sunhux
asked on
X-Frame-Options SAMEORIGIN : impact & precaution when implementing on web servers
Refer to https://www.owasp.org/index.php/List_of_useful_HTTP_headers :
Extracted from above:
"sameorigin - no rendering if origin mismatch"
Q1:
Other than the enhanced security, what's the impact of implementing this vs not implementing it?
Will it cause slowness / degraded performance, or is it negligible?
Will any apps (say WebLogic, WebSphere, JBoss, .NET, Java) break or need to be amended after the
changes indicated below (see the 3 web servers' changes below)?
Q2:
Does it manifest in such a way that if the original web client's IP address differs from the returning
traffic's IP, then the page will not load in the web browser?
Summary of changes:
IIS:
==
Amend in web.config (Q3: in which folder is this file found?):
<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
Apache
======
Amend in .htaccess [Q4: in which directory is this file found?]:
Header always append X-Frame-Options SAMEORIGIN
Nginx
=====
Amend in the http, server or location config [Q5: what's the exact file name & in which folder is it found?]:
add_header X-Frame-Options SAMEORIGIN;
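A small checker, added here as an example and not part of the thread or its answers, that classifies the X-Frame-Options value a response carries; it runs offline on constructed sample responses that mimic what the three configurations above emit, and it flags the "Header append" pitfall (a second, differing value when an upstream already sets the header). The browser applies the header by comparing the origin (scheme, host, port) of the framing page with that of the framed response, never client IP addresses, so an ordinary top-level page load is unaffected; ALLOW-FROM is reported as invalid because current browsers do not honour it.

```python
"""Classify the X-Frame-Options policy in an HTTP response (added example,
not code from the thread; runs offline on constructed sample responses)."""
from typing import Dict, List, Tuple

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.x response head into (lower-cased name, value)."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def xfo_policy(raw: str) -> str:
    """Return 'deny', 'sameorigin', 'missing', 'invalid' or 'conflict'.

    Matching is case-insensitive (RFC 7034). A value repeated unchanged (what
    'Header append' yields when an upstream already set it) is accepted;
    differing values are a conflict browsers do not resolve predictably.
    """
    values: List[str] = []
    for name, value in parse_headers(raw):
        if name == "x-frame-options":
            values.extend(v.strip().upper() for v in value.split(","))
    if not values:
        return "missing"
    if len(set(values)) > 1:
        return "conflict"
    return values[0].lower() if values[0] in ("DENY", "SAMEORIGIN") else "invalid"

# Constructed sample responses (not captured from any real server).
SAMPLES: Dict[str, str] = {
    "nginx_sameorigin": "HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                        "X-Frame-Options: SAMEORIGIN\r\n\r\n<html>",
    "no_header": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "appended_twice": "HTTP/1.1 200 OK\r\nX-Frame-Options: sameorigin\r\n"
                      "X-Frame-Options: SAMEORIGIN\r\n\r\n<html>",
    "conflict": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
                "X-Frame-Options: SAMEORIGIN\r\n\r\n<html>",
    "obsolete": "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://a.example\r\n\r\n",
}

def audit(samples: Dict[str, str]) -> Dict[str, str]:
    """Map each sample name to its classified policy."""
    return {name: xfo_policy(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, policy in audit(SAMPLES).items():
        print(f"{name:18} {policy}")
```

To check a live deployment, feed the script the raw response head captured with a tool such as curl -i; anything other than "deny" or "sameorigin" means the header is not doing its job.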
ASKER
Last 2 questions:
Is this option supported in Oracle Web Server?
Is any specific handling needed at the app servers' end (in particular WebLogic, WebSphere,
GlassFish, .NET Framework) if the web servers have this option set?
ASKER
Is Oracle Web Server a variant of Apache?
ASKER
Gee btan, your responses always impress, thanks!
ASKER
So IE, Firefox & Chrome should be able to support it, right?
Unless the browser versions are too old?
With this X-Frame-Options header set, do the clients' web clients,
i.e. web browsers, need any settings so that they are not affected?
Do elaborate if there are specific settings needed on the browsers, e.g.:
Pop-up blocker
ActiveX filtering
Security at Medium-High still works?
Advanced options ...