AppSec Blog: Category - Clickjacking

AppSec Blog:

Adoption of X-FRAME-OPTIONS Header

Late 2008, Jeremiah Grossman and Robert Hansen publicized the clickjacking problem and got the web app security experts all trying to come up with solutions. One of the more viable solution is the X-FRAME-OPTIONS header that allow a site to control whether its content can be within a frame. There are two settings to this header, DENY blocks the content from being in a frame and SAMEORIGIN only allows the content to be framed by pages within the same origin. While it is not the end all and be all of clickjacking solution and won't work in some sites that extensively use frames across multiple sites, it is considered as a more reasonable approach for sites to protect their own content.

Johannes Ullrich and I got a little curious

...