Solved

X-Frame-Options SAMEORIGIN : impact & precaution when implementing on web servers

Posted on 2014-11-04
8
4,141 Views
Last Modified: 2014-11-06
refer to https://www.owasp.org/index.php/List_of_useful_HTTP_headers  :
Extracted from above:
" sameorigin - no rendering if origin mismatch "

Q1:
Other than the enhanced security, what's the impact of implementing this vs not implementing it?
Will it cause slowness / degraded performance or it's negligible?

Any apps (say Weblogic, Websphere, JBoss, .Net, Java) will break or need to be amended after the
changes indicated below (see the 3 web servers' changes below).

Q2:
Does it manifest in such a way that if the original web client's IP address differ from the returning
traffic's IP, then it will not load in the web page of the web browser ?


Summary of changes:

IIS:
==
 Amend in web.config (Q3: in which folder is this file found ? ) :
 <system.webServer>
   ...
   <httpProtocol>
     <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
     </customHeaders>
   </httpProtocol>
 

Apache
======
Amend in .htaccess   [Q4: in which directory is this file found? ]:
   Header always append X-Frame-Options SAMEORIGIN

 
Nginx
=====
Amend in http server or location config [ Q5: what's the exact file name & in which folder it's found? ]:
   add_header X-Frame-Options SAMEORIGIN
0
Comment
Question by:sunhux
  • 4
  • 4
8 Comments
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
Comment Utility
it is more to deter clickjacking attack which is to ensure that your web content is not embedded into other sites via frame scheme. As mentioned, the "X-Frame-Options" can be used and this is added to either at
> page level - tedious as need to identify and add into that "many" pages individually which takes time
> site level - maybe more palatable as you owned it and enforce consistent protection as one site
> server level - sort of blanket protect btu may impact website running in same server (and not yours)

Q1. If there is web proxies fronting your website, they may be into those adding and stripping headers. Hence a web proxy can still possibly strip the X-Frame-Options header which the site loses its framing protection. performance wise, I doubt any different but definitely which extra checks by each intermediate hops, it can incur some latency but unlikely resource intensive ... good to baseline site though esp for those dynamic content driven ones.

.also legacy browser may not support the X-Frame-Options-Header, hence normally some will include a "frame-breaker" script in each page that should not be framed. this takes time again and subject to testing for various client browser compatibility support (can check out this online compatibility test @ http://erlend.oftedal.no/blog/tools/xframeoptions/)

Best Practices
- Send the content as an HTTP Header – the directive is ignored if specified in a META tag
- Use X-Frame-Options on critical configuration pages or other pages that require an “authentic user click”
- Don’t use “sameorigin” if you have any page on your domain which accepts an arbitrary URL to frame


Q2. Not IP based instead it is domain URL based. Some example to note,  
 
if a page specifies SAMEORIGIN, browsers will forbid framing only if the top-level origin FQDN (fully-qualified-domain-name, aka what you see in the address bar) does not exactly match FQDN of the subframe page that demanded the SAMEORIGIN restriction. Your critical pages should specify DENY if your site has a page that permits hosting of arbitrary frames.

if http://shop.example.com/confirm.asp contains the X-FRAME-OPTIONS directive with the value Allow-From https://partner.affiliate.com, then the page may be framed only by pages from the https://partner.affiliate.com origin.

if you were to specify the SAMEORIGIN directive on your victimsite.com/confirm.asp response, it would be vulnerable to ClickJacking by Attacker.com. This is if your site has a page like: http://victimSite.com/FrameIt.asp?embedframe=//attacker.com/eviloverlay, where your page embeds a frame pointed at the URL specified in the query string.

Q3. For IIS, pls see http://www.iis.net/configreference/system.webserver/httpprotocol/customheaders
Q4. For Apache, pls see http://www.commanigy.com/blog/2011/06/08/finding-apache-configuration-file-httpd-conf-location
Q5. For Nginx, pls see http://chandank.com/webservers/nginx/add-x-frame-options-nginx
0
 

Author Comment

by:sunhux
Comment Utility
> legacy browser may not support the X-Frame-Options-Header
So IE, Firefox & Chrome should be able to support it, right?
Unless the browsers version are too old?

With this X-Frame_Options-Header set, does the clients' web clients
ie web browsers need to do any setting so that they are not affected?
Do elaborate if there's specific settings needed on the browsers, eg:
  Pop-ups blocker
  ActiveX filtering
  Security at Medium-High still works ?
  Advanced options ...
0
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
Comment Utility
You can test out the browser using below as mentioned and there is a list as well in the site. Newer one should already support that .. legacy one is like for those using IE6 and Firefox 2.0
http://erlend.oftedal.no/blog/tools/xframeoptions/

From mozilla developer site, it stated also the various browser compatibility - can check that too
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options#Browser_compatibility

As for setting, it should be transparent as it is native in the supported browser to recognise this header, eventually they will just render a page in a <frame>, <iframe> or <object> as long as this in the page ..
0
 

Author Comment

by:sunhux
Comment Utility
Last 2 questions:

In this option supported in Oracle Web server?  

any specific handling at the app servers (in particular Weblogic, Websphere,
Glassfish, .Net Framework) end if the web servers have this option set?
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 

Author Comment

by:sunhux
Comment Utility
Is Oracle Web server a variant of Apache ?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
Comment Utility
Oracle HTTP server is based on Apache HTTP server
http://docs.oracle.com/middleware/1212/webtier/HSADM/intro_ohs.htm#i1008837

sidetrack - but note some faq below

B.4 Can I Apply Apache HTTP Server Security Patches to Oracle HTTP Server?
No, you cannot apply the Apache HTTP Server security patches to Oracle HTTP Server...

B.5 Can I Upgrade the Apache HTTP Server Version of Oracle HTTP Server?
No, you cannot upgrade only the Apache HTTP Server version inside Oracle HTTP Server. Oracle provides a newer version of Apache HTTP Server that Oracle HTTP Server is based on, which is part of either a patch update or the next major or minor release of Oracle Fusion Middleware.
0
 

Author Comment

by:sunhux
Comment Utility
Gee btan, your responses always impress
0
 
LVL 61

Expert Comment

by:btan
Comment Utility
thanks!
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Join & Write a Comment

If you don't have the right permissions set for your WordPress location in IIS, you won't be able to perform automatic updates. Here's how to fix the problem.
Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now