How do you prevent a website from iframing your content - php

I found 3 websites that are iframing my website. At first I thought they had just copied my theme and were scraping my content, but when I edit my homepage, their homepages change automatically too.
How can I prevent them from iframing my website? They are using up my server resources and affecting my ranking on Google as well.
What I did so far (which to some extent hindered them from showing my website):
I enabled "Under Attack Mode" on Cloudflare, which shows "Checking your browser" repeatedly (https://imgur.com/a/6TpyLyU).

Although there are some iframe buster scripts, you'll be better off adding the X-Frame-Options header to your responses:
X-Frame-Options: deny
X-Frame-Options: sameorigin
X-Frame-Options: allow-from https://example.com/
When the browser sees these headers, it will stop loading your website if it was requested from an iframe.
Update
After a better explanation of the problem, it can be solved by adding a JavaScript redirect:
// Frame-buster: if this page is not the top-level window, send the top window
// to the original site. A cross-origin frame may not read top.location.href
// (it throws), but it may assign to it.
if (window.top !== window.self) {
    window.top.location.href = "http://original-website.com";
}

Related

Setting X-Frame-Options in PHP

How can I set X-Frame-Options in my PHP code so that it is present in all the web pages served from my server? Basically, I am trying to prevent my web app from being loaded in an iframe.
Use the line below in the PHP file that outputs the response to the client side.
header("X-Frame-Options: DENY");
DENY blocks framing completely. You may also try the SAMEORIGIN option.
header("X-Frame-Options: SAMEORIGIN");
If you are using the Apache web server, you can also set it directly in httpd.conf.
<Directory />
...
Header always set X-Frame-Options "SAMEORIGIN"
</Directory>
X-Frame-Options prevents your site's content from being embedded in other sites. By default, browsers allow other sites to open a web page in an iframe. It also secures your Apache web server against clickjacking attacks.
There are three options available for X-Frame-Options:
SAMEORIGIN – With this setting, you can embed pages on the same origin, for example adding an iframe of a page to the site itself.
ALLOW-FROM uri – Use this setting to allow a specific origin (website/domain) to embed pages of your site in an iframe.
DENY – This will not allow any website to embed your site's pages in an iframe.
There are two ways to set up X-Frame-Options:
1. with the Apache configuration
2. with .htaccess
With the Apache configuration:
Debian based systems: /etc/apache2/conf-enabled/security.conf
Redhat based systems: /etc/httpd/conf/httpd.conf
Header set X-Frame-Options: "SAMEORIGIN" #Allow for Same Origin (Default Action)
Header set X-Frame-Options: "ALLOW-FROM http://example.com/" #Allow from specific origin
Header set X-Frame-Options: "DENY" #Deny to everyone
With .htaccess:
Header append X-Frame-Options: "SAMEORIGIN"
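Both answers above stop at X-Frame-Options. As an added example that is not from either answer, here is the same policy emitted from a small Node.js (JavaScript) server, chosen to match the other examples on this page; the header strings it produces are exactly what would go into PHP header() calls or Apache Header directives. It also sends Content-Security-Policy: frame-ancestors, because no current browser honours X-Frame-Options: ALLOW-FROM (Chrome never implemented it and Firefox removed it), so an allow-list of embedding origins is only enforceable through frame-ancestors; X-Frame-Options stays as a stricter fallback for browsers without CSP support. The origins, the port and the function names are made up for the example.

```javascript
'use strict';

// Response headers that control who may frame a page.
//   mode 'deny'       : nobody
//   mode 'sameorigin' : only pages from the same origin
//   mode 'allow'      : the same origin plus the listed embedding origins
// Browsers do not implement X-Frame-Options ALLOW-FROM, so an allow-list can
// only be enforced with CSP frame-ancestors; X-Frame-Options is kept as the
// fallback for browsers that predate CSP (they get SAMEORIGIN, a stricter
// policy, never an open one).
function framingHeaders(mode, origins = []) {
  switch (mode) {
    case 'deny':
      return { 'X-Frame-Options': 'DENY',
               'Content-Security-Policy': "frame-ancestors 'none'" };
    case 'sameorigin':
      return { 'X-Frame-Options': 'SAMEORIGIN',
               'Content-Security-Policy': "frame-ancestors 'self'" };
    case 'allow': {
      if (origins.length === 0) throw new Error("mode 'allow' needs at least one origin");
      const sources = origins.map(normalizeOrigin).join(' ');
      return { 'X-Frame-Options': 'SAMEORIGIN',
               'Content-Security-Policy': `frame-ancestors 'self' ${sources}` };
    }
    default:
      throw new Error(`unknown framing mode: ${mode}`);
  }
}

// frame-ancestors wants host sources, not arbitrary URLs. Accept only
// http(s)://host[:port] so a stray path, query or scheme cannot widen the
// policy, and return the canonical origin (lower-cased, default port dropped).
function normalizeOrigin(value) {
  let url;
  try { url = new URL(value); } catch { throw new Error(`not a URL: ${value}`); }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error(`only http(s) origins may frame the site: ${value}`);
  }
  if (url.pathname !== '/' || url.search || url.hash || url.username || url.password) {
    throw new Error(`expected scheme://host[:port], got ${value}`);
  }
  return url.origin;
}

// Apply the headers to every response, the equivalent of a header() call at
// the top of each PHP page or a Header directive in the Apache config.
function createServer(mode, origins) {
  const http = require('http');
  const policy = framingHeaders(mode, origins);
  return http.createServer((req, res) => {
    for (const [name, value] of Object.entries(policy)) res.setHeader(name, value);
    res.setHeader('Content-Type', 'text/html; charset=utf-8');
    res.end('<!doctype html><title>framing policy demo</title><p>framed only where allowed</p>');
  });
}

// Run directly: only https://editor.example.com (made up) may frame the site.
if (typeof require !== 'undefined' && require.main === module) {
  const allowed = ['https://editor.example.com'];
  createServer('allow', allowed).listen(8080, () => {
    console.log('listening on http://localhost:8080 with', framingHeaders('allow', allowed));
  });
}
```

Verify with curl -I http://localhost:8080 and look for both headers; a browser that supports frame-ancestors will then let only https://editor.example.com and the site itself embed the page, while an older browser applies SAMEORIGIN.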

Implementing http2 push method on apache php

I have configured my website on HTTP/2, but even after reading so many articles I am unable to figure out a few parts of its implementation.
I have removed common.css from the header file of my website and added these lines to the .htaccess file:
<IfModule http2_module>
    # Check if there's a cookie saying the CSS has already been loaded:
    SetEnvIf Cookie "cssloaded=1" cssloaded
    # If no cookie, and it's a PHP page, then push the CSS file
    # and set a session-level cookie so next time it won't be pushed:
    <FilesMatch "\.[pP][hH][pP]$">
        Header add Link "</assets/css/common.css>;rel=preload;as=style" env=!cssloaded
        Header add Set-Cookie "cssloaded=1; Path=/; Secure; HttpOnly" env=!cssloaded
    </FilesMatch>
</IfModule>
But my website is not loading common.css at all; it's breaking. My website is behind an Apache server and is fully built on CodeIgniter.
I also added these to my common_head.php file:
<?php
// One Link header: comma-separated preload hints for the pushed stylesheets.
header('Link: </assets/css/jquery-ui.css>; rel=preload; as=style, </assets/css/jquery.mCustomScrollbar.min.css>; rel=preload; as=style, </assets/css/slick.min.css>; rel=preload; as=style, </assets/css/slick-theme.min.css>; rel=preload; as=style, </assets/css/bootstrap.min.css>; rel=preload; as=style, </assets/css/common.css>; rel=preload; as=style, </assets/css/jplayer.blue.monday.min.css>; rel=preload; as=style');
?>
Now I can see all the CSS files in Inspect Element, and I can also see the initiator as Push/Other, but they are not applied on the page. The page is broken.
Apache server: 2.4.6
Please let me know where I am going wrong.
That code looks familiar! Glad to know my blog post is proving useful :-)
"I have removed common.css from the header file of my website and added these lines to the .htaccess file."
That's where you went wrong. It needs to be referenced as normal in the HEAD and also pushed.
When the browser sees the common.css reference, it will go to fetch it, see that it's already been pushed and just use the pushed resource.
Without the reference, the server will push it but the browser will just ignore it.
Note that HTTP/2 Push is complicated and there are lots of things like this where you can go wrong. See this post for more info: https://jakearchibald.com/2017/h2-push-tougher-than-i-thought/. Many are saying that it's not worth using for the gains, and the gains are questionable anyway, as you can easily over-push and cause the page to load slower rather than faster.

X-Frame-Options not explicitly set to sameorigin, but Nginx blocking rendering page into iframe

I did not explicitly set X-Frame-Options to sameorigin anywhere in nginx, but nginx is blocking the HTML page from rendering inside an iframe. I tried specifying the domain in X-Frame-Options, but no luck. It gives several errors in the console, if that helps. I read through them and tried fixes, but they are not working.
https://preview.codecanyon.net/item/product-name/product-id
It previews my HTML page in an iframe.
The problem is not only about X-Frame-Options but also about Content-Security-Policy. Codecanyon sets a CSP header that prevents other sites from being framed in their site. Even if you allow all sites in your XFO header, they can block your site from displaying in their website with a CSP header.
But they are a marketplace, so they have to open a way for developers to include an iframe in their preview page. It seems they have not implemented a way for developers to provide frame-src for the preview page. So Codecanyon's CSP header is in report-only mode. Everything is running fine, although you see a lot of errors in the Chrome Developer Console.
By the way, you have a syntax error in your CSP header: unexpected punctuation at the start.
If it helps, I later figured out that setting frame-ancestors to that specific domain allowed that domain to show the page in an iframe. You can do that in the nginx config file.
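The answer above turns on how a browser combines X-Frame-Options with CSP frame-ancestors and on what report-only mode does, and the first answer on this page lists ALLOW-FROM as if browsers honoured it. As an added example that is not part of any answer here, the JavaScript below models the decision a browser makes for a framed response, given the response headers of the framed page and the origins of that page and of the embedding page: an enforced frame-ancestors directive takes precedence and X-Frame-Options is then ignored; frame-ancestors in a Content-Security-Policy-Report-Only header is not enforced (only a console violation is logged, which is what the poster saw); unrecognised X-Frame-Options values such as ALLOW-FROM are ignored; and several X-Frame-Options values that disagree are treated as DENY. The headers and origins in the embedded checks are constructed for the example, and the matcher implements the common frame-ancestors source expressions, not the whole CSP grammar.

```javascript
'use strict';

// Lower-case header names and split each value on commas, so repeated
// headers and "A, B" lists both become arrays of single values.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    const parts = (Array.isArray(value) ? value : [value])
      .flatMap(v => v.split(',')).map(v => v.trim()).filter(Boolean);
    out[key] = (out[key] || []).concat(parts);
  }
  return out;
}

// The frame-ancestors source list of every policy that carries one. Each
// policy is enforced on its own, so all of them must allow the embedder.
function frameAncestorLists(policies) {
  const lists = [];
  for (const policy of policies || []) {
    for (const directive of policy.split(';')) {
      const tokens = directive.trim().split(/\s+/);
      if (tokens[0].toLowerCase() === 'frame-ancestors') {
        lists.push(tokens.slice(1).map(t => t.toLowerCase()));
      }
    }
  }
  return lists;
}

// One source expression against the embedding origin: 'none', 'self', *,
// a bare scheme (https:) or [scheme://]host[:port] with an optional "*." host.
// Paths in host sources are not supported here.
function sourceMatches(src, page, emb) {
  if (src === "'none'") return false;
  if (src === "'self'") return emb.origin === page.origin;
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return emb.protocol === src;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const embScheme = emb.protocol.slice(0, -1);
  // A scheme-less source inherits the page's scheme; http also admits https.
  const wantScheme = scheme || page.protocol.slice(0, -1);
  if (embScheme !== wantScheme && !(wantScheme === 'http' && embScheme === 'https')) return false;
  if (wildcard ? !emb.hostname.endsWith('.' + host) : emb.hostname !== host) return false;
  // URL.port is '' on the scheme's default port, which is all a port-less source matches.
  if (port === undefined) return emb.port === '';
  if (port === '*') return true;
  return port === (emb.port || { 'https:': '443', 'http:': '80' }[emb.protocol]);
}

const allows = (list, page, emb) => list.some(src => sourceMatches(src, page, emb));

// X-Frame-Options on its own (no enforced frame-ancestors present).
function xfoDecision(values, page, emb) {
  if (!values || values.length === 0) {
    return { allowed: true, reason: 'no framing policy: any site may frame the page' };
  }
  const distinct = [...new Set(values.map(v => v.toUpperCase()))];
  if (distinct.length > 1) {
    return { allowed: false, reason: `conflicting X-Frame-Options values (${distinct.join(' / ')}) are treated as DENY` };
  }
  const v = distinct[0];
  if (v === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (v === 'SAMEORIGIN') {
    const same = emb.origin === page.origin;
    return { allowed: same, reason: `X-Frame-Options: SAMEORIGIN and the embedder is ${same ? 'the same' : 'a different'} origin` };
  }
  return { allowed: true, reason: `X-Frame-Options "${v}" is not a recognised value (ALLOW-FROM included) and is ignored` };
}

// Will a browser render pageOrigin's response inside a frame on embedderOrigin?
function canBeFramed(headers, pageOrigin, embedderOrigin) {
  const h = normalizeHeaders(headers);
  const page = new URL(pageOrigin);
  const emb = new URL(embedderOrigin);
  const enforced = frameAncestorLists(h['content-security-policy']);
  if (enforced.length > 0) {
    const ok = enforced.every(list => allows(list, page, emb));
    return { allowed: ok, reason: `CSP frame-ancestors ${ok ? 'allows' : 'blocks'} ${emb.origin}; X-Frame-Options is ignored` };
  }
  const result = xfoDecision(h['x-frame-options'], page, emb);
  const reportOnly = frameAncestorLists(h['content-security-policy-report-only']);
  if (reportOnly.length > 0 && !reportOnly.every(list => allows(list, page, emb))) {
    result.reason += '; a report-only frame-ancestors would block this, so the console shows a violation but the frame still renders';
  }
  return result;
}

// Constructed headers resembling the situation above: an ALLOW-FROM nobody
// honours, an allow-list that does work, and a report-only policy.
const sampleChecks = [
  canBeFramed({ 'X-Frame-Options': 'ALLOW-FROM https://preview.codecanyon.net' },
              'https://demo.example.net', 'https://preview.codecanyon.net'),
  canBeFramed({ 'X-Frame-Options': 'SAMEORIGIN',
                'Content-Security-Policy': "frame-ancestors 'self' https://preview.codecanyon.net" },
              'https://demo.example.net', 'https://preview.codecanyon.net'),
  canBeFramed({ 'Content-Security-Policy-Report-Only': "frame-ancestors 'none'" },
              'https://demo.example.net', 'https://preview.codecanyon.net'),
];
if (typeof require !== 'undefined' && require.main === module) console.log(sampleChecks);
```

The first check is allowed only because ALLOW-FROM is treated as garbage, not because it granted anything; the second is the working form of the poster's final fix (frame-ancestors naming the embedding domain); the third renders with a console violation, the behaviour the answer attributes to report-only mode.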

Editing a WordPress Header File

I am trying to make edits to my header, so I can add things such as:
X-Content-Type-Options: nosniff
The problem is that I can't find the header file to actually add that to.
The website I am working on is academyofperformancearts.com if that helps.
By the way, you could just install a plugin that adds the headers you need. For instance, Security Headers exposes controls for:
HSTS (Strict-Transport-Security)
HPKP (Public-Key-Pins)
Disabling content sniffing (X-Content-Type-Options)
XSS protection (X-XSS-Protection)
Clickjacking mitigation (X-Frame-Options in main site)

Fat-Free Framework, Wix, and X-Frame-Options

I have built a widget using the Fat-Free Framework for a client that should make their life easier, but they also requested that their website be created using Wix. I thought it would be easy to embed this F3 site within the Wix site using their embedding plugins (there are built-in and plug-in versions).
The problem is that, regardless of the answers I have received so far on SO and other sites, I still get an "X-Frame-Options is set to SAMEORIGIN" error. I have tried the following:
the header_remove() PHP command
the header('X-Frame-Options: GOFORIT') PHP command (GOFORIT stands for anything other than SAMEORIGIN and DENY)
adding &output=embed to the link (this didn't work with F3)
adding the following .htaccess code:
Header always append X-Frame-Options SAMEORIGIN
Header set Access-Control-Allow-Origin: "http://editor.wix.com"
Header set Access-Control-Allow-Origin: "http://www.wix.com"
I am afraid that the Wix embed plug-in will be a bit limited and I won't be able to change much on that end. Any ideas what to try next? Is there some configuration for F3 that will help with this problem, or am I using the PHP code wrong? Does anything need to be configured on the Wix site? Thanks for any help.
Try setting the XFRAME option for the framework:
$f3->set('XFRAME','GOFORIT');
https://github.com/bcosca/fatfree-core/blob/master/base.php#L2153
I didn't look into my .htaccess file. There was the line Header append X-FRAME-OPTIONS "SAMEORIGIN" in there, along with some allows for Wix. Simply removing the append line allowed it to be embedded.
