Join +2,660 software developers getting weekly tips covering security, quality and system design.
Imagine you are building your amazing website. It has all the great features that make users happy; they use it and believe they are completely safe while doing so. But one day... you discover that your system is vulnerable to CLICKJACKING! - "Bartosz! What does it mean?!" - "Reader... read on." Scary, right? The problem is that clickjacking is a real issue. Here is how it works: the attacker builds their own page that loads your website inside an invisible frame and lays it over something the visitor actually wants to click.
You may ask, scared: - "Bartosz! How is this possible?!" The embedded website is positioned absolutely (and usually made transparent) so that when the user clicks on what looks like the right place on that evil page, the real click lands on the embedded website, not on the visible one, potentially executing a sensitive operation. It may be anything: liking a post, sending a message, or even sending money in a one-click checkout!

Don't worry! There is an easy way to prevent this kind of "embedding" of your website: send the proper HTTP response headers while serving it.

The first way is the X-Frame-Options header. Its value may be DENY or SAMEORIGIN:

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN

If you choose DENY, no website at all is allowed to embed yours. With SAMEORIGIN, only pages served from the same origin (the same scheme, host and port) may embed it in frames or iframes. Practically speaking, only pages from your own site can embed your website. Note that X-Frame-Options cannot express an allow-list of other sites: its old ALLOW-FROM value is obsolete and ignored by current browsers.

The second option is the Content-Security-Policy header with the frame-ancestors directive (mind the trailing "s"). You can deny embedding with 'none', allow only your own origin with 'self', or list the allowed origins, for example:

Content-Security-Policy: frame-ancestors 'none'
Content-Security-Policy: frame-ancestors 'self' https://partner.example

When both headers are present, a browser that understands frame-ancestors ignores X-Frame-Options, so treat the CSP directive as the real policy and X-Frame-Options as a fallback for older browsers. Make sure the headers are sent on every response that renders a page (error pages included), and verify them with your browser's developer tools or with curl -I against your site.

That's all for this week! We are one step closer to building secure Web applications. PS. If you want to chat, then just reply :) There are many interesting challenges to talk about.
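To make the attack and the two defences concrete, here is an added example that is not part of the original newsletter. It runs offline with Node.js and shows three things: the shape of the attacker's decoy page (a transparent iframe laid over a button), a helper that builds the protective headers for a given list of allowed origins, and a small checker that decides, the way a browser would, whether a page served with those headers may be framed from a given origin. The origins (bank.example, evil.example, partner.example) are made-up sample data, the function names are my own, and the checker is a simplified model: it handles 'none', 'self' and explicit origins in frame-ancestors, looks only at the direct embedder rather than the whole ancestor chain, and ignores scheme-only and wildcard sources.

```javascript
// Added example (not from the original newsletter): how a clickjacking page
// overlays a transparent frame, and the two response headers that stop it.
// Runs offline with Node.js; all origins used below are made-up sample data.

// The attacker's decoy page: the victim site is loaded in an invisible iframe
// sitting exactly over a tempting button, so the click lands on the hidden
// frame instead of the visible one. Returned as a string for the demo.
function attackerPage(targetUrl) {
  return `<!doctype html>
<style>
  #decoy  { position:absolute; top:200px; left:200px; width:200px; height:50px; }
  #victim { position:absolute; top:0; left:0; width:800px; height:600px;
            opacity:0; z-index:2; }   /* invisible, but on top of the decoy */
</style>
<button id="decoy">Claim your prize</button>
<iframe id="victim" src="${targetUrl}"></iframe>`;
}

// Build the defensive headers for a page. allowedOrigins is the list of
// origins permitted to frame it ('self' meaning the page's own origin);
// an empty list means nobody may frame it.
function frameProtectionHeaders(allowedOrigins = []) {
  if (allowedOrigins.length === 0) {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  if (allowedOrigins.length === 1 && allowedOrigins[0] === 'self') {
    return {
      'X-Frame-Options': 'SAMEORIGIN',
      'Content-Security-Policy': "frame-ancestors 'self'",
    };
  }
  // X-Frame-Options has no working allow-list (ALLOW-FROM is obsolete), so a
  // cross-origin allow-list can only be expressed with frame-ancestors.
  const sources = allowedOrigins.map(o => (o === 'self' ? "'self'" : o));
  return { 'Content-Security-Policy': `frame-ancestors ${sources.join(' ')}` };
}

// Decide, as a browser would, whether a page served with `headers` at
// `pageOrigin` may be framed by a document at `embedderOrigin`.
// A CSP frame-ancestors directive wins if present; otherwise X-Frame-Options
// applies; with neither header the page is framable by anyone.
// Simplifications: only 'none', 'self' and explicit origins are understood,
// and only the direct embedder is checked, not the full ancestor chain.
function isFramingAllowed(headers, pageOrigin, embedderOrigin) {
  const get = name => {
    const key = Object.keys(headers).find(k => k.toLowerCase() === name);
    return key ? headers[key] : undefined;
  };
  const csp = get('content-security-policy');
  if (csp) {
    const directive = csp.split(';').map(d => d.trim())
      .find(d => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1).map(s => s.toLowerCase());
      if (sources.includes("'none'")) return false;
      if (sources.includes("'self'") && embedderOrigin === pageOrigin) return true;
      return sources.includes(embedderOrigin.toLowerCase());
    }
  }
  const xfo = (get('x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
  return true; // no recognised policy: the page can be framed from anywhere
}

// Demo: an unprotected page versus the two protected variants.
function demo() {
  const bank = 'https://bank.example';   // sample origins, made up for the demo
  const evil = 'https://evil.example';
  console.log(attackerPage(bank));
  console.log(isFramingAllowed({}, bank, evil));                           // true
  console.log(isFramingAllowed(frameProtectionHeaders(), bank, evil));     // false
  console.log(isFramingAllowed(frameProtectionHeaders(['self']), bank, bank)); // true
}
demo();
```

The checker is handy as a quick audit: feed it the headers you see in curl -I output for each page of your site and the origins you expect to be blocked. If it returns true for an origin you do not trust, that response is missing the policy.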