Preventing a web page from being embedded in someone else's iframe: the X-Frame-Options setting
X-Frame-Options prevents framing and has the following three modes:
· DENY
Deny all attempts to frame the page
· SAMEORIGIN
The page can be framed by another page only if it belongs to the same origin as the page being framed
· ALLOW-FROM origin
Developers can specify a list of trusted origins in the origin attribute. Only pages on origin are permitted
to load this page inside an iframe
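General HTML setting:
<meta http-equiv="X-Frame-Options" content="deny">
Note that browsers ignore X-Frame-Options when it is delivered in a meta tag; the policy is enforced only when it is sent as an HTTP response header, as in the ASP.NET methods that follow.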
ASP.NET setting:
Method 1:
Set it directly in Global.asax
' Add the header to every response at the start of each request
Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
    Response.Headers("X-FRAME-OPTIONS") = "DENY"
End Sub
Method 2:
Set it directly in Web.Config
Add the header inside <customHeaders>, under <httpProtocol>, under <system.webServer>.
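A check for the Web.Config method, as an added example that is not part of the original post: it parses a constructed Web.config and reports which X-Frame-Options mode the customHeaders section would emit. The sample config, function names and result labels are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config (not from the original post). <add name value>
# is the IIS customHeaders syntax for emitting a static response header.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="DENY" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""

SECTION = ("system.webServer", "httpProtocol", "customHeaders")
HEADER = "x-frame-options"  # header names are case-insensitive


def configured_value(web_config_xml):
    """Return the X-Frame-Options value the config emits, or None if unset."""
    node = ET.fromstring(web_config_xml)
    for tag in SECTION:  # walk configuration -> ... -> customHeaders
        node = next((child for child in node if child.tag == tag), None)
        if node is None:
            return None
    value = None
    for el in node:  # document order: <clear/> and <remove> undo earlier entries
        name = (el.get("name") or "").lower()
        if el.tag == "clear" or (el.tag == "remove" and name == HEADER):
            value = None
        elif el.tag == "add" and name == HEADER:
            value = (el.get("value") or "").strip()
    return value


def audit(web_config_xml):
    """Classify the configured value against the three modes listed above."""
    value = configured_value(web_config_xml)
    if not value:
        return "missing"
    mode = value.upper()
    if mode in ("DENY", "SAMEORIGIN"):
        return mode
    if mode.startswith("ALLOW-FROM "):
        return "ALLOW-FROM"  # needs an origin; current browsers no longer honor it
    return "invalid"


if __name__ == "__main__":
    print(audit(SAMPLE_WEB_CONFIG))
```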
HP vulnerability ID: Cross-Frame Scripting (11293)