Forum Discussion

NickLuckcuck_32
Aug 08, 2018

ASM X-FRAME-OPTIONS identification of issues prior to deployment.

Hi All,

I am looking at deploying an ASM policy; this policy will activate the X-FRAME-OPTIONS header.

My question is: is there a sensible way of understanding if any of my customers are using our service within iframes, and would therefore be affected by the new header setting?

Thanks

Nick


2 Replies

  • This is not easy as only the browser knows if a website is rendered in an iframe or a full window.

    One way of getting that information is to use CSP (Content Security Policy) in Report-Only mode with the equivalent setting of the X-FRAME-OPTIONS header and send reports to a CSP reporting service such as report-uri.com

    Beware that if you find out that people are indeed "framing" your website they are just as likely to be hackers/attackers as legit customers - not quite sure how you would distinguish between them.
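As an added example (my own code, not from this thread, from F5, or from report-uri.com), here is the Report-Only approach from the reply above worked through in Python. The intended X-Frame-Options value is translated into the equivalent CSP frame-ancestors directive and emitted as a Content-Security-Policy-Report-Only header, so framing keeps working while browsers POST a report for each framing that would have been blocked; the collected reports are then tallied to show which origins frame which of our pages, and finally the vetted origins are turned into an enforcing allow-list. The report endpoint URL and the sample report lines are constructed; the reports use the classic `csp-report` JSON shape, one per line as a collector might log them, and the field meanings (document-uri is our framed page, blocked-uri carries the embedding document's origin for frame-ancestors violations) are as browsers report them.

```python
"""Added example, not code from the original thread or from F5.

Phase 1: publish the intended X-Frame-Options setting as a Report-Only CSP
frame-ancestors directive, so browsers keep rendering frames but report them.
Phase 2: tally the collected CSP violation reports to see which origins frame
which of our pages. Phase 3: enforce, with an allow-list for vetted embedders.
The endpoint and the sample reports below are constructed."""
import json
from urllib.parse import urlsplit

# Assumed collector URL (any service that accepts CSP report POSTs would do).
REPORT_ENDPOINT = "https://csp-reports.example.invalid/report"


def xfo_to_frame_ancestors(xfo_value):
    """Map an X-Frame-Options value to the equivalent CSP frame-ancestors
    directive. ALLOW-FROM takes a single URI and was never supported by most
    browsers; CSP compares ancestors by origin, so only the origin is kept."""
    value = xfo_value.strip()
    upper = value.upper()
    if upper == "DENY":
        return "frame-ancestors 'none'"
    if upper == "SAMEORIGIN":
        return "frame-ancestors 'self'"
    if upper.startswith("ALLOW-FROM "):
        parts = urlsplit(value.split(None, 1)[1].strip())
        if not (parts.scheme and parts.netloc):
            raise ValueError(f"ALLOW-FROM needs an absolute URI: {xfo_value!r}")
        return f"frame-ancestors {parts.scheme}://{parts.netloc}"
    raise ValueError(f"unknown X-Frame-Options value: {xfo_value!r}")


def report_only_header(xfo_value):
    """Header to deploy *before* the enforcing X-Frame-Options header: nothing is
    blocked, but each framing that would violate the policy is POSTed as a report."""
    return ("Content-Security-Policy-Report-Only",
            f"{xfo_to_frame_ancestors(xfo_value)}; report-uri {REPORT_ENDPOINT}")


def framing_origins(report_lines):
    """Tally frame-ancestors reports (classic {"csp-report": {...}} JSON, one per
    line). For this directive the browser reports from the framed page, so
    document-uri is our page and blocked-uri is the embedding document's origin.
    Returns ({origin: {"reports": n, "framed_pages": set()}}, malformed_count)."""
    by_origin = {}
    malformed = 0
    for line in report_lines:
        line = line.strip()
        if not line:
            continue
        try:
            report = json.loads(line)["csp-report"]
        except (ValueError, KeyError, TypeError):
            malformed += 1  # junk in the log is counted, not silently dropped
            continue
        directive = report.get("violated-directive") or report.get("effective-directive") or ""
        if not directive.startswith("frame-ancestors"):
            continue  # reports for other CSP directives are not what we measure here
        parts = urlsplit(report.get("blocked-uri") or "")
        origin = f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else "(unknown)"
        entry = by_origin.setdefault(origin, {"reports": 0, "framed_pages": set()})
        entry["reports"] += 1
        entry["framed_pages"].add(report.get("document-uri", ""))
    return by_origin, malformed


def enforcing_headers(vetted_origins=()):
    """Phase 3, once the legitimate embedders are known: frame-ancestors carries
    the per-origin allow-list (browsers that understand it ignore X-Frame-Options
    when frame-ancestors is present), and X-Frame-Options SAMEORIGIN stays as the
    fallback for older browsers, which cannot express extra origins."""
    ancestors = " ".join(["'self'", *sorted(vetted_origins)])
    return [("X-Frame-Options", "SAMEORIGIN"),
            ("Content-Security-Policy", f"frame-ancestors {ancestors}")]


# Constructed reports as a collector might log them: two from one customer site,
# one from an unrecognised host, one unrelated script-src report, one junk line.
SAMPLE_REPORTS = """\
{"csp-report": {"document-uri": "https://service.example/portal", "violated-directive": "frame-ancestors 'self'", "blocked-uri": "https://customer-a.example", "disposition": "report"}}
{"csp-report": {"document-uri": "https://service.example/portal", "violated-directive": "frame-ancestors 'self'", "blocked-uri": "https://customer-a.example", "disposition": "report"}}
{"csp-report": {"document-uri": "https://service.example/login", "violated-directive": "frame-ancestors 'self'", "blocked-uri": "https://unknown-host.example/embed.html", "disposition": "report"}}
{"csp-report": {"document-uri": "https://service.example/portal", "violated-directive": "script-src 'self'", "blocked-uri": "https://cdn.example/x.js", "disposition": "report"}}
garbage line that is not a report
"""

if __name__ == "__main__":
    print("Phase 1 header:", report_only_header("SAMEORIGIN"))
    origins, bad = framing_origins(SAMPLE_REPORTS.splitlines())
    for origin, info in sorted(origins.items(), key=lambda kv: -kv[1]["reports"]):
        print(f"{origin}: {info['reports']} report(s), pages {sorted(info['framed_pages'])}")
    print(f"{bad} malformed line(s) ignored")
    print("Phase 3 headers:", enforcing_headers(["https://customer-a.example"]))
```

Leave the Report-Only header in place for long enough to cover the customers' usage cycle before reading the tally; origins you recognise as customers go into the allow-list, and origins you do not recognise are exactly the framing the reply warns about, so the enforcing policy simply leaves them out rather than requiring you to tell the two apart from the reports alone.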


  • I don't know what kind of application/website you secure, but X-Frame-Options allows you to prevent clickjacking attacks, and also protects the reputation of your site, which can otherwise be hosted anywhere through an iframe.

    I think you should do it differently: block it, and if someone needs your application to be hosted through an iframe, they must clearly justify it... and in F5 you have the ability to allow X-Frame-Options for a specific domain:

    https://support.f5.com/csp/article/K16642

    Let me know if you need more details.

    Regards