Prevent #Clickjacking in c# / #asp.net
Clickjacking is when someone loads your website or content in an iframe without your consent. This may be part of a simple DDoS attack, an attempt to spoof CPC traffic, or a way to embed your functionality or content without the visitor actually seeing your website.
Modern browsers support a mechanism called CSP, or "Content-Security-Policy", which is sent as an HTTP response header and can be used to prevent this sort of unauthorised framing.
You have several options:
To prevent all framing of your content use:
Content-Security-Policy: frame-ancestors 'none'
To allow for your site only, use:
Content-Security-Policy: frame-ancestors 'self'
To allow framing only from a trusted domain (my-trusty-site.com), use:
Content-Security-Policy: frame-ancestors my-trusty-site.com
To add this to your ASP.NET page in C#, add the following code (for example in Page_Load, before any output is written, since headers cannot be changed once the response body has started; on the IIS classic pipeline use Response.AppendHeader instead of Response.Headers.Add):
Response.Headers.Add("Content-Security-Policy", "frame-ancestors customer.website.com");
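As an added example that is not part of the original post, the same policy as ASP.NET Core middleware (the post's snippet targets System.Web). It builds the frame-ancestors value from an allow-list and also emits the legacy X-Frame-Options header where an equivalent exists, for browsers that predate CSP Level 2; the allow-list values passed to UseFrameAncestors are assumed to come from your own configuration.

```csharp
// Added example (not from the original post): ASP.NET Core middleware that
// sends Content-Security-Policy: frame-ancestors plus, where one exists, the
// legacy X-Frame-Options fallback for browsers without CSP Level 2 support.
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class FrameAncestorsHeaders
{
    // Builds both header values for an allow-list. Use "'none'" to block all
    // framing, "'self'" for same-origin only, or one or more host sources
    // such as "my-trusty-site.com". Xfo is null when no X-Frame-Options
    // equivalent exists.
    public static (string Csp, string? Xfo) Build(IEnumerable<string> allowedAncestors)
    {
        var sources = allowedAncestors.Select(s => s.Trim())
                                      .Where(s => s.Length > 0).ToList();
        if (sources.Count == 0 || sources.Contains("'none'"))
            return ("frame-ancestors 'none'", "DENY");
        if (sources.Count == 1 && sources[0] == "'self'")
            return ("frame-ancestors 'self'", "SAMEORIGIN");
        // X-Frame-Options cannot name a third-party host in a way modern
        // browsers honour (ALLOW-FROM is deprecated), so only CSP is sent.
        return ("frame-ancestors " + string.Join(" ", sources), null);
    }

    // Registers middleware that sets the headers on every response.
    // Usage in Program.cs (assumed placement): app.UseFrameAncestors("'self'");
    public static IApplicationBuilder UseFrameAncestors(
        this IApplicationBuilder app, params string[] allowedAncestors)
    {
        var (csp, xfo) = Build(allowedAncestors);
        return app.Use(async (context, next) =>
        {
            // OnStarting runs just before headers are flushed, so the values
            // are applied even if a handler has already begun writing.
            context.Response.OnStarting(() =>
            {
                var headers = context.Response.Headers;
                // Append rather than overwrite: a page may already send its own
                // CSP, and browsers enforce every CSP header they receive.
                headers.Append("Content-Security-Policy", csp);
                if (xfo != null && !headers.ContainsKey("X-Frame-Options"))
                    headers["X-Frame-Options"] = xfo;
                return Task.CompletedTask;
            });
            await next();
        });
    }
}
```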