Clickjacking Protection

From GeeklogWiki

Revision as of 15:51, 14 June 2009

What is it?

The term Clickjacking describes a malicious technique where a user is fooled into clicking what appears to be a harmless button or link on a page, while they are actually triggering some other action (see the Wikipedia article for details).


Protection

Clickjacking depends on the use of frames. Therefore, one option to protect your website from being used in clickjacking attempts is to use a JavaScript "frame killer" script.
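The "frame killer" idea in the paragraph above, as an added example written for this page (it is not code from Geeklog or from the wiki). The check compares the page's own window with the top-level window; it is split into functions that take a window-like object, so it can also be exercised outside a browser with constructed objects. The names `isFramed` and `bustFrame` are this example's own.

```javascript
// Added example (not Geeklog's code): a minimal JavaScript "frame killer".
// The functions take a window-like object so the logic can be run and
// tested outside a browser with constructed objects.

// True when the page is not the top-level browsing context,
// i.e. it has been loaded inside a frame.
function isFramed(win) {
  return win.top !== win.self;
}

// If the page is framed, navigate the top-level window to this page's own
// URL so the page is displayed on its own, outside any frame.
// Returns true when the redirect was issued, false when nothing was needed.
function bustFrame(win) {
  if (!isFramed(win)) {
    return false;
  }
  win.top.location = win.self.location;
  return true;
}

// Run automatically when loaded in a browser; `window` is undefined in Node.
if (typeof window !== 'undefined') {
  bustFrame(window);
}
```

Because this runs inside the framed page, it only takes effect where the page's own JavaScript executes; the header-based option described next is enforced by the browser before the page is rendered.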

Another option depends on support by the web browser. The browser looks for an HTTP header, X-FRAME-OPTIONS. When present, this header indicates that the website in question does not want to be displayed inside a frame. If the browser then finds that the page is being framed, it refuses to display it, thereby protecting the visitor from being fooled.

The X-FRAME-OPTIONS header was introduced by Microsoft and has been honored since Internet Explorer 8. At the time of this writing, Safari 4 was the only other released browser to respect this header, but other browsers will surely follow soon.


Configuration

Clickjacking protection using the X-FRAME-OPTIONS header is enabled by default in Geeklog. You will find the option in the Configuration Admin panel under

Configuration > Geeklog > Miscellaneous > Miscellaneous > Protection against "clickjacking"

There are 3 options:

  • Strict (default) will not allow any framing
  • Same Origin will allow pages on the same domain to frame pages, but will not allow framing by other sites
  • (disabled) will disable clickjacking protection.
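The following is an added example (not Geeklog's own code) that ties the three configuration settings above to the X-FRAME-OPTIONS header described in the Protection section, and models the browser-side check that the header triggers. It assumes that "Strict" corresponds to the header value DENY and "Same Origin" to SAMEORIGIN (the two values the header defines) and that "(disabled)" means no header is sent at all; the setting keys `strict`, `sameorigin` and `disabled`, and all function names, are this example's own.

```javascript
// Added example (not Geeklog's code). Assumption: "Strict" -> DENY,
// "Same Origin" -> SAMEORIGIN, "(disabled)" -> no header sent.

// Header value for a configuration setting, or null when protection is off.
function frameOptionsHeader(setting) {
  switch (setting) {
    case 'strict':     return 'DENY';
    case 'sameorigin': return 'SAMEORIGIN';
    case 'disabled':   return null;
    default:
      throw new Error('unknown clickjacking setting: ' + setting);
  }
}

// Response headers a page would send for a given setting; the
// X-FRAME-OPTIONS header is simply absent when protection is disabled.
function responseHeadersFor(setting) {
  const headers = { 'Content-Type': 'text/html; charset=utf-8' };
  const value = frameOptionsHeader(setting);
  if (value !== null) {
    headers['X-FRAME-OPTIONS'] = value;
  }
  return headers;
}

// Origin (scheme://host:port) of a URL, the unit browsers compare
// when evaluating SAMEORIGIN.
function originOf(url) {
  return new URL(url).origin;
}

// Model of the browser-side check: given the header value the framed page
// sent, that page's URL, and the URL of the top-level document framing it,
// decide whether the browser renders the page inside the frame.
function browserAllowsFraming(headerValue, framedUrl, topUrl) {
  if (headerValue === null) {
    return true;                      // no header: nothing to enforce
  }
  switch (headerValue.toUpperCase()) {
    case 'DENY':
      return false;                   // never rendered inside a frame
    case 'SAMEORIGIN':
      return originOf(framedUrl) === originOf(topUrl);
    default:
      // Unrecognised value: treated here as if no header were sent
      // (an assumption of this model, not behaviour documented on the page).
      return true;
  }
}
```

Running `browserAllowsFraming('SAMEORIGIN', ...)` with a framing document from another origin returns false, which is the case the "Same Origin" setting is meant to stop, while the same page framed from its own origin is allowed; with the default "Strict" setting no framing is allowed at all.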

We strongly advise not to disable this option.