X-Frame-Options: DENY 在 Spring Boot REST API 中不起作用。

huangapple go评论83阅读模式
英文:

X-Frame-Options: DENY is not working for spring boot REST API

问题

我的项目使用ExtJs作为前端,Spring Boot作为后端。ExtJs将调用Spring Boot,后者将以JSON响应。我想要防止clickjacking攻击在我的项目中发生。我有一个简单的HTML脚本,它只会在iframe中加载网站。如果网站在iframe中加载,那么这意味着它不安全。我已经在Spring Boot REST API响应中添加了以下标志以防止这种情况发生:X-Frame-Options: DENYContent-Security-Policy: frame-ancestors 'none';。但即使如此,它仍然无法阻止我的应用程序被加载在iframe中。用于检查是否可能发生clickjacking的代码如下:

<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website is vulnerable to clickjacking!</p>
<iframe src="http://localhost:8000" width="1000" height="1000"></iframe>
</body>
</html>

这里的localhost:8000是指ExtJs的URL。我进行了研究,并发现客户端端验证以防止clickjacking并不是非常有效。那么,有没有办法在我的项目中防止clickjacking攻击呢?

英文:

My Project has ExtJs as Front end and Spring boot as backend. ExtJs will call spring boot which will respond with JSON. I wanted to prevent clickjacking attack in my project. I have a simple html script, which will just load the website in an iframe.If the website is loaded within iframe, then it means it is not secure.I have added the following flags X-Frame-Options: DENY and Content-Security-Policy: frame-ancestors &#39;none&#39;; in spring boot REST API response to prevent that.But even then, it is not preventing my application to be loaded in iframe. The code to check if clickjacking is possible is

<!-- begin snippet: js hide: false console: true babel: false -->

<!-- language: lang-html -->

&lt;html&gt;
&lt;head&gt;
&lt;title&gt;Clickjack test page&lt;/title&gt;
&lt;/head&gt;
&lt;body&gt;
&lt;p&gt;Website is vulnerable to clickjacking!&lt;/p&gt;
&lt;iframe src=&quot;http://localhost:8000&quot; width=&quot;1000&quot; height=&quot;1000&quot;&gt;&lt;/iframe&gt;
&lt;/body&gt;
&lt;/html&gt;

<!-- end snippet -->

</html>`

Here, localhost:8000 refers to extjs URL.I researched and found out that client side validations to prevent clickjacking is not that effective. So is there any options to prevent clickjacking attack in my project

答案1

得分: 0

使用'DENY'选项以防止所有框架,或者'SAMEORIGIN'选项,仅在应用程序功能需要时允许由原始域进行框架设置。

旧版浏览器可能不支持'XFRAME OPTIONS'头部,需要基于JavaScript的防止点击劫持保护。有关基于JavaScript的保护信息,请查阅https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Shee。

英文:

Use the 'DENY' option to prevent all framing, or 'SAMEORIGN' to only allow framing by the origin domain if required for application functionality.

Legacy browsers may not support the 'XFRAME OPTIONS' header and require JavaScript based protection against clickjacking. Information about JavaScript based protection can be found at https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Shee

答案2

得分: 0

X-Frame-Options: DENY如果在响应头中可用,应该能起作用。它将阻止网站在默认浏览器设置下加载到iframe中。如果您可能已更改浏览器设置或安装了禁用iframe选项的插件,那么它将无效。您可以尝试使用另一种浏览器或进入无痕模式。

英文:

X-Frame-Options: DENY should do the trick if it is available in the response header. It won't allow the site to load into iframe by default browser settings. If you may be changed the browser settings or having any plugin that will disable iframe options then it won't work. you can try using another browser or in incognito mode

答案3

得分: 0

问题已通过在Apache服务器配置文件中设置Header always append X-Frame-Options DENY来解决。

英文:

The issue was resolved by setting Header always append X-Frame-Options DENY
in apache server conf file

huangapple
  • 本文由 发表于 2020年1月6日 19:03:59
  • 转载请务必保留本文链接:https://go.coder-hub.com/59610943.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定