Add the following header to the HTTP response:
Key : X-Frame-Options
Value : SAMEORIGIN
X-Frame-Options option values
- DENY : the page may not be displayed in a frame at all (not even by its own origin).
- SAMEORIGIN : the page may be displayed only in a frame whose origin is the same as the page's own origin.
- ALLOW-FROM uri : the page may be displayed only in a frame on the specified origin.
* X-Frame-Options is, as the X- prefix in its name indicates, an extension header, so not every browser honours it.
  DENY and SAMEORIGIN are applied by Chrome 4.1, IE 8, Opera 10.5, Safari 4.0 and Firefox 3.6.9 or later; support for ALLOW-FROM differs from browser to browser.
* Apache configuration
  Add the line below inside the relevant block (<Directory>, <Location>, <Files>, <VirtualHost>) of the configuration file:
  Header always append X-Frame-Options SAMEORIGIN
* Java application
  response.addHeader("X-Frame-Options", "SAMEORIGIN");
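An added example (JavaScript, not code from this page or from OWASP): a small model of how a browser applies the three option values listed above to a page loaded inside a frame, plus a helper that reads the header back out of a captured raw response so that what Apache or the Java code actually emits can be checked. It goes a little beyond the page: a header carrying conflicting comma-joined values is treated as invalid (and therefore as providing no protection), and a switch models browsers that ignore ALLOW-FROM. The origins and the sample response are constructed values.

```javascript
// Added example, not code from the original page: a model of how a browser
// applies X-Frame-Options to a framed document, and a helper that extracts the
// header from a captured raw HTTP response. All origins below are constructed.

// Reduce a URL to its origin (scheme + host + port), the unit that
// X-Frame-Options compares. Returns null for unparsable input.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null;
  }
}

// Parse one header field value into a structured directive.
// Unknown tokens and conflicting comma-joined values are treated as invalid.
// An invalid header gives no protection, so a checker must report it instead
// of assuming "header present == safe".
function parseXFrameOptions(value) {
  if (value == null) return { directive: "NONE" };
  const parts = value.split(",").map((s) => s.trim()).filter(Boolean);
  const distinct = new Set(parts.map((p) => p.toUpperCase()));
  if (distinct.size !== 1) return { directive: "INVALID" };
  const token = parts[0];
  const upper = token.toUpperCase();
  if (upper === "DENY" || upper === "SAMEORIGIN") return { directive: upper };
  if (upper.startsWith("ALLOW-FROM")) {
    const origin = originOf(token.slice("ALLOW-FROM".length).trim());
    return origin ? { directive: "ALLOW-FROM", origin } : { directive: "INVALID" };
  }
  return { directive: "INVALID" };
}

// Decide whether the browser renders the framed page. `pageOrigin` is the
// origin of the document carrying the header, `topOrigin` the origin of the
// top-level document. `allowFromSupported = false` models browsers that do
// not implement ALLOW-FROM and simply ignore it. Current Chrome and Firefox
// also check intermediate ancestor frames; this model only compares against
// the top-level document, as the page's description does.
function framingDecision(headerValue, pageOrigin, topOrigin, allowFromSupported = true) {
  const parsed = parseXFrameOptions(headerValue);
  switch (parsed.directive) {
    case "DENY":
      return "block";
    case "SAMEORIGIN":
      return pageOrigin === topOrigin ? "allow" : "block";
    case "ALLOW-FROM":
      if (!allowFromSupported) return "allow"; // unsupported directive is ignored
      return parsed.origin === topOrigin ? "allow" : "block";
    default:
      return "allow"; // no header, or an invalid one: nothing restricts framing
  }
}

// Find a header in a captured raw HTTP response. Header names are
// case-insensitive, so the "X-FRAME-OPTIONS" emitted by the servlet filter
// matches "X-Frame-Options". Repeated fields are joined with ", ", the same
// form a comma-joined single value has, so parseXFrameOptions sees both alike.
function getHeader(rawResponse, name) {
  const headerBlock = rawResponse.split(/\r?\n\r?\n/)[0];
  const lines = headerBlock.split(/\r?\n/).slice(1); // drop the status line
  const values = [];
  for (const line of lines) {
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    if (line.slice(0, idx).trim().toLowerCase() === name.toLowerCase()) {
      values.push(line.slice(idx + 1).trim());
    }
  }
  return values.length ? values.join(", ") : null;
}

// Constructed sample response, shaped like the output of the servlet filter.
const SAMPLE_RESPONSE =
  "HTTP/1.1 200 OK\r\n" +
  "Content-Type: text/html; charset=UTF-8\r\n" +
  "X-FRAME-OPTIONS: SAMEORIGIN\r\n" +
  "\r\n" +
  "<html>...</html>";

const SITE = "https://app.example.test";        // constructed: the protected site
const THIRD_PARTY = "https://other.example.test"; // constructed: an unrelated origin

const emitted = getHeader(SAMPLE_RESPONSE, "X-Frame-Options");
console.log("header:", emitted);
console.log("framed by third party:", framingDecision(emitted, SITE, THIRD_PARTY)); // block
console.log("framed by itself:", framingDecision(emitted, SITE, SITE));             // allow
console.log("conflicting values:", framingDecision("DENY, SAMEORIGIN", SITE, THIRD_PARTY)); // allow
```

The last line is the case worth remembering when a header is set both in Apache and in application code: a response that carries the header but with an invalid or conflicting value is reported by this model as "allow", which is the right verdict for a checker to raise.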
* Application filter
- web.xml
  <?xml version="1.0" encoding="UTF-8"?>
  <web-app id="WebApp_ID" version="2.4"
           xmlns="http://java.sun.com/xml/ns/j2ee"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <display-name>OWASP ClickjackFilter</display-name>
    <filter>
      <filter-name>ClickjackFilterDeny</filter-name>
      <filter-class>org.owasp.filters.ClickjackFilter</filter-class>
      <init-param>
        <param-name>mode</param-name>
        <param-value>DENY</param-value>
      </init-param>
    </filter>
    <filter>
      <filter-name>ClickjackFilterSameOrigin</filter-name>
      <filter-class>org.owasp.filters.ClickjackFilter</filter-class>
      <init-param>
        <param-name>mode</param-name>
        <param-value>SAMEORIGIN</param-value>
      </init-param>
    </filter>
    <!-- use the Deny version to prevent anyone, including yourself, from framing the page -->
    <filter-mapping>
      <filter-name>ClickjackFilterDeny</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    <!-- use the SameOrigin version to allow your application to frame, but nobody else
    <filter-mapping>
      <filter-name>ClickjackFilterSameOrigin</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>
    -->
  </web-app>
- source
  package org.owasp.filters;

  import java.io.IOException;
  import javax.servlet.Filter;
  import javax.servlet.FilterChain;
  import javax.servlet.FilterConfig;
  import javax.servlet.ServletException;
  import javax.servlet.ServletRequest;
  import javax.servlet.ServletResponse;
  import javax.servlet.http.HttpServletResponse;

  public class ClickjackFilter implements Filter {

      // Default mode; overridden by the "mode" init-param from web.xml.
      private String mode = "DENY";

      /**
       * Add X-FRAME-OPTIONS response header to tell IE8 (and any other browsers who
       * decide to implement) not to display this content in a frame. For details, please
       * refer to http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx.
       */
      public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
              throws IOException, ServletException {
          HttpServletResponse res = (HttpServletResponse) response;
          res.addHeader("X-FRAME-OPTIONS", mode);
          chain.doFilter(request, response);
      }

      public void destroy() {
      }

      public void init(FilterConfig filterConfig) {
          String configMode = filterConfig.getInitParameter("mode");
          if (configMode != null) {
              mode = configMode;
          }
      }
  }
* JavaScript
  <script>
    if (top != window) {
      top.location = window.location;
    }
  </script>
  Script-based frame busting is only a fallback: it does nothing when scripts are not executed inside the frame, so the response header remains the primary control.