HTTP server
http://docs.oracle.com/middleware/1212/webtier/HSADM/intro_ohs.htm#i1008837

sidetrack - but note some faq below

B.4 Can I Apply Apache HTTP Server Security Patches to Oracle HTTP Server?
No, you cannot apply the Apache HTTP Server security patches to Oracle HTTP Server...

B.5 Can I Upgrade the Apache HTTP Server Version of Oracle HTTP Server?
No, you cannot upgrade only the Apache HTTP Server version inside Oracle HTTP Server. Oracle provides a newer version of Apache HTTP Server that Oracle HTTP Server is based on, which is part of either a patch update or the next major or minor release of Oracle Fusion Middleware.
0
 

Author Comment

by:sunhux
ID: 40427827
Gee btan, your responses always impress
0
 
LVL 62

Expert Comment

by:btan
ID: 40427839
thanks!
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A brand new malware strain was recently discovered by security researchers at Palo Alto Networks dubbed “AceDeceiver.” This new strain of iOS malware can successfully infect non-jailbroken devices and jailbroken devices alike.
This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now