首先我们来看一段关于框架劫持的安全说明。
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a<frame>, <iframe> or <object> . Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. Using X-Frame-Options There are three possible values for X-Frame-Options: DENY The page cannot be displayed in a frame, regardless of the site attempting to do so. SAMEORIGIN The page can only be displayed in a frame on the same origin as the page itself. ALLOW-FROM uri The page can only be displayed in a frame on the specified origin. In other words, if you specify DENY, not only will attempts to load the page in a frame fail when loaded from other sites, attempts to do so will fail when loaded from the same site. On the other hand, if you specify SAMEORIGIN, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.
文章里写到,在未设置相关的框架保护下,容易导致页面劫持,但是设置了框架的保护后并采用上述的三种保护方法中的任一种后,安全漏洞就得到了缓解,但是不同的平台有不同的方法。
Apache:
在配置文件中增加:
Header always append X-Frame-Options SAMEORIGIN
即可
Nginx:
同样在配置文件中增加:
add_header X-Frame-Options SAMEORIGIN
即可。
Tomcat:
这个比较特别,需要在页面里指定,当然也可以在web.xml里配,但是相当地复杂。
如在每个页面里增加:
response.addHeader( "X-Frame-Options", "SAMEORIGIN" )
xml的配置请看:https://www.owasp.org/index.php/Clickjacking_Protection_for_Java_EE。
IIS:
增加配置:
<system.webServer> ... <httpProtocol> <customHeaders> <add name="X-Frame-Options" value="SAMEORIGIN" /> </customHeaders> </httpProtocol> ... </system.webServer>
即可。
HAProxy:
增加:
rspadd X-Frame-Options:\ SAMEORIGIN
即可。
好了,请开始配置吧。
参考内容:
https://www.owasp.org/index.php/Clickjacking_Protection_for_Java_EE https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options http://stackoverflow.com/questions/6666423/overcoming-display-forbidden-by-x-frame-options