X-Frame-Options SAMEORIGIN : impact & precaution when implementing on web servers

refer to https://www.owasp.org/index.php/List_of_useful_HTTP_headers  :
Extracted from above:
" sameorigin - no rendering if origin mismatch "

Q1:
Other than the enhanced security, what's the impact of implementing this vs not implementing it?
Will it cause slowness / degraded performance or it's negligible?

Any apps (say Weblogic, Websphere, JBoss, .Net, Java) will break or need to be amended after the
changes indicated below (see the 3 web servers' changes below).

Q2:
Does it manifest in such a way that if the original web client's IP address differ from the returning
traffic's IP, then it will not load in the web page of the web browser ?


Summary of changes:

IIS:
==
 Amend in web.config (Q3: in which folder is this file found ? ) :
 <system.webServer>
   ...
   <httpProtocol>
     <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
     </customHeaders>
   </httpProtocol>
 

Apache
======
Amend in .htaccess   [Q4: in which directory is this file found? ]:
   Header always append X-Frame-Options SAMEORIGIN

 
Nginx
=====
Amend in http server or location config [ Q5: what's the exact file name & in which folder it's found? ]:
   add_header X-Frame-Options SAMEORIGIN
sunhuxAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
it is more to deter clickjacking attack which is to ensure that your web content is not embedded into other sites via frame scheme. As mentioned, the "X-Frame-Options" can be used and this is added to either at
> page level - tedious as need to identify and add into that "many" pages individually which takes time
> site level - maybe more palatable as you owned it and enforce consistent protection as one site
> server level - sort of blanket protect btu may impact website running in same server (and not yours)

Q1. If there is web proxies fronting your website, they may be into those adding and stripping headers. Hence a web proxy can still possibly strip the X-Frame-Options header which the site loses its framing protection. performance wise, I doubt any different but definitely which extra checks by each intermediate hops, it can incur some latency but unlikely resource intensive ... good to baseline site though esp for those dynamic content driven ones.

.also legacy browser may not support the X-Frame-Options-Header, hence normally some will include a "frame-breaker" script in each page that should not be framed. this takes time again and subject to testing for various client browser compatibility support (can check out this online compatibility test @ http://erlend.oftedal.no/blog/tools/xframeoptions/)

Best Practices
- Send the content as an HTTP Header – the directive is ignored if specified in a META tag
- Use X-Frame-Options on critical configuration pages or other pages that require an “authentic user click”
- Don’t use “sameorigin” if you have any page on your domain which accepts an arbitrary URL to frame


Q2. Not IP based instead it is domain URL based. Some example to note,  
 
if a page specifies SAMEORIGIN, browsers will forbid framing only if the top-level origin FQDN (fully-qualified-domain-name, aka what you see in the address bar) does not exactly match FQDN of the subframe page that demanded the SAMEORIGIN restriction. Your critical pages should specify DENY if your site has a page that permits hosting of arbitrary frames.

if http://shop.example.com/confirm.asp contains the X-FRAME-OPTIONS directive with the value Allow-From https://partner.affiliate.com, then the page may be framed only by pages from the https://partner.affiliate.com origin.

if you were to specify the SAMEORIGIN directive on your victimsite.com/confirm.asp response, it would be vulnerable to ClickJacking by Attacker.com. This is if your site has a page like: http://victimSite.com/FrameIt.asp?embedframe=//attacker.com/eviloverlay, where your page embeds a frame pointed at the URL specified in the query string.

Q3. For IIS, pls see http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders
Q4. For Apache, pls see http://www.commanigy.com/blog/2011/06/08/finding-apache-configuration-file-httpd-conf-location
Q5. For Nginx, pls see http://chandank.com/webservers/nginx/add-x-frame-options-nginx
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sunhuxAuthor Commented:
> legacy browser may not support the X-Frame-Options-Header
So IE, Firefox & Chrome should be able to support it, right?
Unless the browsers version are too old?

With this X-Frame_Options-Header set, does the clients' web clients
ie web browsers need to do any setting so that they are not affected?
Do elaborate if there's specific settings needed on the browsers, eg:
  Pop-ups blocker
  ActiveX filtering
  Security at Medium-High still works ?
  Advanced options ...
0
btanExec ConsultantCommented:
You can test out the browser using below as mentioned and there is a list as well in the site. Newer one should already support that .. legacy one is like for those using IE6 and Firefox 2.0
http://erlend.oftedal.no/blog/tools/xframeoptions/

From mozilla developer site, it stated also the various browser compatibility - can check that too
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options#Browser_compatibility

As for setting, it should be transparent as it is native in the supported browser to recognise this header, eventually they will just render a page in a <frame>, <iframe> or <object> as long as this in the page ..
0
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

sunhuxAuthor Commented:
Last 2 questions:

In this option supported in Oracle Web server?  

any specific handling at the app servers (in particular Weblogic, Websphere,
Glassfish, .Net Framework) end if the web servers have this option set?
0
sunhuxAuthor Commented:
Is Oracle Web server a variant of Apache ?
0
btanExec ConsultantCommented:
Oracle HTTP server is based on Apache HTTP server
http://docs.oracle.com/middleware/1212/webtier/HSADM/intro_ohs.htm#i1008837

sidetrack - but note some faq below

B.4 Can I Apply Apache HTTP Server Security Patches to Oracle HTTP Server?
No, you cannot apply the Apache HTTP Server security patches to Oracle HTTP Server...

B.5 Can I Upgrade the Apache HTTP Server Version of Oracle HTTP Server?
No, you cannot upgrade only the Apache HTTP Server version inside Oracle HTTP Server. Oracle provides a newer version of Apache HTTP Server that Oracle HTTP Server is based on, which is part of either a patch update or the next major or minor release of Oracle Fusion Middleware.
0
sunhuxAuthor Commented:
Gee btan, your responses always impress
0
btanExec ConsultantCommented:
thanks!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Vulnerabilities

From novice to tech pro — start learning today.