Clickjacking Cheat Sheet
DRAFT CHEAT SHEET - WORK IN PROGRESS
This article is focused on providing developer guidance on Clickjack/UI Redress attack prevention. For more information on the risk of Clickjacking, please visit this page.
Defending with response headers
Thew X-FRAME-OPTIONS header is used to mark responses that should not be framed. There are three options with X-FRAME-OPTIONS.
- The first is DENY, which prevents everyone from framing the content.
- The second option is SAMEORIGIN, which only allows the current site to frame the content.
- The third, is the ALLOW-FROM 'sitename' header, which permits the specified 'sitename' to frame this page. (e.g., ALLOW-FROM http://www.foo.com) The ALLOW-FROM option is a relatively recent addition (circa 2012) and may not be supported by all browsers yet.
X-FRAME-OPTIONS has seen good adoption by major browsers, unfortunately studies have shown the header is not yet widely deployed by sites.
To implement this protection, you need to add the header to any page that you want to protect from being clickjacked. One way to do this is to add the header manually to every page. A possibly simpler way is to implement a filter that automatically adds the header to every page.
- OWASP has an article and some code that provides all the details for implementing this in the Java EE environment.
- The SDL blog has posted an article covering how to implement this in a .NET environment.
- In 2009, Microsoft implemented a header based defense in IE8 that allows developers to specify that pages should not be framed.
OWASP Cheat Sheets Project Homepage
Developer Cheat Sheets (Builder)
- Authentication Cheat Sheet
- Choosing and Using Security Questions Cheat Sheet
- Clickjacking Defense Cheat Sheet
- C-Based Toolchain Hardening Cheat Sheet
- Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
- Cryptographic Storage Cheat Sheet
- DOM based XSS Prevention Cheat Sheet
- Forgot Password Cheat Sheet
- HTML5 Security Cheat Sheet
- Input Validation Cheat Sheet
- JAAS Cheat Sheet
- Logging Cheat Sheet
- .NET Security Cheat Sheet
- OWASP Top Ten Cheat Sheet
- Password Storage Cheat Sheet
- Pinning Cheat Sheet
- Query Parameterization Cheat Sheet
- Ruby on Rails Cheatsheet
- REST Security Cheat Sheet
- Session Management Cheat Sheet
- SQL Injection Prevention Cheat Sheet
- Transport Layer Protection Cheat Sheet
- Unvalidated Redirects and Forwards Cheat Sheet
- User Privacy Protection Cheat Sheet
- Web Service Security Cheat Sheet
- XSS (Cross Site Scripting) Prevention Cheat Sheet
Assessment Cheat Sheets (Breaker)
Mobile Cheat Sheets
OpSec Cheat Sheets (Defender)
Draft Cheat Sheets
- Access Control Cheat Sheet
- Application Security Architecture Cheat Sheet
- Business Logic Security Cheat Sheet
- PHP Security Cheat Sheet
- Secure Coding Cheat Sheet
- Secure SDLC Cheat Sheet
- Threat Modeling Cheat Sheet
- Web Application Security Testing Cheat Sheet
- Grails Secure Code Review Cheat Sheet
- IOS Application Security Testing Cheat Sheet
- Key Management Cheat Sheet
- Insecure Direct Object Reference Prevention Cheat Sheet
- Content Security Policy Cheat Sheet