S 4.406 Prevention of clickjacking
Initiation responsibility: Head of Development, Persons responsible for individual applications
Implementation responsibility: Developer, Administrator
In a clickjacking attack, the contents of the web application are loaded into an invisible frame on a website controlled by the attacker. If a user visits that website, clicks intended for the visible contents are intercepted by the invisible frame without the user noticing. If the user is logged in to the web application at the same time, access-protected actions can be carried out in the web application in an unauthorised manner. To prevent this, the web application must ensure that its contents cannot be embedded in frames of other sites.
Therefore, the following countermeasures to prevent clickjacking should be implemented:
- Embedded code (e.g. JavaScript) in the websites should check and ensure on the client that the contents of the web application are displayed at the top level of the browser window. This is to prevent other levels from overlapping the original contents of the website. If it cannot be ensured that the contents are at the top level, then the display of the web application should be prevented (see Script on the prevention of clickjacking in Resources for the Web application module).
- In addition, when the web application delivers its websites, the X-FRAME-OPTIONS directive should be set in the HTTP response headers. X-FRAME-OPTIONS DENY prevents the contents of the website from being displayed in any frame. As an alternative, the restriction can be limited to pages that do not come from the same domain (X-FRAME-OPTIONS SAMEORIGIN).
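The following is an added example and not part of the safeguard text: a Node.js middleware that sets the X-FRAME-OPTIONS header as described above, an audit helper that answers the review question "has the directive been set?" from a captured response, and the client-side top-level check from the first countermeasure. The function names are assumptions made for this example.

```javascript
'use strict';
// Added example, not part of the BSI text: server-side X-Frame-Options
// middleware plus an audit helper for the review question, and the
// client-side top-level check. Function names are assumptions.

const ALLOWED_POLICIES = new Set(['DENY', 'SAMEORIGIN']);

// Express/Connect-style middleware: sets X-Frame-Options on every response.
// DENY is the safe default; SAMEORIGIN only if the application frames itself.
function applyFrameOptions(policy = 'DENY') {
  const value = String(policy).toUpperCase();
  if (!ALLOWED_POLICIES.has(value)) {
    throw new Error(`unsupported X-Frame-Options value: ${policy}`);
  }
  return function frameOptionsMiddleware(req, res, next) {
    res.setHeader('X-Frame-Options', value);
    if (typeof next === 'function') next();
  };
}

// Audit helper: given a response header map with lower-cased keys (as in
// Node's http.IncomingMessage.headers), report whether framing is restricted.
function auditFrameOptions(headers) {
  const raw = headers['x-frame-options'];
  if (raw === undefined) {
    return { protected: false, reason: 'X-Frame-Options header missing' };
  }
  // Node joins duplicate headers with ", "; browsers ignore conflicting
  // values such as "DENY, SAMEORIGIN", so treat them as unprotected.
  if (String(raw).includes(',')) {
    return { protected: false, reason: `conflicting values "${raw}"` };
  }
  const value = String(raw).trim().toUpperCase();
  if (ALLOWED_POLICIES.has(value)) {
    return { protected: true, policy: value };
  }
  return { protected: false, reason: `unsupported value "${raw}"` };
}

// Client-side check from the first countermeasure: true only when the
// document is the top-level browsing context. On a real page this runs
// before any content is shown; if it returns false the page hides its body.
function isTopLevel(win) {
  return win.self === win.top;
}
```

The audit helper can be run over the headers of every page of the web application to answer the second review question; the header check and the client-side script are complementary and should both be in place.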
Review questions:
- Is it ensured on all websites of the web application that the contents are only displayed at the top level of the browser window?
- Has the X-FRAME-OPTIONS directive been set in the HTTP response headers of the web application?