3

I've noticed a few websites deny access from iFrames to their registration and login pages for security reasons. It's a good idea in my opinion.

I'm wondering what settings they need in order to do this as I would like to do the same on my website. The website in question is built in Java and runs on Apache Tomcat.

If anyone knows how this is done it would be great if you could share.

diggersworld
  • 12,770
  • 24
  • 84
  • 119

3 Answers3

4

This is what I used and it worked. I got everything from here: OWASP Clickjacking protection in java

In the web.xml, add one of these in, depending on which policy you want to enforce:

<display-name>OWASP ClickjackFilter</display-name>
    <filter>
        <filter-name>ClickjackFilterDeny</filter-name>
        <filter-class>org.owasp.filters.ClickjackFilter</filter-class>
        <init-param>
            <param-name>mode</param-name>
            <param-value>DENY</param-value>
        </init-param>
    </filter>

    <filter>
        <filter-name>ClickjackFilterSameOrigin</filter-name>
        <filter-class>org.owasp.filters.ClickjackFilter</filter-class>
        <init-param>
            <param-name>mode</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>

     <!--  use the Deny version to prevent anyone, including yourself, from framing the page -->
    <filter-mapping> 
        <filter-name>ClickjackFilterDeny</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- use the SameOrigin version to allow your application to frame, but nobody else
    <filter-mapping> 
        <filter-name>ClickjackFilterSameOrigin</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    -->

    ...

Then in the java code:

public class ClickjackFilter implements Filter 
{

    private String mode = "DENY";

    /**
     * Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who
     * decide to implement) not to display this content in a frame. For details, please
     * refer to http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx.
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse)response;
        //If you have Tomcat 5 or 6, there is a known bug using this code.  You must have the doFilter first:
        chain.doFilter(request, response);
        res.addHeader("X-FRAME-OPTIONS", mode );            
        //Otherwise use this:
        //res.addHeader("X-FRAME-OPTIONS", mode );          
        //chain.doFilter(request, response);

    }

    public void destroy() {
    }

    public void init(FilterConfig filterConfig) {
        String configMode = filterConfig.getInitParameter("mode");
        if ( configMode != null ) {
            mode = configMode;
        }
    }
TylerH
  • 20,799
  • 66
  • 75
  • 101
James Drinkard
  • 15,342
  • 16
  • 114
  • 137
  • Thanks! Just to add, that the java code needs to be compiled into a .jar and placed in the Tomcat/lib directory – gordon613 Mar 07 '17 at 17:56
3

well, you should use the x-frame-options.

read this article, hope it helps:

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

I'm not familiar with jsp and servlets, but i think you could do something like this:

public class NoIFrameAllowedServlet extends HttpServlet {

  public void doGet(HttpServletRequest request,
                    HttpServletResponse response)
      throws ServletException, IOException {
      response.setHeader("X-Frame-Options", "SAMEORIGIN");
    }
try2fly.b4ucry
  • 152
  • 2
  • 7
0

You can detect iframe with JavaScript:

location.href != top.location.href -> iframe.

Also you can use "X-Frame-Options" HTTP header.

Artem
  • 4,347
  • 2
  • 22
  • 22