Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Adding the X-Frame-Options DENY to the response header helps protect against malicious framing of the web page and as a solution it’s certainly better that client-side JavaScript solutions.
But just how useful is it? Is is supported by all (modern) browsers and can it be bypassed by hackers intent on hijacking your site?
EricLaw’s page maintains a list of supporting browsers.
Current verions of the major desktop browsers all support it; older versions and niche and some mobile browsers don’t. So you will probably want to include an anti-framing
<script>as well, to settop.location(and remove the page content first in case of anti-frame-busting; see this question for why).You might prefer the script approach to
X-Frame-Optionswhen you want to selectively allow framing.X-Frame-Optionsdoes not permit ‘whitelisting’, so you can’t eg allow Google Images traffic but not others.Either way, IE6-7 will still allow attackers to frame your page and disable the frame-buster. Unfortunately the questionable
<iframe security>attribute existed beforeX-Frame-Options. You could try adding<base target="_top">to try to make any navigation break out traditional framing (or just not work, in the presence of anti-frame-busters), but this can’t help you against invisible-iframe-overlay attacks.