Set X-Frame-Options to Ward Off Clickjackers
JavaScript framekillers (aka framebusters) are simple scripts that you can add to web pages to prevent your site's pages from being framed by another site. Clickjacking takes this framing technique a step further by tricking users into performing actions they never intended. With release candidate 1 of Internet Explorer 8, Microsoft introduced a combined browser/web server technique for guarding against clickjacking that relies on a new HTTP response header called 'X-Frame-Options'. Although it only works with IE8 (and not earlier versions of Internet Explorer), it does address problems in IE that render 'traditional' JavaScript framekillers useless.
X-Frame-Options can be set to one of two values: "DENY", which prevents any kind of framing, and "SAMEORIGIN", which prevents any kind of framing except from the same origin (the site hosting the framed page).
If you want to set this up on your Apache server, add the following line somewhere in your httpd.conf (or in one of your included configuration files). The Header directive needs mod_headers to be loaded.

# "set" replaces any existing X-Frame-Options header instead of appending a second value to it
Header always set X-Frame-Options SAMEORIGIN
If you're using a BIG-IP load balancer, you can create an iRule that sets this response header as well. The iRule is really simple:

when HTTP_RESPONSE {
    # Pick one value: DENY or SAMEORIGIN. Only add the header if the server didn't already send one.
    if { not [HTTP::header exists "X-Frame-Options"] } {
        HTTP::header insert "X-Frame-Options" "SAMEORIGIN"
    }
}
Setting it up under IIS is easy, too. Simply open up the Internet Service Manager, click the HTTP Headers tab, then click the Add... button in the Custom Headers section. In the text box for Custom Header Name enter "X-Frame-Options" and in the Custom Header Value enter "DENY" or "SAMEORIGIN".

This solution looks promising. Apple Safari 4, IE8, and Google Chrome 2 already support the X-Frame-Options response header, and hopefully Firefox will have native support soon as well. Browsers that don't support the header will ignore it. Until then, some combination of JavaScript framebusting and setting this header is still necessary.
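Whichever of the three setups above you use, it pays to verify what the server actually sends, because a header that is present but malformed gives no reliable protection. The following is an added example, not code from the original post or from any of the products mentioned: a small Python checker that parses the header block of a captured HTTP response and classifies the X-Frame-Options header as deny, sameorigin, missing or invalid. Values are compared case-insensitively, and a header carrying more than one value (the result of appending instead of setting it, or of two layers each adding their own header) is reported as invalid because it is not one of the two defined tokens. The sample responses are constructed for the example, not captured from any real server.

```python
"""Audit the X-Frame-Options header on a captured HTTP response (added example)."""
from typing import List, Tuple

# The two values the header defines.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def parse_headers(raw_response: str) -> List[Tuple[str, str]]:
    """Split the header block of a raw HTTP response into (name, value) pairs.

    Repeated headers are kept as separate pairs so that a duplicated
    X-Frame-Options header can be detected rather than silently merged.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    pairs = []
    for line in lines[1:]:  # lines[0] is the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs


def check_xfo(headers: List[Tuple[str, str]]) -> str:
    """Classify framing protection as 'deny', 'sameorigin', 'missing' or 'invalid'."""
    values = [v for n, v in headers if n.lower() == "x-frame-options"]
    if not values:
        return "missing"
    if len(values) != 1:
        # Two separate X-Frame-Options headers: not a single defined value.
        return "invalid"
    # "Header always append" on Apache yields e.g. "DENY, SAMEORIGIN" in one header.
    tokens = [t.strip().upper() for t in values[0].split(",")]
    if len(tokens) != 1 or tokens[0] not in VALID_XFO:
        return "invalid"
    return tokens[0].lower()


# Constructed sample responses for the example (not captured from a real server).
SAMPLE_OK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html></html>"
)
SAMPLE_APPENDED = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: DENY, SAMEORIGIN\r\n"
    "\r\n"
)
SAMPLE_MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("ok", SAMPLE_OK), ("appended", SAMPLE_APPENDED), ("missing", SAMPLE_MISSING)]:
        print(label, check_xfo(parse_headers(raw)))
```

Feed `parse_headers` the raw output of a tool that shows response headers (for example the output of an HTTP client run against your own site) and treat anything other than "deny" or "sameorigin" as a configuration error to fix on the server or load balancer.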