Thursday, May 3, 2012

Deny IFrames with X-Frame-Options

While researching an issue in which I was trying to prevent our login page from being displayed inside an iframe, I found a great StackOverflow question. The first answer was interesting, but the second was awesome!

It turns out you can stop any modern browser from rendering your page inside an iframe by sending the X-Frame-Options response header. Eric Lawrence details the various options here; for us the right value is X-Frame-Options: SAMEORIGIN, which lets the page be framed only by pages from the same origin (DENY refuses framing entirely). Two things to keep in mind: the check is enforced by the browser, not the server, so a browser that does not understand the header will frame the page anyway; and it is a per-response header, so it has to be sent on every response you want protected, not just the login page itself.

I still needed the frame-busting JavaScript for our issue (the login page was showing on a session timeout), but this header is my new best friend.
