HTTP headers are a type of metadata sent with web requests and responses, the information they provide can be important or simply be informational. Security headers are a subset of the “Response headers” that can be set by the web server, they are one of the features that can help address a number of security issues. One of the security headers, called “X-Frame-Options” is designed to prevent click-jacking attacks.
Click-jacking, also known as “User Interface Redressing”, is an issue where an attacker is able to trick a user into clicking on something that isn’t what it appears to be. For websites, this is done by overlaying a transparent website over a visible one. In this type of attack the user thinks that they’re interacting with the visible website but in reality, they’re unwittingly affecting the transparent website.
For example, an attacker could set up a website that makes it likely that a user clicks on a button, perhaps a play button for a video. In a transparent layer over the top of that webpage is a second webpage, such as the webpage to delete your Facebook account with the “Delete account” button positioned directly over the play button. In this scenario when the user tries to click play, they actually click the button to delete their Facebook account.
Click-jacking relies on the ability to display the target website over the top of the dummy website, through a process called “Framing”. Framing uses the HTML element “iframe” which can load an entire separate webpage within another page. By loading the target webpage in a frame, positioning it carefully, and turning it transparent, the victim will be completely unaware that they’re being tricked into performing an action.
The HTTP response header “X-Frame-Options” is an optional feature that can be set for websites in the server configuration files. X-Frame-Options prevents webpages from being loaded in iframes, which prevents it from being overlaid over another website. The victim’s browser actually applies the security control, this is because all browsers respect the X-Frame-Options header and will refuse to load any webpages with the header set in a frame.
The header allows the website owner to configure how restrictive the setting is. There are two settings: “X-Frame-Options: DENY” prevents a protected webpage from ever being framed. The other option, “X-Frame-Options: SAMEORIGIN”, allows protected webpages to be framed, only if the page loading the frame has the same domain name. In this case, you can load a frame on your own website but no one else can load it on theirs.