asked on Need help with X-Frame-Options response header configuration - IIS8
I am trying to fix a vulnerability found during a penetration scan. I need to correct the X-Frame-Options response header and set it to DENY so that the webpage is unable to be opened in a frame. I found this page:
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
That says to add this to the <system.webServer> section.
<system.webServer>
...
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
...
</system.webServer>
to my web.config file. It looked straightforward enough, so I found that section and added that to the web.config file and still getting the alert when I run the penetration test after the change was made.
I need to know if there is something else I need to do in order for this to be set correctly.
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
That says to add this to the <system.webServer> section.
<system.webServer>
...
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
...
</system.webServer>
to my web.config file. It looked straightforward enough, so I found that section and added that to the web.config file and still getting the alert when I run the penetration test after the change was made.
I need to know if there is something else I need to do in order for this to be set correctly.
Web DevelopmentWeb FrameworksHTTP ProtocolMicrosoft IIS Web ServerWeb Browsers
Last Comment
ADJ-admin
ASKER
see above
ASKER
I also found this and the header is currently set to DENY, please advise:
The X-Frame-Options header can be used to control whether a page can be placed in an IFRAME. Because the Framesniffing technique relies on being able to place the victim site in an IFRAME, a web application can protect itself by sending an appropriate X-Frame-Options header.
To configure IIS to add an X-Frame-Options header to all responses for a given site, follow these steps:
Open Internet Information Services (IIS) Manager.
In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
Double-click the HTTP Response Headers icon in the feature list in the middle.
In the Actions pane on the right side, click Add.
In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field.
Click OK to save your changes.
The X-Frame-Options header can be used to control whether a page can be placed in an IFRAME. Because the Framesniffing technique relies on being able to place the victim site in an IFRAME, a web application can protect itself by sending an appropriate X-Frame-Options header.
To configure IIS to add an X-Frame-Options header to all responses for a given site, follow these steps:
Open Internet Information Services (IIS) Manager.
In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
Double-click the HTTP Response Headers icon in the feature list in the middle.
In the Actions pane on the right side, click Add.
In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field.
Click OK to save your changes.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
I checked the values in the GUI following the instructions and it shows the value set to DENY. Not sure if this is working as the test I run (OWASP ZAP) is still showing that this is not set correctly. Would running the above script produce a different result?
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
The above information helped me achieve the desired response, that is, the form will not allow a frame to be called for the page(s) in question. My issue now is that OWASP still flags this as it is not working and I am trying to figure out why this is happening.