Question
My project has ExtJS as the front end and Spring Boot as the backend. ExtJS calls Spring Boot, which responds with JSON. I wanted to prevent clickjacking
attacks in my project. I have a simple HTML script, which just loads the website in an iframe. If the website is loaded within the iframe, it means it is not secure. I have added the following headers, X-Frame-Options: DENY and Content-Security-Policy: frame-ancestors 'none';
in the Spring Boot REST API response to prevent that. But even then, it does not prevent my application from being loaded in an iframe.
The code to check if clickjacking is possible is:
<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website is vulnerable to clickjacking!</p>
<iframe src="http://localhost:8000" width="1000" height="1000"></iframe>
</body>
</html>
Here, localhost:8000
refers to the ExtJS URL. I researched and found out that client-side validations to prevent clickjacking are not that effective. So are there any options to prevent clickjacking attacks in my project?
Answer 1:
Use the 'DENY' option to prevent all framing, or 'SAMEORIGIN' to only allow framing by the origin domain if required for application functionality.
Legacy browsers may not support the X-Frame-Options header and require JavaScript-based protection against clickjacking. Information about JavaScript-based protection can be found at https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Shee
Answer 2:
X-Frame-Options: DENY should do the trick if it is present in the response header. It won't allow the site to load into an iframe under default browser settings. If you have changed the browser settings or have a plugin that disables iframe options, then it won't work. You can try using another browser or incognito mode.
Answer 3:
The issue was resolved by setting Header always append X-Frame-Options DENY
in the Apache server conf file.
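The thread's resolution is that the anti-framing headers must be on the response that delivers the framed document (the ExtJS page from the Apache server on localhost:8000), not on the JSON responses from the Spring Boot API. The following added checker (not code from the question or answers) evaluates a response's headers for X-Frame-Options and CSP frame-ancestors; the two header sets below are constructed to mirror the situation in the question, and check_url fetches a page over plain HTTP to run the same evaluation on a live document response.

```python
"""Check whether an HTTP response's headers forbid framing (clickjacking defense)."""
import http.client
from urllib.parse import urlparse


def framing_blocked(headers: dict) -> dict:
    """Return per-mechanism verdicts for the given response headers.

    Header names are matched case-insensitively. X-Frame-Options counts when it is
    DENY or SAMEORIGIN; CSP counts when frame-ancestors lists only 'none'/'self'.
    """
    h = {k.lower(): v for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").strip().upper()
    xfo_ok = xfo in ("DENY", "SAMEORIGIN")

    csp_ok = False
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            # Any source other than 'none' or 'self' permits a third-party frame.
            csp_ok = bool(sources) and all(s in ("none", "self") for s in sources)
    return {"x_frame_options": xfo_ok, "frame_ancestors": csp_ok,
            "protected": xfo_ok or csp_ok}


def check_url(url: str, timeout: float = 5.0) -> dict:
    """Fetch the document at url (http:// only) and evaluate its headers."""
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    conn.request("GET", u.path or "/")
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    conn.close()
    return framing_blocked(headers)


# Constructed headers modelled on the question: the JSON API carries the
# protections, but the ExtJS page that the iframe actually loads does not.
API_RESPONSE_HEADERS = {
    "Content-Type": "application/json",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}
FRONTEND_PAGE_HEADERS = {"Content-Type": "text/html", "Server": "Apache"}

if __name__ == "__main__":
    print("API response:", framing_blocked(API_RESPONSE_HEADERS))
    print("ExtJS page  :", framing_blocked(FRONTEND_PAGE_HEADERS))
```

Only the second verdict matters for the iframe test in the question, since the browser enforces framing restrictions on the headers of the document it embeds.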
Source: https://stackoverflow.com/questions/59610943/x-frame-options-deny-is-not-working-for-spring-boot-rest-api