We can use an HTTP response header called x-frame-options to combat clickjacking on our web application. We could do this in any of the following two implementations.
- When your application starts up, you can place the following code in a module that implements IHttpModule.
Set the x-frame-options header to "DENY" when the web application starts up:
public void Init(HttpApplication application)
{
application.BeginRequest += (new
EventHandler(this.Application_BeginRequest));
}
private void Application_BeginRequest(object sender, EventArgs e)
{
HttpContext context = ((HttpApplication)source).Context;
context.Current.Response.AddHeader("x-frame-options", "DENY");
}
The main thing we are doing here is setting the x-frame-options HTTP header to DENY, but it is advisable to actually do this within your Internet Information Services (IIS) if this is your hosting option.
- You could do so by going into the IIS Manager, and then with your website selected, do the following:
- Select or double-click to edit the HTTP response headers from the list of features.
- You will then click Add... from the Actions section on the right. See the following screenshot:
-
- A pop-up box will appear and then you can type X-Frame-Options in the Name input box, and SAMEORIGIN in the Value input box. Instead of SAMEORIGIN, you can also choose to type DENY and it will all serve the same purpose of protecting you from clickjacking.
Most of the previously mentioned potential attacks originate from an active hacking intent, devising ways and means to find loopholes to get into vulnerable web applications. However, as a web application developer with ASP.NET Core 3, the following vulnerability emanates from a bit of carelessness that you should always avoid.