I have a multimedia site containing thousands of videos. I had to prevent "clickjacking" due to some problems I encountered.
The thing is, when I include the following header in my httpd.conf file, users cannot share my videos through social networks or applications.
Header always append X-Frame-Options SAMEORIGIN
I host the embed videos through https://example.org/embed/VIDEO-ID
Is it possible to disable X-Frame-Options SAMEORIGIN just for embed videos? If so, could you please explain it to me?
What I have tried so far:
I tried to remove header in /embed/ with PHP
I tried to unset the header in /embed/
On httpd I've done the following:
header always append X-Frame-Options SAMEORIGIN
On the /embed/ page I am doing the following:
header_remove("X-Frame-Options");
header('X-Frame-Options: GOFORIT');
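Added example (not configuration from the question): the exemption has to be made in Apache itself, because a header that mod_headers adds with the always condition lives in a table that PHP's header_remove() does not touch, and appending a second value only makes browsers see "SAMEORIGIN, GOFORIT", which they treat as a conflicting header and block. The block below keeps SAMEORIGIN as the site-wide default and removes it for the embed player only; the /embed/ path comes from the question, mod_headers is assumed to be loaded.

```apache
<IfModule mod_headers.c>
    # "always" puts the header on every response, error pages included.
    # "set" replaces an existing value; "append" would produce two values,
    # which browsers treat as DENY.
    Header always set X-Frame-Options "SAMEORIGIN"

    <Location "/embed/">
        # Remove the site-wide header for the embed player only. This has to be
        # done in Apache: PHP's header_remove() cannot reach a header that
        # mod_headers adds under "always".
        Header always unset X-Frame-Options
        # Current browsers honour CSP frame-ancestors instead of X-Frame-Options.
        # "*" lets any site embed the player; replace it with a list of origins
        # (e.g. "frame-ancestors 'self' https://partner.example") to restrict it.
        Header always set Content-Security-Policy "frame-ancestors *"
    </Location>
</IfModule>
```

Scoping the exception to /embed/ keeps clickjacking protection on every other page; the player endpoint itself should carry no authenticated, state-changing controls, since anything served there can be framed anywhere.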
Related
How can I set X-Frame-Options in my PHP code so that it will be there in all the web pages from my server? Basically, I am trying to avoid iframe loading of my web app.
Use the following in your PHP file which outputs the response to the client side.
header("X-Frame-Options: DENY");
DENY will fully block. You may also try the SAMEORIGIN option.
header("X-Frame-Options: SAMEORIGIN");
If you are using the Apache web server, you can also set it directly in httpd.conf.
<Directory />
...
Header always set X-Frame-Options "SAMEORIGIN"
</Directory>
The X-Frame-Options header prevents your site content from being embedded into other sites. Browsers allow other sites to open a web page in an iframe. It also secures your Apache web server from clickjacking attacks.
There are three options available to set with X-Frame-Options:
‘SAMEORIGIN’ – With this setting, you can embed pages on the same origin. For example, adding an iframe of a page to the site itself.
‘ALLOW-FROM uri’ – Use this setting to allow a specific origin (website/domain) to embed pages of your site in an iframe.
‘DENY’ – This will not allow any website to embed your site pages in an iframe.
There are two ways to set up X-Frame-Options:
1. with Apache Configuration
2. with .htaccess
With Apache configuration:
Debian based systems: /etc/apache2/conf-enabled/security.conf
Redhat based systems: /etc/httpd/conf/httpd.conf
# Allow for same origin (default action)
Header set X-Frame-Options: "SAMEORIGIN"
# Allow from a specific origin
Header set X-Frame-Options: "ALLOW-FROM http://example.com/"
# Deny to everyone
Header set X-Frame-Options: "DENY"
With .htaccess:
Header append X-Frame-Options: "SAMEORIGIN"
I did not explicitly set X-Frame-Options to SAMEORIGIN anywhere in nginx, but nginx is blocking the HTML page rendered inside an iframe. I tried specifying the domain in X-Frame-Options but had no luck. It is giving several errors in the console, if that helps. I read through them and tried fixes, but they are not working.
https://preview.codecanyon.net/item/product-name/product-id
It previews my HTML page in an iframe.
The problem is not only about X-Frame-Options but also Content-Security-Policy. Codecanyon sets a CSP header that prevents other sites from being framed in their site. Even if you allow all sites in your XFO header, they can block your site from displaying in their website with a CSP header.
But they are a marketplace; they have to offer developers a way to include an iframe in their preview page. It seems they have not implemented a way for developers to provide frame-src in the preview page, so Codecanyon's CSP header is in report-only mode. Everything runs fine, although you see a lot of errors in the Chrome Developer Console.
By the way, you have a syntax error in your CSP header: unexpected punctuation at the start.
If it helps, I later figured out that setting frame-ancestors to that specific domain allowed that domain to show the page in an iframe. You can do that in the nginx config file.
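Added example (not the answerer's configuration): what that nginx setting looks like, using the preview origin named in the question; the server_name is a placeholder. It also shows the inheritance gotcha that most often makes such a header "disappear" in nginx.

```nginx
server {
    listen 443 ssl;
    server_name app.example;   # placeholder

    # Only this site itself and the preview host may frame these pages.
    # "always" sends the header on error responses (404, 500) as well.
    add_header Content-Security-Policy "frame-ancestors 'self' https://preview.codecanyon.net" always;

    location /static/ {
        # Gotcha: an add_header at this level discards every add_header
        # inherited from the server level for this location, so the
        # frame-ancestors header must be repeated here once any other
        # header is added in the block.
        add_header Cache-Control "public, max-age=3600";
        add_header Content-Security-Policy "frame-ancestors 'self' https://preview.codecanyon.net" always;
    }
}
```

After reloading, confirm the header is present on a normal page and on a 404 from the same host; a location block that adds its own headers without repeating the policy is the usual reason one URL is frameable and another is not.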
I found 3 websites that are iframing my website. At first I thought they had just copied my theme and were scraping my content. But when I edit my homepage, their homepage also changes automatically.
How can I prevent them from iframing my website? They are using up my server resources and ranking on Google as well.
What I did so far (to some extent it hindered them from showing my website):
I enabled "Under Attack Mode" on cloudflare which is showing "Checking your browser" repeatedly (https://imgur.com/a/6TpyLyU).
Although there are some iframe-buster scripts, you'll be better off adding the X-Frame-Options header to your responses:
X-Frame-Options: deny
X-Frame-Options: sameorigin
X-Frame-Options: allow-from https://example.com/
When the browser sees these headers, it will stop loading your website if it was requested from an iframe.
Update
After a better explanation of the problem, this problem can be solved by adding a JavaScript redirect.
// Frame-busting fallback: when this document is not the top-level window,
// send the top-level window to the original site. Reading
// window.top.location cross-origin throws, so only the identity check is used.
if (window.top !== window.self) {
    window.top.location.href = "http://original-website.com";
}
I have built a widget using the Fat-Free Framework for a client that should make their life easier, but they also requested that their website is created using Wix. I thought it would be easy to embed this F3 site within the Wix site using their embedding plugins (there are built-in and plug-in versions).
The problem is that regardless of the answers I have received so far on SO and other sites, I still get an X-Frame-Options is set to SAMEORIGIN error. I have tried the following:
header_remove() PHP command
header('X-Frame-Options: GOFORIT') PHP command (GOFORIT is for anything but SAMEORIGIN and DENY)
adding &output=embed to the link (this didn't work with F3)
adding the following .htaccess code:
Header always append X-Frame-Options SAMEORIGIN
Header set Access-Control-Allow-Origin: "http://editor.wix.com"
Header set Access-Control-Allow-Origin: "http://www.wix.com"
I am afraid that the Wix embed plug-in will be a bit limited and I won't be able to change much on that end. Any ideas what to try next? Is there some configuration for F3 that will help this problem or am I using the PHP code wrong? Does anything need to be configured on the Wix site? Thanks for any help.
Try setting the XFRAME option for the framework:
$f3->set('XFRAME','GOFORIT');
https://github.com/bcosca/fatfree-core/blob/master/base.php#L2153
I didn't look into my .htaccess file. There was the line Header append X-FRAME-OPTIONS "SAMEORIGIN" in there along with some allows for Wix. Simply removing the append line allowed it to be embedded.
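The threads above (the PHP override with GOFORIT, the ALLOW-FROM value, Codecanyon's report-only CSP, and the frame-ancestors fix) all come down to how a browser combines these headers. As an added example, not code from any of the posts, the following Python models that decision: the X-Frame-Options part follows the check algorithm in the HTML Standard (conflicting values are treated as DENY, unrecognised values such as ALLOW-FROM or GOFORIT impose no restriction, and an enforced CSP frame-ancestors directive takes precedence), and the frame-ancestors part is a simplified CSP3 source match that ignores ports and paths. Function names and the sample header sets are constructed for this example.

```python
"""Added example (not code from the thread): decide whether a browser would let a
response render inside a frame, following the X-Frame-Options check from the HTML
Standard plus a simplified CSP3 frame-ancestors matcher. All names and sample
headers below are constructed for the example."""
from urllib.parse import urlsplit


def _origin(url):
    """Reduce a URL to its origin: scheme://host[:port], lowercased."""
    p = urlsplit(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme.lower()}://{p.hostname}{port}"


def _header_values(headers, name):
    """Every value of a header, across repeated instances and comma-separated
    lists, the way browsers 'get, decode, and split' a header list."""
    out = []
    for key, value in headers:
        if key.lower() == name.lower():
            out.extend(part.strip() for part in value.split(",") if part.strip())
    return out


def _source_matches(src, ancestor_url, page_origin):
    """Simplified CSP3 source matching: 'self', '*', scheme sources ("https:") and
    host sources with an optional "*." wildcard; ports and paths are ignored."""
    src = src.lower()
    parts = urlsplit(ancestor_url)
    if src == "'self'":
        return _origin(ancestor_url) == page_origin
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:          # scheme-source
        return parts.scheme == src[:-1]
    scheme, sep, host = src.partition("://")
    if sep and scheme != parts.scheme:                # explicit scheme must match
        return False
    host = (host if sep else src).split("/", 1)[0].split(":", 1)[0]
    if host.startswith("*."):
        return parts.hostname.endswith(host[1:])
    return parts.hostname == host


def framing_allowed(headers, page_url, ancestor_urls):
    """Return (allowed, reason). headers: list of (name, value) pairs as sent on
    the wire; ancestor_urls: URLs of every framing document, innermost first."""
    if not ancestor_urls:
        return True, "top-level navigation, framing rules do not apply"
    page_origin = _origin(page_url)
    # 1. An enforced CSP with frame-ancestors decides and X-Frame-Options is
    #    ignored. Content-Security-Policy-Report-Only never blocks anything.
    for policy in _header_values(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                sources = tokens[1:]
                if [s.lower() for s in sources] == ["'none'"]:
                    return False, "CSP frame-ancestors 'none'"
                for anc in ancestor_urls:
                    if not any(_source_matches(s, anc, page_origin) for s in sources):
                        return False, f"CSP frame-ancestors does not list {_origin(anc)}"
                return True, "CSP frame-ancestors allows every ancestor"
    # 2. X-Frame-Options, following the HTML Standard's check.
    values = {v.lower() for v in _header_values(headers, "X-Frame-Options")}
    if not values:
        return True, "no framing restriction sent"
    if len(values) > 1:
        if values & {"deny", "allowall", "sameorigin"}:
            return False, f"conflicting values {sorted(values)} are treated as DENY"
        return True, f"unrecognised values {sorted(values)} are ignored"
    (value,) = values
    if value == "deny":
        return False, "X-Frame-Options: DENY"
    if value == "sameorigin":
        for anc in ancestor_urls:
            if _origin(anc) != page_origin:
                return False, f"SAMEORIGIN blocks cross-origin ancestor {_origin(anc)}"
        return True, "SAMEORIGIN and every ancestor is same-origin"
    # ALLOW-FROM, GOFORIT and anything else are not recognised values, so the
    # header imposes no restriction at all in current browsers.
    return True, f"unrecognised value {value!r} is ignored"


if __name__ == "__main__":
    page, social = "https://example.org/embed/VIDEO-ID", "https://social.example/"
    samples = {  # constructed header sets, not captured from any real server
        "SAMEORIGIN from Apache plus GOFORIT from PHP":
            [("X-Frame-Options", "SAMEORIGIN"), ("X-Frame-Options", "GOFORIT")],
        "ALLOW-FROM (unsupported by current browsers)":
            [("X-Frame-Options", "ALLOW-FROM https://social.example/")],
        "enforced frame-ancestors overrides XFO":
            [("X-Frame-Options", "SAMEORIGIN"),
             ("Content-Security-Policy", "frame-ancestors 'self' https://social.example")],
    }
    for label, hdrs in samples.items():
        print(f"{label}: {framing_allowed(hdrs, page, [social])}")
```

Run stand-alone it prints the three outcomes that explain the threads: the SAMEORIGIN header appended by Apache plus the GOFORIT value from PHP is blocked (two values, one of them SAMEORIGIN, count as DENY); ALLOW-FROM on its own allows framing from anywhere, because current browsers do not recognise it; and an enforced frame-ancestors directive, not a report-only one, is what makes a cross-origin preview page work despite SAMEORIGIN.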
I'm using a security scanning tool to check for vulnerabilities in my web application.
One of the results was a low-severity warning about the X-Content-Type-Options header being missing.
After some digging around, I found this post on setting Apache to emit nosniff headers, and I put this code into the httpd.conf file:
<IfModule mod_headers.c>
Header unset ETag
Header set X-Frame-Options: deny
Header set X-XSS-Protection: "1; mode=block"
Header set X-Content-Type-Options: nosniff
Header set X-WebKit-CSP: "default-src 'self'"
Header set X-Permitted-Cross-Domain-Policies: "master-only"
</IfModule>
And it worked! But then my security scanning tool discovered that the 404 Not Found page on my web server was still giving me this warning. I'm guessing that the 404 error page is set to ignore the above rule somehow.
Can someone explain to me how to change this code or suggest an alternative so that error pages are included?
Could someone also maybe explain what the code above is doing? I don't actually know what IfModule or mod_headers.c means. Maybe that's why I'm having trouble in the first place.
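Added example (not the asker's configuration): the same block rewritten so that the headers reach Apache's own error pages as well, with a comment on what each directive does. It assumes Apache 2.4 with mod_headers loaded (on Debian/Ubuntu: a2enmod headers).

```apache
# <IfModule> applies the enclosed directives only when the named module is
# loaded. mod_headers is the module that provides the "Header" directive;
# without this guard Apache would refuse to start on an unknown directive
# if the module were missing.
<IfModule mod_headers.c>
    Header unset ETag
    # Plain "Header set" works on the table of headers that Apache does not
    # use for its own locally generated error responses, which is why the
    # built-in 404 page was still missing these headers. The "always"
    # condition applies the directive to every response, error pages included.
    Header always set X-Frame-Options "DENY"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-WebKit-CSP "default-src 'self'"
    Header always set X-Permitted-Cross-Domain-Policies "master-only"
</IfModule>
```

After a reload, request a URL that does not exist and check that the 404 response carries the headers too; that is the check the scanner was performing. X-WebKit-CSP and X-XSS-Protection are legacy headers that current browsers no longer act on; the standard Content-Security-Policy header is the one they read, so a policy intended to be enforced today belongs there.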