While researching an issue in which I was trying to prevent our login page from being displayed inside an iframe, I found a great StackOverflow question. The first answer was interesting, but the second was awesome!
Turns out you can prevent anybody using a modern browser from seeing your page in an iframe by using the X-Frame-Options header. Eric Lawrence details the various options here; for us the perfect version would be X-Frame-Options:SAMEORIGIN.
I still needed the frame-busting JavaScript for our issue (the login page was showing on a session timeout) but this header is my new best friend.
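As an added example (not code from the original post), here is the combination the post ends up with in one place: a helper that applies X-Frame-Options to a Node-style response object (anything with a setHeader method, such as http.ServerResponse or an Express res), alongside the frame-busting guard that is still wanted as a fallback. The helper also emits the Content-Security-Policy frame-ancestors directive, the modern counterpart of X-Frame-Options, so both old and new browsers get the same answer. The function names, the fake window objects and the "app.example" URLs are assumptions made for the example.

```javascript
// Added example, not from the original post.
// Server side: X-Frame-Options (plus its CSP equivalent) on a response.
// Client side: the frame-busting check, written against a window-like
// object so it can be exercised outside a browser.

// The two X-Frame-Options values that modern browsers honour consistently.
const FRAME_OPTIONS = new Set(['DENY', 'SAMEORIGIN']);

// Header name/value pairs for a page that must not be framed by other
// origins. SAMEORIGIN (the post's choice for its login page) still lets the
// site frame its own pages; DENY forbids framing entirely.
function antiFramingHeaders(policy = 'SAMEORIGIN') {
  if (!FRAME_OPTIONS.has(policy)) {
    throw new Error(`unsupported X-Frame-Options value: ${policy}`);
  }
  return {
    'X-Frame-Options': policy,
    // CSP frame-ancestors: 'self' mirrors SAMEORIGIN, 'none' mirrors DENY.
    'Content-Security-Policy':
      policy === 'DENY' ? "frame-ancestors 'none'" : "frame-ancestors 'self'",
  };
}

// Apply the headers to any response object exposing setHeader(name, value)
// (Node's http.ServerResponse, Express res, ...). Returns the headers set.
function applyAntiFraming(res, policy = 'SAMEORIGIN') {
  const headers = antiFramingHeaders(policy);
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  return headers;
}

// Client-side fallback for the session-timeout case: if this page is not the
// top-level document, navigate the top window to it. Returns true when the
// page was framed and action was taken, false when nothing needed doing.
// The header above is the real control; a script like this is only a
// fallback for responses or browsers that lack it.
function bustFrameIfFramed(win) {
  if (win.top === win.self) {
    return false; // not framed
  }
  try {
    win.top.location.href = win.self.location.href;
  } catch (e) {
    // A cross-origin top window may reject the assignment; at least make
    // sure nothing useful is rendered inside the frame.
    if (win.document && win.document.body) {
      win.document.body.style.display = 'none';
    }
  }
  return true;
}

// In a browser page this is the only call needed:
// bustFrameIfFramed(window);
```

In a real handler, call applyAntiFraming(res) before writing the body on every response that renders the login page, including the one produced by a session timeout, since that was the case where the page was being rendered inside a frame in the first place.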