Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

X-Frame-Options SAMEORIGIN : impact & precaution when implementing on web servers

Posted on 2014-11-04
8
Medium Priority
?
5,587 Views
Last Modified: 2014-11-06
refer to https://www.owasp.org/index.php/List_of_useful_HTTP_headers  :
Extracted from above:
" sameorigin - no rendering if origin mismatch "

Q1:
Other than the enhanced security, what's the impact of implementing this vs not implementing it?
Will it cause slowness / degraded performance or it's negligible?

Any apps (say Weblogic, Websphere, JBoss, .Net, Java) will break or need to be amended after the
changes indicated below (see the 3 web servers' changes below).

Q2:
Does it manifest in such a way that if the original web client's IP address differ from the returning
traffic's IP, then it will not load in the web page of the web browser ?


Summary of changes:

IIS:
==
 Amend in web.config (Q3: in which folder is this file found ? ) :
 <system.webServer>
   ...
   <httpProtocol>
     <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
     </customHeaders>
   </httpProtocol>
 

Apache
======
Amend in .htaccess   [Q4: in which directory is this file found? ]:
   Header always append X-Frame-Options SAMEORIGIN

 
Nginx
=====
Amend in http server or location config [ Q5: what's the exact file name & in which folder it's found? ]:
   add_header X-Frame-Options SAMEORIGIN
0
Comment
Question by:sunhux
  • 4
  • 4
8 Comments
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 40425341
it is more to deter clickjacking attack which is to ensure that your web content is not embedded into other sites via frame scheme. As mentioned, the "X-Frame-Options" can be used and this is added to either at
> page level - tedious as need to identify and add into that "many" pages individually which takes time
> site level - maybe more palatable as you owned it and enforce consistent protection as one site
> server level - sort of blanket protect btu may impact website running in same server (and not yours)

Q1. If there is web proxies fronting your website, they may be into those adding and stripping headers. Hence a web proxy can still possibly strip the X-Frame-Options header which the site loses its framing protection. performance wise, I doubt any different but definitely which extra checks by each intermediate hops, it can incur some latency but unlikely resource intensive ... good to baseline site though esp for those dynamic content driven ones.

.also legacy browser may not support the X-Frame-Options-Header, hence normally some will include a "frame-breaker" script in each page that should not be framed. this takes time again and subject to testing for various client browser compatibility support (can check out this online compatibility test @ http://erlend.oftedal.no/blog/tools/xframeoptions/)

Best Practices
- Send the content as an HTTP Header – the directive is ignored if specified in a META tag
- Use X-Frame-Options on critical configuration pages or other pages that require an “authentic user click”
- Don’t use “sameorigin” if you have any page on your domain which accepts an arbitrary URL to frame


Q2. Not IP based instead it is domain URL based. Some example to note,  
 
if a page specifies SAMEORIGIN, browsers will forbid framing only if the top-level origin FQDN (fully-qualified-domain-name, aka what you see in the address bar) does not exactly match FQDN of the subframe page that demanded the SAMEORIGIN restriction. Your critical pages should specify DENY if your site has a page that permits hosting of arbitrary frames.

if http://shop.example.com/confirm.asp contains the X-FRAME-OPTIONS directive with the value Allow-From https://partner.affiliate.com, then the page may be framed only by pages from the https://partner.affiliate.com origin.

if you were to specify the SAMEORIGIN directive on your victimsite.com/confirm.asp response, it would be vulnerable to ClickJacking by Attacker.com. This is if your site has a page like: http://victimSite.com/FrameIt.asp?embedframe=//attacker.com/eviloverlay, where your page embeds a frame pointed at the URL specified in the query string.

Q3. For IIS, pls see http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders
Q4. For Apache, pls see http://www.commanigy.com/blog/2011/06/08/finding-apache-configuration-file-httpd-conf-location
Q5. For Nginx, pls see http://chandank.com/webservers/nginx/add-x-frame-options-nginx
0
 

Author Comment

by:sunhux
ID: 40425402
> legacy browser may not support the X-Frame-Options-Header
So IE, Firefox & Chrome should be able to support it, right?
Unless the browsers version are too old?

With this X-Frame_Options-Header set, does the clients' web clients
ie web browsers need to do any setting so that they are not affected?
Do elaborate if there's specific settings needed on the browsers, eg:
  Pop-ups blocker
  ActiveX filtering
  Security at Medium-High still works ?
  Advanced options ...
0
 
LVL 65

Assisted Solution

by:btan
btan earned 2000 total points
ID: 40425486
You can test out the browser using below as mentioned and there is a list as well in the site. Newer one should already support that .. legacy one is like for those using IE6 and Firefox 2.0
http://erlend.oftedal.no/blog/tools/xframeoptions/

From mozilla developer site, it stated also the various browser compatibility - can check that too
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options#Browser_compatibility

As for setting, it should be transparent as it is native in the supported browser to recognise this header, eventually they will just render a page in a <frame>, <iframe> or <object> as long as this in the page ..
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:sunhux
ID: 40425642
Last 2 questions:

In this option supported in Oracle Web server?  

any specific handling at the app servers (in particular Weblogic, Websphere,
Glassfish, .Net Framework) end if the web servers have this option set?
0
 

Author Comment

by:sunhux
ID: 40425646
Is Oracle Web server a variant of Apache ?
0
 
LVL 65

Assisted Solution

by:btan
btan earned 2000 total points
ID: 40425690
Oracle HTTP server is based on Apache HTTP server
http://docs.oracle.com/middleware/1212/webtier/HSADM/intro_ohs.htm#i1008837

sidetrack - but note some faq below

B.4 Can I Apply Apache HTTP Server Security Patches to Oracle HTTP Server?
No, you cannot apply the Apache HTTP Server security patches to Oracle HTTP Server...

B.5 Can I Upgrade the Apache HTTP Server Version of Oracle HTTP Server?
No, you cannot upgrade only the Apache HTTP Server version inside Oracle HTTP Server. Oracle provides a newer version of Apache HTTP Server that Oracle HTTP Server is based on, which is part of either a patch update or the next major or minor release of Oracle Fusion Middleware.
0
 

Author Comment

by:sunhux
ID: 40427827
Gee btan, your responses always impress
0
 
LVL 65

Expert Comment

by:btan
ID: 40427839
thanks!
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
As tax season makes its return, so does the increase in cyber crime and tax refund phishing that comes with it
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…
Look below the covers at a subform control , and the form that is inside it. Explore properties and see how easy it is to aggregate, get statistics, and synchronize results for your data. A Microsoft Access subform is used to show relevant calcul…

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question