X-Frame-Options header not set
X-Frame-Options header not set (Clickjacking: X-Frame-Options header missing)
Severity: low
Type: Configuration
CWE: CWE-693: Protection Mechanism Failure
Description
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
The server didn't return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.
Impact
The impact depends on the affected web application.
Recommendation
Configure your web server to include an X-Frame-Options header. Consult the references below for more information about the possible values for this header.
References
The X-Frame-Options response header
Clickjacking
OWASP Clickjacking
Defending with Content Security Policy frame-ancestors directive
Frame Buster Buster
Affected items
1. Impact target: Web Server
details:
No details are available.
request:
GET / HTTP/1.1
Host: demo.53bk.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
response:
HTTP/1.1 200 OK
Server: Tengine
Date: Thu, 18 May 2017 09:12:19 GMT
Content-Type: text/html; charset=gb2312
Content-Length: 16477
Cache-Control: public, max-age=561
Expires: Thu, 18 May 2017 09:21:40 GMT
Last-Modified: Thu, 18 May 2017 07:20:00 GMT
X-AspNetMvc-Version: 2.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
To prevent important pages from being loaded inside frames on other sites, add an X-Frame-Options response header to the page:
ASP
<%
response.AddHeader "X-Frame-Options","Deny"
%>
ASP.NET
Response.AddHeader("X-Frame-Options", "Deny");
PHP
header('X-Frame-Options:Deny');
The X-Frame-Options response header accepts the following values:
DENY: the browser refuses to render the current page inside any frame.
SAMEORIGIN: the page may only be framed by pages from the same origin.
ALLOW-FROM origin: only the given origin may frame the page (this value is obsolete and ignored by current browsers; the Content-Security-Policy frame-ancestors directive listed in the references is the supported way to allow specific origins).
If you are certain that no page of the whole site should ever be framed, you can configure the web server itself to add the X-Frame-Options response header. In IIS, add an HTTP response header as shown in the figure below:
HTTP header name: X-Frame-Options
HTTP header value: SAMEORIGIN
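To verify the fix after deploying one of the settings above, it helps to check the raw response the way the scanner does. The following Python script is an added example and is not part of the report or the scanner: it parses a raw HTTP response, reads X-Frame-Options and the Content-Security-Policy frame-ancestors directive, and reports whether a browser will refuse cross-site framing. The sample responses are constructed (modelled on the Tengine response captured above, with the body omitted) and the host names and helper names are placeholders.

```python
"""Check a raw HTTP response for clickjacking protection.

Added example: the sample responses below are constructed for the demo
and do not come from the scanned site.
"""
import re
from typing import Dict, List, Optional


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Split a raw HTTP/1.1 response into a {lower-case name: value} dict.

    Only the status line and header block are parsed; anything after the
    first blank line (the body) is ignored. Repeated names keep the last value.
    """
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    lines = head.splitlines()
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed header lines rather than fail
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def frame_ancestors(csp: Optional[str]) -> Optional[List[str]]:
    """Return the source list of the CSP frame-ancestors directive, or None."""
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def check_frame_protection(raw_response: str) -> Dict[str, object]:
    """Classify the clickjacking protection of one response.

    Returns protected (bool), xfo (normalised X-Frame-Options value or None),
    csp_frame_ancestors (list or None) and a short finding string.
    """
    headers = parse_headers(raw_response)
    xfo_raw = headers.get("x-frame-options")
    xfo = xfo_raw.upper() if xfo_raw else None
    fa = frame_ancestors(headers.get("content-security-policy"))
    result: Dict[str, object] = {"xfo": xfo, "csp_frame_ancestors": fa}

    if fa is not None:
        # Browsers that support frame-ancestors give it precedence over
        # X-Frame-Options; a wildcard or bare scheme source allows any origin.
        wildcard = any(src in ("*", "http:", "https:") for src in fa)
        result["protected"] = not wildcard
        result["finding"] = ("CSP frame-ancestors allows any origin" if wildcard
                             else "protected by CSP frame-ancestors")
    elif xfo is None:
        result["protected"] = False
        result["finding"] = "X-Frame-Options header missing"
    elif xfo in ("DENY", "SAMEORIGIN"):
        result["protected"] = True
        result["finding"] = f"protected by X-Frame-Options {xfo}"
    elif xfo.startswith("ALLOW-FROM"):
        # Obsolete value: current browsers ignore it, leaving the page framable.
        result["protected"] = False
        result["finding"] = "X-Frame-Options ALLOW-FROM is obsolete and ignored"
    else:
        # An unrecognised value makes browsers ignore the header entirely.
        result["protected"] = False
        result["finding"] = f"unrecognised X-Frame-Options value {xfo_raw!r}"
    return result


# Constructed sample responses (placeholder host, body omitted).
MISSING_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Tengine\r\n"
    "Date: Thu, 18 May 2017 09:12:19 GMT\r\n"
    "Content-Type: text/html; charset=gb2312\r\n"
    "Content-Length: 0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "\r\n"
)
HARDENED_RESPONSE = MISSING_RESPONSE.replace(
    "X-Powered-By: ASP.NET\r\n", "X-Powered-By: ASP.NET\r\nX-Frame-Options: SAMEORIGIN\r\n")
CSP_RESPONSE = MISSING_RESPONSE.replace(
    "X-Powered-By: ASP.NET\r\n",
    "X-Powered-By: ASP.NET\r\nContent-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n")

if __name__ == "__main__":
    for name, resp in (("missing", MISSING_RESPONSE), ("hardened", HARDENED_RESPONSE),
                       ("csp", CSP_RESPONSE)):
        print(name, check_frame_protection(resp)["finding"])
```

The same check can be pointed at a live response captured with any HTTP client; because frame-ancestors is evaluated first, a site that has moved to CSP is reported as protected even when it never sets X-Frame-Options.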