[Repost] X-Frame-Options: preventing web pages from being placed in iframes
What are X-Frame-Options?
X-Frame-Options is an HTTP response header that tells the browser whether this page can be placed in an iframe. For example:
The first example tells the browser not to (DENY) put the page in an iframe, usually to protect users against clickjacking.
The second example tells the browser to display the page only if the site hosting the iframe is the same site that issued the X-Frame-Options header.
The third example tells the browser that this web page can only be placed in an iframe set up by the http://caibaojian.com// web page.
A web page that does not specify X-Frame-Options can be placed inside any iframe.
X-Frame-Options can protect your web pages from being placed in iframes set up by malicious websites, which would make users victims of clickjacking.
There are two possible values for using X-Frame-Options:
Sometimes, to prevent a web page from being framed by other people's websites, we can set X-Frame-Options in the HTTP header on the server side.
The X-Frame-Options response header has three optional values:
DENY: The page cannot be embedded in any iframe or frame;
SAMEORIGIN: The page can only be embedded in an iframe or frame by pages of the same site;
ALLOW-FROM: The page can only be embedded in an iframe or frame by the specified site.
The way to set it on the server is as follows:
Java code:
    response.addHeader("x-frame-options", "SAMEORIGIN");
Nginx configuration:
    add_header X-Frame-Options SAMEORIGIN;
Apache configuration:
    Header always append X-Frame-Options SAMEORIGIN
In addition, after checking the latest information, you can also set it directly through a meta tag, with no need to put it in the HTTP header.
Two parameters: (the role is the same as above)
Solution: Add the following configuration to web.config
<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>
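To check what a server configured as above actually sends, the following added example (not part of the original article) reads X-Frame-Options from a list of response headers, flags missing, repeated or conflicting values, and applies the three values as described above to a framing attempt. The names parse_xfo, may_frame and SAMPLE and the example.test URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def origin(url):
    """Return (scheme, host, port) for a URL, filling in default ports."""
    u = urlsplit(url)
    return (u.scheme, (u.hostname or "").lower(),
            u.port or {"http": 80, "https": 443}.get(u.scheme))

def parse_xfo(headers):
    """Read X-Frame-Options from (name, value) response header pairs.

    Returns (policy, allowed_url, findings). policy is DENY, SAMEORIGIN,
    ALLOW-FROM, None (header absent) or INVALID (no single usable value).
    """
    values = []
    for name, value in headers:
        if name.strip().lower() == "x-frame-options":
            # Repeated headers may arrive as separate pairs or comma-joined.
            values += [v.strip() for v in value.split(",") if v.strip()]
    if not values:
        return None, None, ["missing: page can be placed inside any iframe"]
    findings = []
    if len(values) > 1:
        findings.append("header set %d times" % len(values))
    if len({v.upper() for v in values}) > 1:
        findings.append("conflicting values: " + ", ".join(values))
        return "INVALID", None, findings
    directive, _, arg = values[0].partition(" ")
    directive, arg = directive.upper(), arg.strip()
    if directive in ("DENY", "SAMEORIGIN") and not arg:
        return directive, None, findings
    if directive == "ALLOW-FROM" and arg:
        return directive, arg, findings
    findings.append("unrecognised value: " + values[0])
    return "INVALID", None, findings

def may_frame(policy, allowed_url, page_url, framing_url):
    """Apply the three values as the text describes them to one framing attempt."""
    if policy is None:
        return True   # no header: any site may frame the page
    if policy == "DENY":
        return False
    if policy == "SAMEORIGIN":
        return origin(page_url) == origin(framing_url)
    if policy == "ALLOW-FROM":
        return origin(allowed_url) == origin(framing_url)
    raise ValueError("invalid X-Frame-Options; fix the header first")

# Constructed sample: the application and Apache's 'append' both set the header.
SAMPLE = [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN, SAMEORIGIN")]
```

Running parse_xfo(SAMPLE) reports the duplicated header that results when both the application code and the web server configuration add it.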