Clickjacking is a method where a user is tricked into clicking a concealed link meaning that user's could be tricked into doing something they did not intend. For commercial sites and social networking sites this can often have disastrous consequences.
According to security researching sites even the top 500 sites ranked by Alexa are vulnerable to clickjacking despite their attempts at blocking it. One of the more well known clickjacking attempts was in embedding Twitter on a site which would post status updates without the user's knowledge. Even after they closed up that vulnerability they had left open the vulnerability in their mobile version of the page which meant further attacks.
- SAMEORIGIN: can only be embedded inside frames on pages within the same domain,
- DENY: can not be embedded within a frame on any page no matter what the source.
You can either send this header on per-script basis or for all resources on your site. If you're using PHP then a simple way of sending the header is to use:
<php header('X-FRAME-OPTIONS: sameorigin');
If instead you want to send the header for all resources then in Apache you will need to ensure you have mod_headers included so that you can add the following to either a virtual host or your httpd.conf:
Header always append x-frame-options SAMEORIGIN
With IIS you can also send this header by right-clicking on your site and going to properties. From the window that appears click on the HTTP Headers tab and then add this as a custom header.
Unfortunately as this is a new standard it is not supported by all browsers. At present it is supported by:
- Firefox 3.6.9+ (or with the NoScript addon)
- Opera 10.50+
- Safari 4.0+
- Chrome 22.214.171.1242+
So the browsers which are listed above or newer will have the best protection, but for those not listed the best alternative is to fall back to the less effective framekiller methods.