This page is exposed to "clickjacking" type attacks
Keep malicious people from integrating your pages into their websites.
Clickjacking explained
This kind of attack happens when your page gets integrated into a malicious website via <frame> or <iframe> tags. By doing this, attackers can persuade users that they are on your own page when they are not. The unsuspecting user may enter personal information that is then visible to, and thus exposed to, the malicious website.
To avoid this, always indicate which domains have permission to integrate your pages.
How to prevent clickjacking?
There are two main ways to prevent this behavior.
1/ Configure an "X-Frame-Options" HTTP header. Configure your server so the main resource response includes the "X-Frame-Options" HTTP header.
Three values may be defined:
DENY: to prevent any frame or iframe from integrating the page;
SAMEORIGIN: to authorize only frames from the same domain name;
ALLOW-FROM uri: to indicate the domains allowed to integrate the page into a frame (however, it is not compatible with some browsers).
2/ Define an explicit frame-ancestors directive in a Content-Security-Policy HTTP header. The "frame-ancestors" directive is a newer approach (hence supported by fewer browsers) that lets your website authorize multiple domains instead of only the current origin. Setting this directive to 'none' is equivalent to X-Frame-Options: DENY.
Which approach to choose? If you only have the current domain to allow, set up both security features, for better compatibility with older browsers. If you want to allow multiple domains, you should only implement the frame-ancestors security policy.
Neither the "X-Frame-Options" HTTP header nor the "frame-ancestors" security policy is configured on this page; you are therefore more likely to be exposed to clickjacking.
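The two functions below are an added example (not part of the original audit page): the first applies the audit rule above to a response's headers and says whether the page may be framed, the second produces the headers the page recommends for a given list of allowed origins. All header values are constructed samples.

```python
"""Audit and recommend anti-clickjacking headers (X-Frame-Options, CSP frame-ancestors)."""
from typing import Dict, List, Optional


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def assess_framing_protection(headers: Dict[str, str]) -> str:
    """Classify a response as 'blocked', 'same-origin', 'allow-list' or 'exposed'.

    Header names are matched case-insensitively. A frame-ancestors directive
    takes precedence (browsers that support it ignore X-Frame-Options);
    X-Frame-Options is the fallback for older browsers.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    ancestors = parse_frame_ancestors(lowered.get("content-security-policy", ""))
    if ancestors is not None:
        if ancestors == ["'none'"]:
            return "blocked"
        if ancestors == ["'self'"]:
            return "same-origin"
        return "allow-list"
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    if xfo.startswith("ALLOW-FROM"):
        return "allow-list"  # deprecated form, ignored by several browsers
    return "exposed"  # neither mechanism present: the page's own finding


def recommended_headers(allowed_origins: List[str]) -> Dict[str, str]:
    """Headers to set, following the page's guidance: both headers when nobody or
    only the current origin may frame the page, CSP alone for several origins."""
    if not allowed_origins:
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    if allowed_origins == ["'self'"]:
        return {"X-Frame-Options": "SAMEORIGIN",
                "Content-Security-Policy": "frame-ancestors 'self'"}
    # ALLOW-FROM is not reliably supported, so rely on frame-ancestors only
    return {"Content-Security-Policy": "frame-ancestors " + " ".join(allowed_origins)}
```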