
Thread: How do i set X-Frame-Options in my app's response header?

  1. #1
    "Certified" Alphaholic
    Real Name
    Jaime Ben David
    Join Date
    Jan 2011
    Location
    Karkur, Israel
    Posts
    1,040

    Default How do i set X-Frame-Options in my app's response header?

    Hi
    After running a penetration test on my server, as part of a security compliance check, they found a medium-risk issue called "framing attacks". Here is the recommendation on how to fix it:

    To effectively prevent framing attacks,
    the application should return a response
    header with the name X-Frame-Options
    and the value DENY to prevent framing
    altogether, or the value SAMEORIGIN to
    allow framing only by pages on the same
    origin as the response itself.
    How do I implement this in my AA apps?

    Many thanks
    Jaime

  2. #2
    "Certified" Alphaholic
    Real Name
    Jaime Ben David
    Join Date
    Jan 2011
    Location
    Karkur, Israel
    Posts
    1,040

    Default Re: How do i set X-Frame-Options in my app's response header?

    Bump. This is the only issue left in a penetration test of my server ...
    I'd like to set X-Frame-Options to SAMEORIGIN in all my apps... it would be great if it could be done through the Application Server, or through some project defaults.

  3. #3
    Member
    Real Name
    Alex
    Join Date
    Oct 2015
    Location
    Perth, WA Australia
    Posts
    145

    Default Re: How do i set X-Frame-Options in my app's response header?

    Hi Jaime
    Look at https://developer.mozilla.org/en-US/...-Frame-Options
    This does show the answer if you are using IIS
    Alex Collier

    "The spread of computers and the Internet will put jobs in two categories. People who tell computers what to do, and people who are told by computers what to do"

    AA Builds from 5221_5152 to Pre-releases >> Deploying to IIS in AWS

  4. #4
    "Certified" Alphaholic
    Real Name
    Jaime Ben David
    Join Date
    Jan 2011
    Location
    Karkur, Israel
    Posts
    1,040

    Default Re: How do i set X-Frame-Options in my app's response header?

    Thanks Alex. I saw this page before, but I am using the Application Server.

  5. #5
    Member
    Real Name
    Alan Owen / Toby Burton / Jamie Eccott
    Join Date
    Feb 2010
    Location
    England
    Posts
    196

    Default Re: How do i set X-Frame-Options in my app's response header?

    Context.Response.Headers.Set() is an option in Alpha, but it is not documented. We have the same issue.

  6. #6
    "Certified" Alphaholic kkfin's Avatar
    Real Name
    Kenneth
    Join Date
    Dec 2006
    Location
    EU
    Posts
    1,543

    Default Re: How do i set X-Frame-Options in my app's response header?

    At least in the better one AA server you can put it like response.addHeader("Header", "Value")

    Kenneth

  7. #7
    Member
    Real Name
    Alan Owen / Toby Burton / Jamie Eccott
    Join Date
    Feb 2010
    Location
    England
    Posts
    196

    Default Re: How do i set X-Frame-Options in my app's response header?

    Thanks for this. All working now.

  8. #8
    VAR
    Real Name
    Mike Reed
    Join Date
    Apr 2000
    Location
    Phoenix, AZ
    Posts
    667

    Default Re: How do i set X-Frame-Options in my app's response header?

    Hi,
    I am trying to add this to our site. Would this be the proper format for the command?

    <%a5
    Context.Response.Headers.Set("X-Frame-Options", "sameorigin")
    %>
    I assume this would go in the index page in the header section. Is that right?

    Thanks,
    Mike
    Mike Reed
    Phoenix, AZ

  9. #9
    "Certified" Alphaholic kkfin's Avatar
    Real Name
    Kenneth
    Join Date
    Dec 2006
    Location
    EU
    Posts
    1,543

    Default Re: How do i set X-Frame-Options in my app's response header?

    It sets the header on the page where the code is. Set overwrites; Add adds.

  10. #10
    VAR
    Real Name
    Mike Reed
    Join Date
    Apr 2000
    Location
    Phoenix, AZ
    Posts
    667

    Default Re: How do i set X-Frame-Options in my app's response header?

    I guess I didn't properly ask the question, my bad.

    Is the command I have shown correct in its syntax?
    Is the command done with Xbasic as I have done?

    I placed the Xbasic code just about the <head> mark on the index page. Is that the proper place to put it?

    Thanks,

    Mike
    Mike Reed
    Phoenix, AZ

  11. #11
    "Certified" Alphaholic kkfin's Avatar
    Real Name
    Kenneth
    Join Date
    Dec 2006
    Location
    EU
    Posts
    1,543

    Default Re: How do i set X-Frame-Options in my app's response header?

    Syntax is right. But you can also use Context.Response.Headers.Add("X-Frame-Options", "sameorigin"). The difference is what I said in my previous post.

    It does not matter where you put the Xbasic code. It will be executed anyway before the page is rendered in the browser.
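
The replies above note that the snippet sets the header only on the page it is placed in, and that Set overwrites while Add adds, so a retest should confirm that every page returns exactly one valid value. The following Python check is an added example, not part of the thread or of Alpha Anywhere; the paths and sample responses are constructed for illustration.

```python
# Added example: classify captured responses by their X-Frame-Options state.
ALLOWED = {"deny", "sameorigin"}  # the two values the pentest report recommends

def parse_headers(raw):
    """Return [(lowercased name, value)] from a raw HTTP response header block."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():                   # blank line ends the headers
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_xfo(raw):
    """Return 'ok', 'missing', 'invalid', 'conflicting' or 'duplicate'."""
    values = []
    for name, value in parse_headers(raw):
        if name == "x-frame-options":
            # One header line can itself carry a comma-separated list.
            values += [v.strip().lower() for v in value.split(",") if v.strip()]
    if not values:
        return "missing"
    distinct = set(values)
    if not distinct <= ALLOWED:
        return "invalid"
    if len(distinct) > 1:
        return "conflicting"      # e.g. Add() on top of a value set elsewhere
    return "ok" if len(values) == 1 else "duplicate"

def audit(responses):
    """Map each path to the status of its response headers."""
    return {path: check_xfo(raw) for path, raw in responses.items()}

# Constructed sample responses (hypothetical paths), not captured from a real server.
SAMPLES = {
    "/index": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: sameorigin\r\n\r\n",
    "/login": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "/report": "HTTP/1.1 200 OK\r\nX-Frame-Options: sameorigin\r\nX-Frame-Options: DENY\r\n\r\n",
    "/about": "HTTP/1.1 200 OK\r\nx-frame-options: same-origin\r\n\r\n",
}

if __name__ == "__main__":
    for path, status in audit(SAMPLES).items():
        print(f"{path:10} {status}")
```

Any page reported as anything other than "ok" still needs the header set, or set only once, before the retest.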

  12. #12
    VAR
    Real Name
    Mike Reed
    Join Date
    Apr 2000
    Location
    Phoenix, AZ
    Posts
    667

    Default Re: How do i set X-Frame-Options in my app's response header?

    Thank you, I’m not very good at this stuff, so I just needed to double check.

    Peace,
    Mike
    Mike Reed
    Phoenix, AZ
